RamanaReddy V
3 min read · Mar 24, 2023

OpenIdConnectProtocolException: Message contains error: ‘invalid_client’, error_description: ‘AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.

Most applications within organizations use SSO (Single Sign-On) authentication. While implementing the SSO auth process, I ran into the error above.

Approach #1:

The tech stack used here:

  1. .NET 6
  2. ASP.NET Core MVC (the predefined project template)
  3. Azure

Use Case:

  • OpenID Connect as the AuthenticationScheme, on top of OAuth 2.0 (OIDC is an identity authentication protocol; OAuth 2.0 is an authorization protocol)
  • SSO auth process using the Microsoft Identity Web authentication library (Microsoft.Identity.Web)
  • Secure login using OpenID Connect and Azure AD (AAD)
  • Register an application in Azure
  • While authenticating, the expected response_type is code id_token (the hybrid flow)
  • I want to hold a long-lived refresh token

Register an app in Azure:

  • Create your Azure AD tenant
  • Register your application

(Screenshots: Reg-1, Reg-2, APP-Info)

Example:

  1. Create a default MVC app from any terminal (e.g. CMD):

     dotnet new mvc --auth SingleOrg --client-id 1f4a20d4-a691-4822-9922-8e2b0d56d884 --tenant-id 64d62c82-9a36-48bf-9e3e-a6578360b90f --domain microsoft.com

  2. Go to the .csproj file, remove all other packages, and make sure Microsoft.Identity.Web is upgraded to version 2.5.0.

sso.csproj

  3. Make sure the config details below are added.

NOTE: DON’T STORE THE ClientSecret VALUE HERE. (Supply it through a separate configuration source such as user secrets, an environment variable or Key Vault, so that AzureAd:ClientSecret is still resolvable from configuration without being committed with the app.)

appsettings

  4. Add the necessary code to the Program.cs file, as shown below.

Program.cs

After running this app we get the error shown below.

This error is caused by a missing ClientSecret value in the token request: even though we are providing the client secret in configuration, we still face this issue.

Error

To fix the issue we need to set the ClientSecret on the TokenEndpointRequest inside the OnAuthorizationCodeReceived handler of OpenIdConnectEvents, as shown below.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(option =>
    {
        // Bind Instance, TenantId, ClientId, CallbackPath (and ClientSecret, when a
        // configuration provider such as user secrets or Key Vault supplies it).
        builder.Configuration.Bind("AzureAd", option);

        // offline_access is the scope that makes Azure AD return a refresh token.
        option.Scope.Add("offline_access");

        // Hybrid flow: the authorize response carries both the code and the id_token.
        option.ResponseType = OpenIdConnectResponseType.CodeIdToken;

        option.Events = new OpenIdConnectEvents()
        {
            // Runs just before the handler redeems the code at the token endpoint.
            // If the request has no client_secret (or client_assertion), Azure AD
            // rejects the redemption with AADSTS7000218.
            OnAuthorizationCodeReceived = async (context) =>
            {
                if (string.IsNullOrEmpty(context.TokenEndpointRequest.ClientSecret))
                {
                    context.TokenEndpointRequest.ClientSecret =
                        builder.Configuration.GetSection("AzureAd:ClientSecret").Value;
                }

                await Task.CompletedTask.ConfigureAwait(false);
            },
            // Runs once the token endpoint has answered; all tokens are available here.
            OnTokenResponseReceived = async (context) =>
            {
                var AccessToken = context.TokenEndpointResponse.AccessToken;
                var RefreshToken = context.TokenEndpointResponse.RefreshToken;
                var IdToken = context.TokenEndpointResponse.IdToken;
                var ExpiresIn = context.TokenEndpointResponse.ExpiresIn;

                await Task.CompletedTask.ConfigureAwait(false);
            }
        };
    });

Run the app and we get the output shown below.

App — output
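The hybrid-flow exchange that the configuration above drives, written out as an added example (not the post's code): the authorize request with response_type=code id_token and offline_access, the nonce and c_hash checks that bind the returned code to the id_token before it is redeemed, and the code-redemption body that must carry client_secret (the missing parameter behind AADSTS7000218). Tenant, client id, redirect URI, nonce, state and code values used in the test are constructed placeholders; the endpoint paths are the real Azure AD v2.0 ones.

```python
import base64
import hashlib
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT hash claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_authorize_url(tenant_id, client_id, redirect_uri, nonce, state):
    """Authorize request for the hybrid flow (response_type=code id_token)."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access",  # offline_access -> refresh token
        "nonce": nonce,
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def c_hash(code: str) -> str:
    """c_hash for an RS256-signed id_token: left half of SHA-256(code), base64url."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def check_hybrid_response(claims: dict, code: str, expected_nonce: str) -> str:
    """Checks before redeeming the code (id_token signature assumed already verified)."""
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    if claims.get("c_hash") != c_hash(code):
        return "c_hash mismatch: code is not bound to this id_token"
    return "ok"

def build_token_request(client_id, code, redirect_uri, client_secret=""):
    """Body of the code-redemption request the handler posts to /oauth2/v2.0/token."""
    if not client_secret:
        # Confidential client with no client_secret/client_assertion: AADSTS7000218.
        raise ValueError("client_secret (or client_assertion) is required")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }
```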

Source Code:

Ref:

  1. https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code
  2. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
  3. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
  4. https://learn.microsoft.com/en-in/azure/active-directory/develop/scenario-web-app-sign-user-overview?tabs=aspnetcore
