
Let's say you want to get the access token for your "foo" app that has tenant ID ccccccc-1111-2222-3333-cccccccccccccc and client ID aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa.
Here is an example of how to get credentials from https://login.microsoftonline.com using the Python msal (Microsoft Authentication Library).
#!/usr/bin/python3
from msal import PublicClientApplication
tenant_id = "ccccccc-1111-2222-3333-cccccccccccccc"
client_id = "aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa"
authority = f"https://login.microsoftonline.com/{tenant_id}"
application = PublicClientApplication(client_id=client_id, authority=authority)
token = application.acquire_token_by_username_password(username='john.doe@example.com', password='itsasecret', scopes=[])
print(f"token = {token}")
Let's say invalid_client is being returned, perhaps like this.
response = {
    'error': 'invalid_client',
    'error_description': "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: c00d5b6b-9456-4e4b-95b6-6d7575ca6000 Correlation ID: cf395944-b7d7-49de-870c-7959cc57df66 Timestamp: 2023-12-20 12:28:34Z",
    'error_codes': [7000218],
    'timestamp': '2023-12-20 12:28:34Z',
    'trace_id': 'c00d5b6b-9456-4e4b-95b6-6d7575ca6000',
    'correlation_id': 'cf395944-b7d7-49de-870c-7959cc57df66',
    'error_uri': 'https://login.microsoftonline.com/error?code=7000218'
}
I would first go to Authentication in Microsoft Azure. If Allow public client flow is set to No, this means basic authentication (username/password) is not allowed. One solution here is to toggle this to Yes to allow basic authentication.
Or you may need to instead pass client_credential, which msal accepts on ConfidentialClientApplication rather than PublicClientApplication.
Here is an example of how to get credentials from login.microsoftonline.com.
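#!/usr/bin/python3
from msal import ConfidentialClientApplication

tenant_id = "ccccccc-1111-2222-3333-cccccccccccccc"
client_id = "aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa"
client_secret = "itsasecret"
authority = f"https://login.microsoftonline.com/{tenant_id}"

# A client secret makes this a confidential client; PublicClientApplication
# rejects client_credential, so ConfidentialClientApplication is used here.
application = ConfidentialClientApplication(
    client_id=client_id,
    authority=authority,
    client_credential=client_secret)

scopes = ["https://graph.microsoft.com/.default"]
# Same username/password request as in the first example, now sent with the
# client secret (acquire_token_interactive is only available on public clients).
token = application.acquire_token_by_username_password(
    username='john.doe@example.com', password='itsasecret', scopes=scopes)
print(f"token = {token}")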
In this scenario, make sure you have created the client secret for the app.
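Both scripts above print the whole result, which on success contains the bearer tokens themselves. The following added example (not code from the original article) reduces an msal result dict to something safe to print or log and pulls out the AADSTS code and IDs needed for troubleshooting; `summarize_result`, `SECRET_KEYS`, `HINTS` and the two sample dicts are names and constructed inputs assumed here.

```python
import re

# Keys of an MSAL result that hold bearer credentials; never print these.
SECRET_KEYS = {"access_token", "refresh_token", "id_token"}
# Remediation from this article for the one AADSTS code it discusses.
HINTS = {7000218: "Set 'Allow public client flows' to Yes, or send a client "
                  "secret from a confidential client."}
AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Constructed samples: the error is a trimmed copy of the response above,
# the success dict uses made-up token strings.
SAMPLE_ERROR = {
    "error": "invalid_client",
    "error_description": "AADSTS7000218: The request body must contain the "
                         "following parameter: 'client_assertion' or 'client_secret'.",
    "error_codes": [7000218],
    "correlation_id": "cf395944-b7d7-49de-870c-7959cc57df66",
}
SAMPLE_SUCCESS = {"token_type": "Bearer", "expires_in": 3599,
                  "access_token": "constructed-access-token",
                  "refresh_token": "constructed-refresh-token"}


def summarize_result(result):
    """Return a copy of an MSAL result dict that is safe to print or log."""
    if "error" in result:
        codes = list(result.get("error_codes") or [])
        # Fall back to the code embedded in the description text.
        match = AADSTS_RE.search(result.get("error_description", ""))
        if match and int(match.group(1)) not in codes:
            codes.append(int(match.group(1)))
        return {"ok": False, "error": result["error"], "aadsts_codes": codes,
                "correlation_id": result.get("correlation_id"),
                "trace_id": result.get("trace_id"),
                "hints": [HINTS[c] for c in codes if c in HINTS]}
    # Success: keep the metadata, replace each credential with a marker.
    summary = {"ok": True}
    for key, value in result.items():
        summary[key] = "<redacted>" if key in SECRET_KEYS else value
    return summary


if __name__ == "__main__":
    print(summarize_result(SAMPLE_ERROR))
    print(summarize_result(SAMPLE_SUCCESS))
```

In either script, `print(summarize_result(token))` can replace the final `print` line.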