You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Create a confidential client using application options (or without, based on my testing), and do not include a client secret, certificate or assertion.
In ClientCredentialWrapper the default enum value is ClientCertificate, so when no value is provided in creating the cca, the default AuthenticationType is ClientCertificate.
Later, in ClientCredentialHelper, when making the body parameters, we go the path of ClientCertificate and MSAL throws a null ref on line 80 when trying to sign something it doesn't have: clientCredential.CachedAssertion = jwtToken.Sign(clientCredential, sendX5C);
MS.Identity.Web had customers reporting a null ref when forgetting to set the client secret in the web app, MS.Identity.Web relies on MSAL for getting the cca tokens. We can successful create a cca without a value in the ClientSecret...later we try to do to .AcquireTokenByAuthorizationCode using the cca we made earlier and we get a null ref, which is actually coming from MSAL .NET (I did some hacking in your unit tests to figure this out).
I have a fix for us in Identity Web to make sure we send options without null or empty strings. Here's a fix to have a default enum value as none, to catch the case where the developer has created a cca, but doesn't passed in any AuthenticationTypes.
Another fix would be to ensure that one of the four AuthenticationType options are used for the cca. We check that not more than one are used, but not that at least one is used. I have not opened an issue for that, will let the team decide.
The text was updated successfully, but these errors were encountered:
Related to this issue in ms identity web
Repro:
Create a confidential client using application options (or without, based on my testing), and do not include a client secret, certificate or assertion.
In
ClientCredentialWrapper
the default enum value isClientCertificate
, so when no value is provided in creating the cca, the default AuthenticationType isClientCertificate
.Later, in
ClientCredentialHelper
, when making the body parameters, we go the path ofClientCertificate
and MSAL throws a null ref on line 80 when trying to sign something it doesn't have:clientCredential.CachedAssertion = jwtToken.Sign(clientCredential, sendX5C);
MS.Identity.Web had customers reporting a null ref when forgetting to set the client secret in the web app, MS.Identity.Web relies on MSAL for getting the cca tokens. We can successful create a cca without a value in the
ClientSecret
...later we try to do to.AcquireTokenByAuthorizationCode
using the cca we made earlier and we get a null ref, which is actually coming from MSAL .NET (I did some hacking in your unit tests to figure this out).I have a fix for us in Identity Web to make sure we send options without null or empty strings. Here's a fix to have a default enum value as none, to catch the case where the developer has created a cca, but doesn't passed in any AuthenticationTypes.
Another fix would be to ensure that one of the four AuthenticationType options are used for the cca. We check that not more than one are used, but not that at least one is used. I have not opened an issue for that, will let the team decide.
The text was updated successfully, but these errors were encountered: