Which Version of MSAL are you using?
4.9
Platform
confidential client
What authentication flow has the issue?
confidential client
Repro
// create confidential client with certificate (clientId and certificate are the caller's values)
var cca = ConfidentialClientApplicationBuilder.Create(clientId).WithCertificate(certificate).Build();
// client credentials flow: the client assertion is built from the certificate
await cca.AcquireTokenForClient(scopes).ExecuteAsync();
Expected behavior
tokens
Actual behavior
bad cert error
Possible Solution
After investigation with PowerShell team, we believe the aud claim in the signed assertion we send to the authority is wrong. The aud claim should be the token endpoint, but we use the issuer.
This is blocking Azure Stack
@bgavrilMS: do we use the issuer only in the case of ADFS, or even for Azure AD?
I agree the audience cannot be the issuer.
@bgavrilMS @trwalke @jennyf19 @henrik-me @aiwangmicrosoft
I propose we take a 4.9.1 (with Pop ATS)
@jmprieur - given that we had a new feature in that changes the public API (instance metadata uri), I think it has to be called 4.10
@jmprieur - we use the token_endpoint value for aud for AAD. For ADFS for some reason it is set to use the issuer.
But this isn't the only problem. I think the header that we send is wrong: we use kid, but both Wilson and ADAL use x5t.
Seems like a regression from PoP? We used to use x5t/x5c (SNI) and did not have the kid previously?
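The two defects discussed in this thread (aud set to the issuer instead of the token endpoint, and a kid header where the server expects an x5t thumbprint) are both visible by decoding the assertion before it is sent. The following is an added example, not MSAL code and not from this issue: a small Python checker that decodes a compact-JWS client assertion and reports those two problems, shown against a constructed "wrong" assertion and a constructed corrected one. The token endpoint, issuer, client id and certificate bytes are made-up values, the signature segment is a placeholder, and the check only validates the shape of the assertion, not its signature.

```python
import base64
import hashlib
import json

# Constructed sample values (not from the issue): a v2.0 token endpoint, the matching issuer,
# a client id and a stand-in for the DER bytes of the client certificate.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token"
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
FAKE_CERT_DER = b"constructed-der-certificate-bytes"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWS form strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def x5t_thumbprint(cert_der: bytes) -> str:
    """x5t is the base64url-encoded SHA-1 thumbprint of the DER certificate (RFC 7515, section 4.1.7)."""
    return b64url_encode(hashlib.sha1(cert_der).digest())


def build_assertion(header: dict, claims: dict) -> str:
    """Assemble a compact-JWS-shaped assertion. The signature segment is a placeholder because
    this example checks the shape of the assertion, not its signature."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{b64url_encode(b'placeholder-signature')}"


def check_client_assertion(assertion: str, token_endpoint: str, client_id: str, cert_der: bytes) -> list:
    """Return a list of problems found in a client_credentials assertion (empty list means well-formed)."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["assertion is not a three-segment compact JWS"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    problems = []
    # The audience must be the token endpoint the assertion is presented to, not the issuer.
    if claims.get("aud") != token_endpoint:
        problems.append(f"aud is {claims.get('aud')!r}; expected the token endpoint {token_endpoint!r}")
    # iss and sub both carry the client id in a client assertion (RFC 7523, section 3).
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client id")
    # The header should identify the signing certificate by its x5t thumbprint.
    if "x5t" not in header:
        hint = " (header carries kid instead)" if "kid" in header else ""
        problems.append("header lacks x5t thumbprint" + hint)
    elif header["x5t"] != x5t_thumbprint(cert_der):
        problems.append("x5t does not match the SHA-1 thumbprint of the certificate")
    return problems


def demo() -> tuple:
    """Build the assertion shape the issue describes as wrong and the corrected shape, then check both."""
    thumb = x5t_thumbprint(FAKE_CERT_DER)
    # nbf/exp/jti are constructed placeholders; the check above does not evaluate them.
    base_claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "jti": "constructed-jti", "nbf": 1, "exp": 2}
    # Wrong: aud is the issuer and the header names the key with kid.
    wrong = build_assertion({"alg": "RS256", "typ": "JWT", "kid": thumb}, {**base_claims, "aud": ISSUER})
    # Corrected: aud is the token endpoint and the header carries x5t.
    right = build_assertion({"alg": "RS256", "typ": "JWT", "x5t": thumb}, {**base_claims, "aud": TOKEN_ENDPOINT})
    return (
        check_client_assertion(wrong, TOKEN_ENDPOINT, CLIENT_ID, FAKE_CERT_DER),
        check_client_assertion(right, TOKEN_ENDPOINT, CLIENT_ID, FAKE_CERT_DER),
    )


if __name__ == "__main__":
    wrong_problems, right_problems = demo()
    print("wrong assertion:", wrong_problems)
    print("corrected assertion:", right_problems)
```

Running the file reports two problems for the first assertion (the aud mismatch and the missing x5t) and none for the second. A check like this belongs in a unit test of the assertion builder, where it catches the regression described in the thread before an authority rejects the request with a certificate error.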