
[Bug] AuthorizationCode redemption not creating client_assertion #5005

Closed as not planned
@mrochon

Description

Library version used

9.0.0

.NET version

9

Scenario

ConfidentialClient - web site (AcquireTokenByAuthCode)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

My web app is configured with a certificate rather than a symmetric secret in appSettings.json. However, after receiving the authorization code, the middleware is not including a client_assertion parameter using that certificate. Entra responds with an error message saying that either a symmetric secret or a client assertion needs to be included.

```
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
'iisexpress.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\9.0.0\System.Collections.Immutable.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX20805: Obtaining information from metadata endpoint: 'https://login.microsoftonline.com/1165490c-89b5-463b-b203-8b77e01597d2/discovery/v2.0/keys'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21328: Generating nonce for openIdConnect message.
'iisexpress.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\9.0.0\System.Text.RegularExpressions.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter: Debug: IDX21342: 'RequireStateValidation' = false, not validating the state.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: Error: Message contains error: 'invalid_client', error_description: 'AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: fb8c18a1-ca00-44e5-a1fc-2cd09de06a00 Correlation ID: b442a52e-7646-4009-a992-335b9703c6b2 Timestamp: 2024-11-26 22:16:19Z', error_uri: 'https://login.microsoftonline.com/error?code=7000218', status code '401'.
'iisexpress.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\9.0.0\System.Diagnostics.StackTrace.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'iisexpress.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\9.0.0\System.Reflection.Metadata.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler: Error: Exception occurred while processing message.

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: fb8c18a1-ca00-44e5-a1fc-2cd09de06a00 Correlation ID: b442a52e-7646-4009-a992-335b9703c6b2 Timestamp: 2024-11-26 22:16:19Z', error_uri: 'https://login.microsoftonline.com/error?code=7000218'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware: Error: An unhandled exception has occurred while executing the request.

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: fb8c18a1-ca00-44e5-a1fc-2cd09de06a00 Correlation ID: b442a52e-7646-4009-a992-335b9703c6b2 Timestamp: 2024-11-26 22:16:19Z', error_uri: 'https://login.microsoftonline.com/error?code=7000218'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
```

Relevant code snippets

```json
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "meraridom2.com",
  "TenantId": "1165490c-89b5-463b-b203-8b77e01597d2",
  "ClientId": "8cb9ed19-ffe3-4fdc-95bb-a3d4f126b6fa",
  "CallbackPath": "/signin-oidc",
  "ResponseType": "code",
  "ClientCertificates": [
    {
      "SourceType": "StoreWithThumbprint",
      "CertificateStorePath": "CurrentUser/My",
      "CertificateThumbprint": "34bff633b846301b48b1f8fcd48b7e8c18a5f446"
    }
  ]
}
```

Expected behavior

Successful redemption of the authorization code.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

None
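For reference, this is what the code redemption the reporter expected looks like on the wire, as an added example that is not code from Microsoft.Identity.Web or from the issue; it is written in Go rather than C# so it runs with the standard library alone. It builds the RFC 7523 client assertion (header with the certificate's `x5t` thumbprint, `aud` = token endpoint, `iss` = `sub` = client id, signed RS256), assembles the `authorization_code` form, and applies the same presence check the token endpoint enforces when it returns AADSTS7000218. The client id, code, redirect URI, token endpoint and certificate bytes are constructed placeholders, not the issue's values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

const jwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// buildClientAssertion signs the private_key_jwt (RFC 7523) a certificate-configured confidential client sends
// instead of client_secret. x5t is the SHA-1 of the DER certificate (CertificateThumbprint in appsettings, in hex).
func buildClientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, tokenEndpoint string, now time.Time) string {
	thumb := sha1.Sum(certDER) // identifies the key; not a security hash
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64.EncodeToString(thumb[:])})
	claims, _ := json.Marshal(map[string]any{"aud": tokenEndpoint, "iss": clientID, "sub": clientID, // iss == sub == client_id
		"jti": fmt.Sprint(now.UnixNano()), "nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256; fails only on a broken key
	return input + "." + b64.EncodeToString(sig)
}

// redemptionBody is the form the OIDC middleware should POST to the token endpoint after the callback.
func redemptionBody(clientID, code, redirectURI, assertion string) url.Values {
	return url.Values{"grant_type": {"authorization_code"}, "client_id": {clientID}, "code": {code},
		"redirect_uri": {redirectURI}, "client_assertion_type": {jwtBearer}, "client_assertion": {assertion}}
}

// hasClientCredential mirrors the rule behind AADSTS7000218: a confidential client must send client_secret
// or a client_assertion with the jwt-bearer assertion type. The log above shows a body that carried neither.
func hasClientCredential(form url.Values) bool {
	return form.Get("client_secret") != "" ||
		(form.Get("client_assertion") != "" && form.Get("client_assertion_type") == jwtBearer)
}

func main() { // stand-alone demo with constructed values, not the issue's tenant, client id or certificate
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt := buildClientAssertion(key, []byte("constructed-cert-der"), "client-id-placeholder",
		"https://login.microsoftonline.com/tenant-placeholder/oauth2/v2.0/token", time.Now())
	fmt.Println(hasClientCredential(redemptionBody("client-id-placeholder", "code", "https://localhost/signin-oidc", jwt)))
}
```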
