0

I am trying to get an Azure AD token with the following code:

```csharp
AuthenticationContext authContext = new AuthenticationContext(authority);
string token = authContext.AcquireTokenAsync(resourceUri, clientID, 
                                             new Uri(redirectUri), 
                                             new PlatformParameters(PromptBehavior.Auto))
                          .Result.AccessToken;
```

But after entering the username, password and OTP for two-factor authentication, I am getting the following error:

```
"error":"invalid_client",
"error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 1b452e84-a304-483e-adab-e19d1da28900
Correlation ID: bbcfb9f5-999c-493d-bdea-5ef44c70ac1c
Timestamp: 2023-01-04 03:25:22Z"
"error_codes":[7000218],
"timestamp":"2023-01-04 03:25:22Z",
"trace_id":"1b452e84-a304-483e-adab-e19d1da28900",
"correlation_id":"bbcfb9f5-999c-493d-bdea-5ef44c70ac1c",
"error_uri":"https://login.microsoftonline.com/error?code=7000218"
```

Please resolve the issue

marc_s
rakshith
  • 1
    To resolve the error, create a client secret and pass it while generating the token. – Rukmini Jan 04 '23 at 03:59
  • To which method do I need to pass the client secret? – rakshith Jan 04 '23 at 04:00
  • 1
    Did you enable `Allow public client flows` in the Azure portal? – Rukmini Jan 04 '23 at 04:12
  • 1
    I found a similar issue here: https://stackoverflow.com/questions/41730761/authenticationcontext-acquiretokenasync – Tiny Wang Jan 04 '23 at 04:14
  • After passing the client id, I am getting a token without being asked for username and password. I want password only after authentication – rakshith Jan 04 '23 at 04:46
  • 1
    Can you confirm whether you are passing client secret or client id? – Rukmini Jan 04 '23 at 04:47
  • Yes, now I changed the code by passing both client secret and client id as below: `Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential clientCredential = new Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential(clientID, client_secret); var authenticationResult = await authContext.AcquireTokenAsync(resourceUri, clientCredential);` – rakshith Jan 04 '23 at 04:49
  • After the above changes I am getting a token without Microsoft's username/password prompt popping up. authenticationResult contains the password – rakshith Jan 04 '23 at 04:53
  • I need that pop-up – rakshith Jan 04 '23 at 06:18
  • Could you confirm which grant flow you are trying to achieve? – Rukmini Jan 04 '23 at 07:29

2 Answers

1

The AuthenticationContext.AcquireTokenAsync method is obsolete. To migrate an app using Interactive flow, see https://aka.ms/adal-to-msal-net/interactive

wbosland
1

I tried to reproduce the same in my environment and got the same error as below:

GET https://login.microsoftonline.com/tenantId/oauth2/token

client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
resource : resource
username : ruk@********.onmicrosoft.com
password : ******

Note that if the Azure AD application is not a public client, then client_secret is required. To avoid making your Azure AD application public, you can create and pass the client_secret.

If you want to generate an access token without client_secret, then enable the `Allow public client flows` setting in your Azure AD application:

Generated access token without passing client_secret:

I agree with wbosland: AcquireTokenAsync is obsolete, and you need to make use of MSAL.NET to achieve your scenario by referring to this MsDoc:

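```csharp
// pca is the IPublicClientApplication instance; accountToLogin and
// myWindowHandle are supplied by the calling application.
var authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })
    .WithAccount(accountToLogin)
    .WithParentActivityOrWindow(myWindowHandle)
    .ExecuteAsync();
```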

As mentioned by you in the comments, you are making use of Client Credential flow which is meant for service-to-service communication without user interaction.

References:

Acquire a token to call a web API interactively

AuthenticationContext.AcquireTokenAsync Method

Rukmini
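
An added example, not code from the question or either answer: acquiring the token interactively with MSAL.NET as a public client, so no `client_secret` is sent and the sign-in window still appears. `tenantId`, `clientId`, `redirectUri` and `resourceUri` are caller-supplied placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET NuGet package

public static class InteractiveTokenExample // hypothetical name
{
    // All four arguments are placeholders; none of the values come from the page.
    public static async Task<string> GetUserTokenAsync(
        string tenantId, string clientId, string redirectUri, string resourceUri)
    {
        // Public client: no client_secret or client_assertion is configured,
        // because a secret shipped inside a desktop app cannot stay confidential.
        IPublicClientApplication pca = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .WithRedirectUri(redirectUri)
            .Build();

        // MSAL takes scopes instead of an ADAL resource; "<resource>/.default"
        // requests the permissions already configured for that resource.
        string[] scopes = { $"{resourceUri}/.default" };

        try
        {
            AuthenticationResult result;
            try
            {
                // Use a cached account if there is one, to avoid prompting on every run.
                IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
                result = await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Nothing usable in the cache: show the sign-in window (password, MFA).
                result = await pca.AcquireTokenInteractive(scopes)
                    .WithPrompt(Prompt.SelectAccount)
                    .ExecuteAsync();
            }
            return result.AccessToken;
        }
        catch (MsalServiceException ex) when (ex.ErrorCode == "invalid_client")
        {
            // The failure from the question (AADSTS7000218): the app registration is
            // treated as confidential. Fix the registration, do not embed a secret.
            throw new InvalidOperationException(
                "Enable 'Allow public client flows' on the app registration.", ex);
        }
    }
}
```

The token returned here represents the signed-in user, unlike the `ClientCredential` overload from the comments, which returns an app-only token and never prompts.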