AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. #551

Closed fieeman closed 1 year ago

fieeman commented 1 year ago

Hi,

I will try to explain what I want to do.

I want to download attachments from my Outlook mailbox, but my organization has implemented 2FA, so I'm trying to get a token using the msal lib to use in the Microsoft Graph API.

So I made this code:

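from msal import PublicClientApplication

# client_id, authority and scopes are defined elsewhere by the poster
app = PublicClientApplication(
    client_id=client_id,
    authority=authority,
)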
result = None

accounts = app.get_accounts()
if accounts:
    result = app.acquire_token_silent(scopes, account=accounts[0])
else:
    flow = app.initiate_device_flow(scopes=scopes)
    print(flow['message'])

Then I receive this message:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate.

To get a token I'm trying to do this:

result = app.acquire_token_by_device_flow(flow)

if "access_token" in result:
    access_token = result['access_token']
    print(f'Access token: {access_token}')
else:
    print(result.get("error_description") or result.get("error"))

But I get this error:

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

I don't know where I should use these parameters.

If you have any suggestions it would be very helpful. Thank you for your time.

rayluo commented 1 year ago

It is unfortunate that the error message was vague. You would need to toggle a setting in your app's registration (in Azure Portal) to enable Device Flow.

FWIW, if your app runs on your local desktop, then a better way is to add a Desktop app redirect URI with the value http://localhost into your app's registration, and then you can use MSAL's Desktop app sample from this "map". It works better than Device Flow.
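An added example, not part of the thread or of MSAL's own samples: the device flow from the question wrapped so that AADSTS7000218 is turned into the fix described in the answer above. The portal setting name "Allow public client flows", the helper names and the sample error dict are assumptions of this example; the access token is returned rather than printed so it does not end up in logs.

```python
import re

# Hint text follows the maintainer's answer; the setting name
# "Allow public client flows" is not quoted in the thread (assumption).
PUBLIC_CLIENT_HINT = (
    "AADSTS7000218: the app registration is treated as a confidential client. "
    "Enable 'Allow public client flows' for device flow, or add a Desktop "
    "redirect URI http://localhost and use acquire_token_interactive()."
)

def aadsts_codes(result):
    """Return the set of AADSTS error numbers found in an MSAL result dict."""
    codes = {int(c) for c in result.get("error_codes") or []}
    text = result.get("error_description") or ""
    return codes | {int(m) for m in re.findall(r"AADSTS(\d+)", text)}

def explain_failure(result):
    """Return None on success, otherwise an actionable error message."""
    if "access_token" in result:
        return None
    if 7000218 in aadsts_codes(result):
        return PUBLIC_CLIENT_HINT
    return result.get("error_description") or result.get("error") or "unknown error"

def acquire_token(client_id, authority, scopes):
    """Silent first, then device flow. Needs network and the msal package."""
    import msal  # imported lazily so the helpers above work without it
    app = msal.PublicClientApplication(client_id, authority=authority)
    result = None
    accounts = app.get_accounts()
    if accounts:
        result = app.acquire_token_silent(scopes, account=accounts[0])
    if not result:  # no cached account, or the cache had no usable token
        flow = app.initiate_device_flow(scopes=scopes)
        if "user_code" not in flow:
            raise RuntimeError(explain_failure(flow))
        print(flow["message"])
        result = app.acquire_token_by_device_flow(flow)  # blocks until sign-in
    problem = explain_failure(result)
    if problem:
        raise RuntimeError(problem)
    return result["access_token"]

# Constructed sample of the failing response described in the issue.
SAMPLE_ERROR = {
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the "
                         "following parameter: 'client_assertion' or 'client_secret'.",
    "error_codes": [7000218],
}
```
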

fieeman commented 1 year ago

Thanks for your answer. Using an application registered in the Active Directory works fine, but is there any way to get a token without registering an application in the Active Directory? Like when I authenticate through the web?

rayluo commented 1 year ago

I hope you understand that most Q&A communities (such as StackOverflow) would appreciate one question per discussion thread, so that the Q&A would be more searchable and beneficial for the future audience.

Since your original question has been answered, let's close this conversation here. Please ask your other generic questions on StackOverflow and the community would help. (You may also send your question link to my email, if your question gets no response within a reasonable time.)