AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

@azure/msal-browser PublicClientApplication - AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret' #3273

Closed paulpopiel closed 3 years ago

paulpopiel commented 3 years ago

Description

I have written a Flutter wrapper for the MSAL.js 2.x @azure/msal-browser library. I have followed all the guides for setting up Azure AD and the MSAL configuration for a PublicClientApplication. Using the popup login method, the dialog is correctly displayed for the right tenant/client, I can enter a valid users credentials and they validate with no problem. However, once the sign-in process completes and the popup is dismissed, I am getting the following error:

Error Message

MSAL: invalid_client:7000218 - [2021-03-20 19:32:54Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

MSAL Configuration

// Auth options for the Dart wrapper around @azure/msal-browser:
// tenant-scoped authority, the app registration's client id, and the
// redirect URI registered for this app in Azure AD.
final auth = BrowserAuthOptions()
  ..authority = 'https://login.microsoftonline.com/$tenantId'
  ..clientId = clientId
  ..redirectUri = 'https://localhost:65411';

// Build the MSAL configuration and the PublicClientApplication instance.
final configuration = Configuration()..auth = auth;
final publicClientApplication = PublicClientApplication(configuration);

...

// Interactive sign-in via popup, requesting the Microsoft Graph User.Read scope.
const List<String> scopes = ['User.Read'];
final request = PopupRequest()..scopes = scopes;
final response = await widget.publicClientApplication.loginPopup(request);

Azure AD Configuration

[Four screenshots of the Azure AD app registration, taken 2021-03-21, were attached here.]

Reproduction steps

see above

Expected behavior

I have spent hours looking through stackoverflow and git issues. The key thing missing in most cases, and which I subsequently added was the "Allow public client flows" setting in AAD. However, even after setting this to true the error is still persisting.

Any assistance on the matter would be greatly appreciated. We already have over half a dozen Flutter applications, being used by hundreds of key users, across our enterprise. We have used an MSAL.js 1.x wrapper to date but have been facing too many third-party cookie policy issues on browsers. We need a solution otherwise we may need to consider alternatives.

Any assistance, ideas, suggestions, etc would be greatly appreciated. Thanks!

paulpopiel commented 3 years ago

Ok, some progress and new error message now.

This is what I get for staring at a screen for over 12hrs straight.

Accidentally had the wrong Uri scheme for the localhost, updated it from https to http in both the MSAL and AAD settings.

Now getting the following error:

MSAL: invalid_request:9002326 - [2021-03-20 20:56:07Z]: AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.

derisen commented 3 years ago

@paulpopiel I'm not well versed in Flutter, but if your app is running on a browser with a dedicated redirect URI then you shouldn't check "Allow public client flows", which is meant for native mobile & desktop apps usually.

The last error you got (AADSTS9002326) is because you have added both "Single-page application" and "Web" (or some other) platforms in the Authentication blade with the same redirect URI. Either have them different redirect URIs or create a separate app registration for the web platform.

paulpopiel commented 3 years ago

Hi @derisen , regarding "Allow public client flows", if I turn it off/false then I definitely go back to getting the error:

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Your point on AADSTS9002326 however - you are correct, we do have both Web and SPA redirect URIs set up. However they are not the same (different ports on localhost). Would this still cause issues?

derisen commented 3 years ago

@paulpopiel can you check this guidance on URI differentiation? It talks about localhost but should give insight nonetheless.

derisen commented 3 years ago

And I think AADSTS7000218 is because Azure AD thinks your app is a web app and web apps have client credentials (assertion or secret)

paulpopiel commented 3 years ago

Sorry, I should have elaborated - it is a web app, i.e. Flutter Web.

On the other hand thank you so much for that URI guidance link.

Due to ephemeral port ranges often required by native applications, the port component (for example, :5001 or :443) is ignored for the purposes of matching a redirect URI.

This was the issue! I removed all localhost:XXXX URIs from the Web platform in AAD and everything now works! Much much appreciated!

derisen commented 3 years ago

Cheers!

tnorling commented 3 years ago

Closing as resolved.