MSAL 3x : AcquireTokenByUsernamePassword not working as documented : Microsoft.Identity.Client.MsalServiceException

  • Question

  • Hi 

    WPF, VS2017, MSAL 3x version.

    I am trying a sample to test the function AcquireTokenByUsernamePassword(). Following is the code example. I am getting an error:

    Error Acquiring Token:
    Microsoft.Identity.Client.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

      // Requires: using System.Security; using Microsoft.Identity.Client;
      private async void MSALUsingScopeUserNamePasswordVersion3_Click(object sender, RoutedEventArgs e)
      {
          string[] scopes = new string[] { "<ResourceID XXXXXX>/user_impersonation" };
          string targetAPIUrl = string.Format("");

          string ClientId = "3c278a32-0202-111c-8b03-xxxxxxxxxx";
          string Tenant = "xxxxxx-7665-xxxx-8ce2-xxxxxxxxxxxx";

          IPublicClientApplication _clientApp;
          AuthenticationResult authResult = null;

          // Build the public client application for the tenant
          _clientApp = PublicClientApplicationBuilder.Create(ClientId)
              .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
              .Build();

          try
          {
              var securePassword = new SecureString();
              foreach (char c in "RealPassword123")        // you should fetch the password
                  securePassword.AppendChar(c);  // keystroke by keystroke

              // Username/password (ROPC) token request; ExecuteAsync() sends it
              authResult = await _clientApp.AcquireTokenByUsernamePassword(scopes, "", securePassword)
                  .ExecuteAsync();

              // Call the target API with the access token
              outputBox.Text = await GetHttpContentWithToken(targetAPIUrl, authResult.AccessToken);
          }
          catch (MsalException msalex)
          {
              outputBox.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
          }
      }

    Please advise.


    Monday, May 6, 2019 4:57 PM

All replies

  • This error is caused when the client secret or client_assertion is not provided in the request. Please check if you have registered the client app as Native type and not as Web App/Web API. If you have registered your application as a WebApp/Web API in AAD, then a client secret is required in the request during the authentication. When the authentication is by user name and password, the client app needs to be registered as native.
    Tuesday, May 7, 2019 12:26 AM
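
An added example, not part of the thread or of MSAL itself: one way to turn the AADSTS7000218 failure discussed above into a short diagnosis that points at the app-registration setting. `TokenErrorTriage` and its methods are hypothetical names, and the `"invalid_client"` / `"invalid_grant"` error codes on the sample exceptions are constructed values; the message text is the one quoted in the question.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Identity.Client;   // NuGet package: Microsoft.Identity.Client

public static class TokenErrorTriage   // hypothetical helper, not an MSAL type
{
    // Returns the digits of an "AADSTS<digits>" code found in the message, or null.
    public static string AadStsCode(Exception ex)
    {
        Match m = Regex.Match(ex.Message ?? string.Empty, @"AADSTS(\d+)");
        return m.Success ? m.Groups[1].Value : null;
    }

    // Maps a service-side failure to one line of advice.
    // Only the code from this thread is mapped; anything else falls through.
    public static string Diagnose(MsalServiceException ex)
    {
        string code = AadStsCode(ex);
        if (code == "7000218")
            return "AADSTS7000218: the token endpoint expected 'client_secret' or " +
                   "'client_assertion'. Check how the app is registered (Native vs " +
                   "Web App/Web API) and the \"allowPublicClient\" setting.";
        return code != null
            ? $"Token request rejected (AADSTS{code}, {ex.ErrorCode})."
            : $"Token request rejected ({ex.ErrorCode}).";
    }

    public static void Main()
    {
        // Constructed sample built from the error text in the question.
        var sample = new MsalServiceException(
            "invalid_client",   // constructed error code for the sample
            "AADSTS7000218: The request body must contain the following parameter: " +
            "'client_assertion' or 'client_secret'.");
        Console.WriteLine(Diagnose(sample));

        // Constructed sample with no AADSTS code in the message.
        var other = new MsalServiceException("invalid_grant", "constructed message");
        Console.WriteLine(Diagnose(other));
    }
}
```

In the click handler above, `Diagnose(ex)` would be called from a `catch (MsalServiceException ex)` placed before the `catch (MsalException msalex)` block.
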
  • Hi Saurabh,

    Client app is registered for both Native type and Web App/Web API. Also, the Redirect URL is set to: urn:ietf:wg:oauth:2.0:oob, in addition to that "allowPublicClient": true

    Could you tell me the method to use to insert the client secret? I am unable to find it.


    Tuesday, May 7, 2019 5:02 AM
  • You need to register the app as native only, and in this case you do not need to provide a redirect URI. You can leave that blank; however, you need to set "Treat Application as a public client" under Default Client type to Yes in the Authentication section of the App registration page.

    Tuesday, May 7, 2019 11:00 PM
  • Saurabh Bhai,

    I already have Default Client type set to Yes. What I don't know is which method, or where and how, to provide the 'client_assertion' or 'client_secret' parameters. Can you throw light on it?

    Secondly, why is it necessary that "You need to register the app as native ONLY"? Because I may want to use the same app in both Web as well as Desktop applications, and maybe also through Mobile.


    Wednesday, May 8, 2019 4:40 AM