OnBehalfOfCredentials giving error due to missing x5c claim in the JWT header #27646

Closed
sasohail opened this issue Mar 18, 2022 · 6 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@sasohail

Getting below error even after setting the OnBehalfOfCredentialOptions.SendCertificateChain = true

MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See aka.ms/msal-net-invalid-client for details. exception: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '815C0F457ABD378599BC9310F9713C6DC581C74F',Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '7255edad-9269-44d0-b153-92ceffbf86fa'. Review the documentation at docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and docs.microsoft.com/en-us/graph/api/… to build a query request URL, such as 'graph.microsoft.com/beta/applications/…. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used. Trace ID: 7aaf56e0-ca8d-48b6-8103-9de701ba6000 Correlation ID: 796539b1-465c-4552-84f7-b72468ed907d Timestamp: 2022-03-14 16:41:35Z

Same app works successfully with MSAL
```csharp
var msalResult = await this.application
    .AcquireTokenOnBehalfOf(scopes, new Identity.Client.UserAssertion(userToken))
    .WithSendX5C(true)
    .ExecuteAsync();
return msalResult.ToResult();
```
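
A way to check what the error above is complaining about, as an added example that is not part of the original post and not code from Azure.Identity or MSAL: it decodes only the JOSE header of a client assertion, reports whether `x5c` is present, and converts `x5t` to the hex thumbprint form used in the AADSTS700027 message. The names `AssertionHeaderCheck` and `Inspect` are hypothetical, the certificate and tokens are constructed in `Main`, and .NET 5 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class AssertionHeaderCheck
{
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Reads only the JOSE header; the signature is not verified here.
    public static (string Thumbprint, bool HasX5c, bool LeafMatchesX5t) Inspect(string jwt)
    {
        string json = Encoding.UTF8.GetString(FromBase64Url(jwt.Split('.')[0]));
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement header = doc.RootElement;
        // x5t is the base64url SHA-1 of the certificate; its hex form is the thumbprint.
        string thumb = header.TryGetProperty("x5t", out JsonElement x5t)
            ? Convert.ToHexString(FromBase64Url(x5t.GetString())) : "";
        bool hasX5c = header.TryGetProperty("x5c", out JsonElement x5c)
            && x5c.ValueKind == JsonValueKind.Array && x5c.GetArrayLength() > 0;
        // x5c entries are plain base64 DER certificates, leaf first.
        bool matches = hasX5c && thumb.Length > 0 &&
            Convert.ToHexString(SHA1.HashData(Convert.FromBase64String(x5c[0].GetString()))) == thumb;
        return (thumb, hasX5c, matches);
    }

    static void Main()
    {
        // Constructed input: throwaway self-signed certificate, unsigned dummy tokens.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-example", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        string x5tValue = ToBase64Url(SHA1.HashData(cert.RawData));
        string x5cValue = Convert.ToBase64String(cert.RawData);
        string Token(string headerJson) => ToBase64Url(Encoding.UTF8.GetBytes(headerJson)) + ".e30.c2ln";
        string bare = Token($"{{\"alg\":\"RS256\",\"x5t\":\"{x5tValue}\"}}");
        string withChain = Token($"{{\"alg\":\"RS256\",\"x5t\":\"{x5tValue}\",\"x5c\":[\"{x5cValue}\"]}}");
        Console.WriteLine(Inspect(bare));
        Console.WriteLine(Inspect(withChain));
    }
}
```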

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 18, 2022
@azure-sdk
Collaborator

Label prediction was below confidence level 0.6 for Model:ServiceLabels: 'Azure.Identity:0.45487067,KeyVault:0.23919488,Azure.Core:0.06016083'

@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. Azure.Identity needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Mar 18, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Mar 18, 2022
@jsquire
Member

jsquire commented Mar 18, 2022

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@christothes
Member

Hi @sasohail - Can you verify that the private key is present in the certificate being used by the OnBehalfOfCredential?

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Mar 21, 2022
@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Mar 21, 2022
@sasohail
Author

@christothes, the private key is present. This works fine when using ClientCertificateCredentials.
Also, we are able to do the onBehalf flow using MSAL with the same app ID and certificate.

@ghost ghost added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Mar 23, 2022
@christothes
Member

Thanks - this looks like a duplicate of #27679 - I'm working on a fix now.

@christothes
Member

closing as duplicate

@github-actions github-actions bot locked and limited conversation to collaborators Mar 26, 2023
5 participants