AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Supportability] When "AADSTS7000215: Invalid client secret provided", detect if the secret is available in both the User secrets and the appsettings.json #1721

Open munkii opened 2 years ago

munkii commented 2 years ago

Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.24.1

Where is the issue?

Is this a new or an existing app? This is a new app or an experiment.

Repro

Azure Function v3 trying to call one of our protected ASP.NET Web APIs

The configuration for the Azure Function is in local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureAd:Instance": "https://login.microsoftonline.com/",
    "AzureAd:Domain": "ourdomain.co.uk",
    "AzureAd:TenantId": "{OURTENANT_GUID}",
    "AzureAd:ClientId": "{CLIENTID_FORTHE_AZUREFUNCTION_REGISTERED_IN_AZUREAD}",
    "AzureAd:Audience": "https://ourdomain.co.uk/appidforthe.azurefunction",
    "AzureAd:ClientSecret": "{THE_CLIENT_SECRET_FROM_AZURE_AD_FOR_AZUREFUNCTION}",
    "NotificationApi:BaseAddress": "https://protectedapi.azurewebsites.net/api/",
    "NotificationApi:Scopes": "https://ourdomain.co.uk/breathe.protectedapi-service/.default"
  }
} 

I am trying to call the protected api from the Azure Function. I have configured the protected API so that it has an AppRole. I then configure the Azure Function in Azure AD so that it has an API permission to that AppRole.

When I am ready to call the protected Web API I run the following code in the Azure Function to get a token.

// Client-credentials (app-only) token for the protected API, using the ".default" scope from config
var accessToken = await this.tokenAcquisition.GetAccessTokenForAppAsync(this.notificationServiceScope);
this.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
this.httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

Expected behavior I expect to get an AccessToken

Actual behavior I get the following error

Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{CLIENTID_GUID_OF_AZUREFUNCTION}'.

I have checked and the secret that is configured at AzureAd:ClientSecret in local.settings.json is correct

I have also asked about this on StackOverflow but have gotten no replies, https://stackoverflow.com/questions/72000639/securing-aspnet-core-web-api-for-calls-from-azure-function

Possible solution

Additional context / logs / screenshots / link to code


munkii commented 2 years ago

Thanks to this issue report https://github.com/AzureAD/microsoft-identity-web/issues/379#issuecomment-666526566 and the comment from Jean-Marc, I now know that it was a value in secrets.json that was overriding my config.

Is there no way to detect that the AzureAd:ClientSecret value is double configured when this exception case happens and flag in the Exception report?
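The root cause in this thread is configuration-provider precedence: in Microsoft.Extensions.Configuration the last provider registered for a key wins, so a stale `AzureAd:ClientSecret` in the developer's user secrets silently replaces the correct one from local.settings.json (whose `Values` the Functions host exposes as environment variables). The following is an added example, not code from microsoft-identity-web or from the issue author, of the supportability check the comment above asks for: it walks `IConfigurationRoot.Providers`, lists every provider that defines the key, marks the effective one, and appends that to the AADSTS7000215 message. It assumes the `Microsoft.Extensions.Configuration` and `Microsoft.Extensions.Configuration.Json` packages; the two JSON files are constructed in a temp directory to stand in for appsettings.json and secrets.json (a real app would call `AddUserSecrets<Program>()` instead), and the thrown `InvalidOperationException` stands in for MSAL's `MsalServiceException` so the sample runs offline.

```csharp
// Added example (not from microsoft-identity-web or the issue author).
// Shows how to detect that a key such as AzureAd:ClientSecret is supplied by more
// than one configuration provider and which value actually wins.
// Assumptions: Microsoft.Extensions.Configuration(.Json) packages; temp JSON files
// stand in for appsettings.json and user secrets; a plain exception stands in for
// MsalServiceException carrying AADSTS7000215.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Microsoft.Extensions.Configuration;

static class ConfigDiagnostics
{
    // Every provider that has `key`, in registration order. The last entry is the
    // one IConfiguration[key] returns (later providers override earlier ones).
    public static List<(string Provider, string Value)> FindSources(IConfigurationRoot root, string key)
    {
        var hits = new List<(string, string)>();
        foreach (var provider in root.Providers)
        {
            if (provider.TryGet(key, out var value))
                hits.Add((provider.ToString() ?? provider.GetType().Name, value ?? string.Empty));
        }
        return hits;
    }

    // Supportability hint: null when the key is defined at most once. Secret values
    // are never echoed, only a fingerprint (length + last two characters) so the two
    // definitions can be told apart without leaking the secret into logs.
    public static string? DuplicateKeyHint(IConfigurationRoot root, string key)
    {
        var sources = FindSources(root, key);
        if (sources.Count < 2) return null;

        var lines = sources.Select((s, i) =>
            $"  [{i}] {s.Provider}: {Fingerprint(s.Value)}" +
            (i == sources.Count - 1 ? "   <-- effective value" : ""));
        return $"'{key}' is set by {sources.Count} configuration providers; the last one wins:\n"
             + string.Join("\n", lines);
    }

    private static string Fingerprint(string value) =>
        value.Length == 0
            ? "(empty)"
            : $"len={value.Length}, ends with '{value.Substring(value.Length - Math.Min(2, value.Length))}'";
}

class Program
{
    static void Main()
    {
        // Constructed sample input: the app settings hold the correct secret VALUE,
        // while secrets.json still holds the secret ID that was pasted by mistake.
        var dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(dir);
        var appSettings = Path.Combine(dir, "appsettings.json");
        var userSecrets = Path.Combine(dir, "secrets.json");
        File.WriteAllText(appSettings,
            "{ \"AzureAd\": { \"ClientId\": \"00000000-0000-0000-0000-000000000000\"," +
            " \"ClientSecret\": \"correct~secret~value~from~portal\" } }");
        File.WriteAllText(userSecrets,
            "{ \"AzureAd:ClientSecret\": \"11111111-2222-3333-4444-555555555555\" }");

        // Same order a typical host uses: app settings, then user secrets, then env vars.
        IConfigurationRoot config = new ConfigurationBuilder()
            .AddJsonFile(appSettings, optional: false, reloadOnChange: false)
            .AddJsonFile(userSecrets, optional: true, reloadOnChange: false)
            .AddEnvironmentVariables()
            .Build();

        try
        {
            // Stand-in for the MsalServiceException the token call would raise.
            throw new InvalidOperationException(
                "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent " +
                "in the request is the client secret value, not the client secret ID.");
        }
        catch (Exception ex) when (ex.Message.Contains("AADSTS7000215"))
        {
            var hint = ConfigDiagnostics.DuplicateKeyHint(config, "AzureAd:ClientSecret");
            Console.WriteLine(hint is null ? ex.Message : $"{ex.Message}\nSupportability hint:\n{hint}");
        }
        finally
        {
            Directory.Delete(dir, recursive: true);
        }
    }
}
```

In the real Function app the first hit would be the environment-variables provider (the Functions host turns local.settings.json `Values` into environment variables) and the second the user-secrets JSON provider. A quicker one-off check is `config.GetDebugView()`, which prints each key with the provider that supplied its effective value, but it does not list the providers that were overridden, which is exactly what this diagnosis needs.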

jmprieur commented 2 years ago

Thanks for the suggestion of detecting this case, @munkii