Microsoft.Identity.Web 3.6.1 Giving "AADSTS7000215: Invalid client secret provided..." #3212

@Alfetta159

Description

Microsoft.Identity.Web Library

Microsoft.Identity.Web.DownstreamApi

Microsoft.Identity.Web version

3.6.1

Web app

Sign-in users and call web APIs

Web API

Protected web APIs call downstream web APIs

Token cache serialization

Distributed caches

Description

I have been using Microsoft.Identity.Web.DownstreamApi (up to 3.6.0) with little problem for some time, but suddenly upgrading to 3.6.1 gives me this problem:

{"error":"invalid_client",
"error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<my client id>'. Trace ID: xxxx Correlation ID: xxxxx Timestamp: 2025-01-22 22:17:41Z",
"error_codes":[7000215],
"timestamp":"2025-01-22 22:17:41Z",
"trace_id":"xxxxxx",
"correlation_id":"xxxxx",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"
}

My AzureAD appsettings section looks like this:

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "mytenant",
    "ClientId": "my client id",
    "Domain": "my domain",
    "Scopes": [ "access_as_user" ],
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "ClientSecret": "<my secret>"
      }
    ]
  },

My downstream configurations look like:

  "VastOfficeService": {
    "BaseUrl": "https://base.url/",
    "Scopes": [
      "api://<downstream api client id>/data.inventory.read"
    ]
  },

My gut feeling is that the schema of the JSON needed for this client secret has changed. I wouldn't be that surprised if this were a major or even minor update, but it's just a patch (?).
My secret is not out of date.
I've tried updating it anyway.
The problem seems to be in the version or that I'm not aware of any changes needed to accommodate this very minor version.

Reproduction steps

Update NuGet packages for Microsoft.Identity.Web.XXX versions to 3.6.1

Error message

MsalServiceException:

Message: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxx'. Trace ID: xxx Correlation ID: xxx Timestamp: 2025-01-22 22:17:41Z
Response Body:

{"error":"invalid_client",
"error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxx'. Trace ID: xxxx Correlation ID: 47bb47ec-c793-4478-9ed9-949cd29ea407 Timestamp: 2025-01-22 22:17:41Z",
"error_codes":[7000215],
"timestamp":"2025-01-22 22:17:41Z",
"trace_id":"7fd05783-dfb9-47e6-b39e-f417c34a1400",
"correlation_id":"47bb47ec-c793-4478-9ed9-949cd29ea407",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"
}

Stack trace (excluding my code)

   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<HandleTokenRefreshErrorAsync>d__32.MoveNext()
   at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.<ExecuteAsync>d__3.MoveNext()
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
   at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.<ExecuteAsync>d__4.MoveNext()
   at Microsoft.Identity.Web.TokenAcquisition.<GetAuthenticationResultForWebApiToCallDownstreamApiAsync>d__28.MoveNext()
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at Microsoft.Identity.Web.TokenAcquisition.<GetAuthenticationResultForUserAsync>d__16.MoveNext()
   at Microsoft.Identity.Web.DefaultAuthorizationHeaderProvider.<CreateAuthorizationHeaderAsync>d__4.MoveNext()
   at Microsoft.Identity.Web.DownstreamApi.<UpdateRequestAsync>d__27.MoveNext()
   at Microsoft.Identity.Web.DownstreamApi.<CallApiInternalAsync>d__26.MoveNext()
   at Microsoft.Identity.Web.DownstreamApi.<CallApiForUserAsync>d__13`1.MoveNext()

Id Web logs

No response

Relevant code snippets

services
    .AddMemoryCache()
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddDistributedTokenCaches()
    .AddDownstreamApi("VastOfficeService", configuration.GetSection("VastOfficeService"))

Regression

3.6.0

Expected behavior

No exception or at least some idea in the exception message of what should be fixed.
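A small triage script, added here as an example and not part of the issue or of Microsoft.Identity.Web: it checks the AzureAd:ClientCredentials shape from the report for the mistake the AADSTS7000215 text itself names (the secret ID, a GUID, pasted where the secret value belongs) and extracts only the non-sensitive fields of the token-endpoint error body for an incident log. The sample config and error body are constructed placeholders; the GUID heuristic is an assumption, not library behaviour.

```python
import json
import re

# Constructed sample mirroring the issue's AzureAd section (placeholders, no real secret).
SAMPLE_AZUREAD = {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "mytenant",
    "ClientId": "my client id",
    "Scopes": ["access_as_user"],
    "ClientCredentials": [
        {"SourceType": "ClientSecret", "ClientSecret": "<my secret>"}
    ],
}

_GUID = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def check_client_credentials(azure_ad: dict) -> list[str]:
    """Return findings about the ClientCredentials array (heuristics only).

    A GUID-shaped value is almost certainly the portal's *secret ID* column
    rather than the secret *value*, which is the mix-up AADSTS7000215 warns about.
    """
    findings = []
    creds = azure_ad.get("ClientCredentials")
    if not creds:
        return ["no ClientCredentials entries: confidential-client flows cannot authenticate"]
    for i, cred in enumerate(creds):
        if cred.get("SourceType") != "ClientSecret":
            continue  # certificates and other source types are out of scope here
        value = cred.get("ClientSecret", "")
        if not value:
            findings.append(f"credential[{i}]: SourceType=ClientSecret but ClientSecret is empty")
        elif _GUID.match(value):
            findings.append(f"credential[{i}]: ClientSecret looks like a secret ID (GUID), not the secret value")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"credential[{i}]: ClientSecret is still a placeholder")
    return findings


def classify_aad_error(body: str) -> dict:
    """Pull the AADSTS code and correlation IDs out of a token-endpoint error body.

    Only these fields go to the incident log; the description is not echoed.
    """
    data = json.loads(body)
    match = re.search(r"AADSTS(\d+)", data.get("error_description", ""))
    code = int(match.group(1)) if match else None
    return {
        "error": data.get("error"),
        "aadsts": code,
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),
        "likely_cause": ("client secret value wrong, rotated, or secret ID pasted instead of value"
                         if code == 7000215 else "see error_description"),
    }
```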

Labels

P1, bug (Something isn't working), regression (regression between Microsoft Identity Web versions)