
For user authentication, I am using the latest @azure/msal-angular package. This Angular library is based on the latest MSAL library for AD authentication. But the library throws the error given below:

ServerError: invalid_client: 7000218 - [2021-05-14 07:42:54Z]: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

"@angular/core": "~10.2.4",
"@azure/msal-angular": "^2.0.0",
"@azure/msal-browser": "^2.14.1"

Configuration in the app module:

import { BrowserCacheLocation, Configuration, LogLevel } from '@azure/msal-browser';

// MSAL configuration object passed to the PublicClientApplication factory in the app module.
// loggerCallback is a logging function defined elsewhere in the same module.
const msalConfig: Configuration = {
    auth: {
      authority: 'https://login.microsoftonline.com/<tenant>/',
      clientId: 'my client id',
      redirectUri: 'http://localhost:4200',
      postLogoutRedirectUri: 'http://localhost:4200/',
      navigateToLoginRequestUrl: false
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage
    },
    system: {
      loggerOptions: {
        loggerCallback,
        logLevel: LogLevel.Info,
        piiLoggingEnabled: false
      }
    }
  };

I get this error when executing the code below in ngOnInit (app component):

// Completes a redirect-based login and remembers the returned account as the active one.
this.msalService.instance.handleRedirectPromise().then(response => {
  console.log('response', response);
  if (response !== null && response.account !== null) {
    this.msalService.instance.setActiveAccount(response.account);
  }
});

Some blogs say to change the app type to public. Is there any other option to resolve this issue?

Rahul
  • Which authentication flow are you using? – Carl Zhao May 14 '21 at 13:19
  • Do you follow this [tutorial](https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular)? If so, you need to set the redirect URI used in your app to be of type "Single Page Application" in the Azure Portal. – unknown May 15 '21 at 07:55
  • Are you using username/password flow? – Carl Zhao May 17 '21 at 07:24
  • @CarlZhao implicit grant flow – Rahul May 17 '21 at 11:40
  • @PamelaPeng I have implemented the same as in the tutorial. But when I call the acquireTokenSilent method, I get the error "AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com)." in a Chrome incognito window. – Rahul May 17 '21 at 13:38
  • @PamelaPeng If I allow third-party cookies, it works fine. Is this a known issue? Is there any way to solve this issue? – Rahul May 17 '21 at 13:38
  • Is there an update? – Carl Zhao May 28 '21 at 02:30
  • If you don't want to [enable public client flows](https://stackoverflow.com/questions/45609432/how-do-i-resolve-the-error-aadsts70002-the-request-body-must-contain-the-follow) then you have to rewrite your code to use a secret/private key. – TylerH Mar 10 '22 at 17:53

1 Answer

Your error should be this:


The reason for this error is that you are sending a silent request, but you have not logged in to the user first. There are two ways to solve this problem:

    1. Send a login request before requesting the token.
    2. Use Implicit grant and hybrid flows to execute the dynamic login request directly in the browser, and you can directly obtain the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid {api resource scope}
&response_mode=fragment
&state=12345
&nonce=678910
Carl Zhao
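The first option in the answer (log the user in before asking for a token) and the AADSTS50058 case from the comments, as an added example that is not part of the question, the answer, or the MSAL library. It is written against a small interface that mirrors the @azure/msal-browser methods used on this page (an assumed shape, so it runs without the package); the error name "InteractionRequiredAuthError" used for detection is also an assumption about the thrown object.

```typescript
// Minimal types standing in for the msal-browser objects used in the question (assumed shape).
interface Account { homeAccountId: string; username: string; }
interface AuthResult { account: Account | null; accessToken: string; }
interface TokenRequest { scopes: string[]; account?: Account; }

interface MsalLike {
  handleRedirectPromise(): Promise<AuthResult | null>;
  getActiveAccount(): Account | null;
  setActiveAccount(account: Account | null): void;
  acquireTokenSilent(req: TokenRequest): Promise<AuthResult>;
  loginRedirect(req: TokenRequest): Promise<void>;
}

// "No user is signed in" style failures (the AADSTS50058 case in the comments) surface as an
// interaction-required error. Recognising it by error name is an assumption for this example.
function needsInteraction(err: unknown): boolean {
  return err instanceof Error && err.name === "InteractionRequiredAuthError";
}

// Step 1 (ngOnInit): finish any pending redirect and remember the signed-in account.
async function completeRedirect(msal: MsalLike): Promise<Account | null> {
  const response = await msal.handleRedirectPromise();
  if (response && response.account) {
    msal.setActiveAccount(response.account);
  }
  return msal.getActiveAccount();
}

// Step 2: obtain a token. With no active account a silent call can only fail with
// AADSTS50058, so start an interactive login instead of calling acquireTokenSilent.
// Returns the access token, or null when a redirect has been started.
async function getAccessToken(msal: MsalLike, scopes: string[]): Promise<string | null> {
  const account = msal.getActiveAccount();
  if (!account) {
    await msal.loginRedirect({ scopes });
    return null;
  }
  try {
    const result = await msal.acquireTokenSilent({ scopes, account });
    return result.accessToken;
  } catch (err) {
    if (!needsInteraction(err)) throw err; // configuration or network errors propagate unchanged
    await msal.loginRedirect({ scopes, account }); // expired session: fall back to interactive login
    return null;
  }
}
```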