Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
2.20.0
Web app
Sign-in users and call web APIs
Web API
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
Description
I am trying to follow the instructions here to use a certificate for my AAD app to call a downstream API (Graph API):
https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates
However I have struggled in a production (I'm a Microsoft employee) application trying to get this to work, so I have created a repro where I can see the same issue. What I have done:
1. Created a web app that uses Identity.Web and set up the Graph downstream API
2. Added a multi-tenant app (MSA + Org)
3. Created a Key Vault that has a certificate in it
4. Added that cert to the Azure AD app
5. Tried to call Graph from my code
When I try to call Graph I get the following error:
IDW10109: All client certificates passed to the configuration have expired or can't be loaded. (Parameter 'clientCredentials')
I have double checked and if I run the following command from the CLI:
az keyvault certificate show --vault-name sethreid-keyvault --name MultiAuthTest-Self-Signed
You can see the app settings here:
https://github.com/sethreidnz/identity-web-client-certificate-issue/blob/main/appsettings.json#L7
And I can get the cert, so I don't think it's an access issue. I must be missing something or else this just doesn't work as described...
Reproduction steps
I have done a simplified version in my own personal subscription of what I'm trying to do here with everything set up how it should be. If necessary I can add someone as a certificate reader in order to test this yourself.
https://github.com/sethreidnz/identity-web-client-certificate-issue
You will be able to log in, but you will get an error at this line trying to call the Graph client:
https://github.com/sethreidnz/identity-web-client-certificate-issue/blob/main/Pages/Index.cshtml.cs#L23
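The az command in the issue reads the certificate object and its public metadata; an app that signs with the certificate must additionally read the secret that backs it, which is where the private key lives. The following diagnostic is an added example (not code from the issue or from Microsoft.Identity.Web) that performs that read with the same DefaultAzureCredential chain and reports the expiry and private-key state that IDW10109 refers to; it assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages and uses the vault and certificate names from the issue's command.

```csharp
// Added diagnostic, not part of the issue or of Microsoft.Identity.Web.
// Assumes NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets.
using System;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Vault and certificate names taken from the issue's "az keyvault certificate show" command.
var vaultUri = new Uri("https://sethreid-keyvault.vault.azure.net/");
var certName = "MultiAuthTest-Self-Signed";

// Same credential chain the web app relies on (Azure CLI login, managed identity, ...).
var credential = new DefaultAzureCredential();

// "certificate show" only needs certificates/get; the private key is returned through the
// backing secret, so secrets/get is the permission this check actually exercises.
var secretClient = new SecretClient(vaultUri, credential);
KeyVaultSecret secret;
try
{
    secret = secretClient.GetSecret(certName);
}
catch (RequestFailedException ex)
{
    Console.WriteLine($"Cannot read backing secret (secrets/get required): {ex.Status} {ex.ErrorCode}");
    return;
}

// This check covers the default PFX content type only; PEM-typed secrets need a different parser.
if (secret.Properties.ContentType != "application/x-pkcs12")
{
    Console.WriteLine($"Unexpected content type: {secret.Properties.ContentType}");
    return;
}

// Keep the key out of any persistent store while inspecting it.
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value),
    (string?)null, X509KeyStorageFlags.EphemeralKeySet);

// The two conditions named in IDW10109: expired, or not loadable (here: no private key).
Console.WriteLine($"Subject:        {cert.Subject}");
Console.WriteLine($"Thumbprint:     {cert.Thumbprint}");
Console.WriteLine($"NotAfter (UTC): {cert.NotAfter.ToUniversalTime():u}");
Console.WriteLine($"Expired:        {cert.NotAfter.ToUniversalTime() < DateTime.UtcNow}");
Console.WriteLine($"HasPrivateKey:  {cert.HasPrivateKey}");
```

If the secret read fails with 403 while the az certificate command succeeds, the identity can see the certificate but not the key the library needs; if it succeeds and both Expired and HasPrivateKey look right, the problem lies in how the app settings reference the certificate rather than in access.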
Error message
Id Web logs
No response
Relevant code snippets
Regression
No response
Expected behavior
I would have thought that since it uses DefaultAzureCredentials I would be able to fetch the cert I have provided in the appsettings.json, but it seems to fail to get the cert.