ServerError: invalid_client (authentication error)

[lhdeveloper]

Priority

(Urgent) I can't use the CLI

Description

Earlier today I realized that my pipelines started giving errors when trying to authenticate in my sharepoint environments.
Until last night everything was working perfectly.

Can anyone tell me if there has been an update to the CLI or if we are experiencing any possible instability in the m365 login?

Here's the error log:

2024-05-08T19:06:08.7662523Z Executing command login with options {"options":{"authType":"certificate","certificateFile":"/home/vsts/work/_temp/deploy.hywork.pfx","password":"GrupoX2024","appId":"5f0462ae-5630-48d0-9841-b417d9050367","tenant":"237323e9-f483-4bf2-a3a7-35a6317c443a","debug":true,"verbose":true,"output":"json"}}
2024-05-08T19:06:08.7663644Z - Running command...
2024-05-08T19:06:08.7755218Z Logging out from Microsoft 365...
2024-05-08T19:06:08.7761471Z Signing in to Microsoft 365...
2024-05-08T19:06:08.7765829Z No token found for resource https://graph.microsoft.com.
2024-05-08T19:06:08.8216772Z Retrieving new access token using certificate...
2024-05-08T19:06:08.9970147Z pkcs8ShroudedKeyBagkeyBags length is 1
2024-05-08T19:06:08.9970779Z keyBag length is 0
2024-05-08T19:06:09.0865477Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Info - acquireTokenByClientCredential called
2024-05-08T19:06:09.0875298Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - initializeRequestScopes called
2024-05-08T19:06:09.0910103Z [Wed, 08 May 2024 19:06:09 GMT] : [1569bd6c-9fe2-4170-b278-a6e45dfb6079] : @azure/msal-node@2.8.0 : Verbose - buildOauthClientConfiguration called
2024-05-08T19:06:09.0911110Z [Wed, 08 May 2024 19:06:09 GMT] : [1569bd6c-9fe2-4170-b278-a6e45dfb6079] : @azure/msal-node@2.8.0 : Verbose - createAuthority called
2024-05-08T19:06:09.0924924Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
2024-05-08T19:06:09.0928016Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
2024-05-08T19:06:09.0930976Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Found cloud discovery metadata from hardcoded values.
2024-05-08T19:06:09.0934210Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Attempting to get endpoint metadata from authority configuration
2024-05-08T19:06:09.0937195Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
2024-05-08T19:06:09.0946280Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Replacing tenant domain name 237323e9-f483-4bf2-a3a7-35a6317c443a with id {tenantid}
2024-05-08T19:06:09.0948497Z [Wed, 08 May 2024 19:06:09 GMT] : [1569bd6c-9fe2-4170-b278-a6e45dfb6079] : @azure/msal-node@2.8.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/237323e9-f483-4bf2-a3a7-35a6317c443a/oauth2/v2.0/token.
2024-05-08T19:06:09.0954260Z [Wed, 08 May 2024 19:06:09 GMT] : [1569bd6c-9fe2-4170-b278-a6e45dfb6079] : @azure/msal-node@2.8.0 : Verbose - Client credential client created
2024-05-08T19:06:09.0969337Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Replacing tenant domain name 237323e9-f483-4bf2-a3a7-35a6317c443a with id {tenantid}
2024-05-08T19:06:09.0980695Z [Wed, 08 May 2024 19:06:09 GMT] : [] : @azure/msal-node@2.8.0 : Verbose - Replacing tenant domain name 237323e9-f483-4bf2-a3a7-35a6317c443a with id {tenantid}
2024-05-08T19:06:09.0983106Z [Wed, 08 May 2024 19:06:09 GMT] : [1569bd6c-9fe2-4170-b278-a6e45dfb6079] : @azure/msal-common@14.10.0 : Info - Sending token request to endpoint: https://login.microsoftonline.com/237323e9-f483-4bf2-a3a7-35a6317c443a/oauth2/v2.0/token
2024-05-08T19:06:09.2124678Z Error:
2024-05-08T19:06:09.2166134Z ServerError: invalid_client: 7000216 - [2024-05-08 19:06:09Z]: AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type. Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301 Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b Timestamp: 2024-05-08 19:06:09Z - Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b - Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301
2024-05-08T19:06:09.2167548Z     at ResponseHandler.validateTokenResponse (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/response/ResponseHandler.mjs:99:33)
2024-05-08T19:06:09.2168639Z     at ClientCredentialClient.executeTokenRequest (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/ClientCredentialClient.mjs:159:25)
2024-05-08T19:06:09.2169355Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-05-08T19:06:09.2170944Z     at async ConfidentialClientApplication.acquireTokenByClientCredential (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/ConfidentialClientApplication.mjs:98:20)
2024-05-08T19:06:09.2171823Z     at async Auth.ensureAccessToken (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/Auth.js:193:26)
2024-05-08T19:06:09.2172635Z     at async login (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:74:17)
2024-05-08T19:06:09.2173945Z     at async LoginCommand.commandAction (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:92:9)
2024-05-08T19:06:09.2174764Z     at async LoginCommand.action (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:102:9)
2024-05-08T19:06:09.2175853Z     at async Object.executeCommand (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/cli/cli.js:201:9)
2024-05-08T19:06:09.2176548Z     at async Object.execute (file:///opt/hostedtoolcache/node/18.17.1/x64/lib/node_modules/@pnp/cli-microsoft365/dist/cli/cli.js:144:9) {
2024-05-08T19:06:09.2177063Z   errorCode: 'invalid_client',
2024-05-08T19:06:09.2178387Z   errorMessage: "7000216 - [2024-05-08 19:06:09Z]: AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type. Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301 Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b Timestamp: 2024-05-08 19:06:09Z - Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b - Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301",
2024-05-08T19:06:09.2180557Z   subError: '',
2024-05-08T19:06:09.2180754Z   errorNo: 7000216,
2024-05-08T19:06:09.2181704Z   correlationId: '1569bd6c-9fe2-4170-b278-a6e45dfb6079'
2024-05-08T19:06:09.2181894Z }
2024-05-08T19:06:09.2181945Z 
2024-05-08T19:06:09.2181993Z 
2024-05-08T19:06:09.2182122Z Timings:
2024-05-08T19:06:09.2188351Z api: 0ms
2024-05-08T19:06:09.2188854Z core: 9.591497ms
2024-05-08T19:06:09.2189030Z command: 450.646538ms
2024-05-08T19:06:09.2189210Z options: 0.177906ms
2024-05-08T19:06:09.2189363Z total: 461.893186ms
2024-05-08T19:06:09.2189530Z validation: 0.773824ms
2024-05-08T19:06:09.2190672Z [31mError: invalid_client: 7000216 - [2024-05-08 19:06:09Z]: AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type. Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301 Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b Timestamp: 2024-05-08 19:06:09Z - Correlation ID: b125c336-9e1a-4744-a3b0-3a0c1ef3c89b - Trace ID: c480ab7a-e2a5-4913-899d-95ee92001301[39m
2024-05-08T19:06:09.7319981Z - Running command...
2024-05-08T19:06:09.7441168Z [31mError: Log in to Microsoft 365 first[39m
2024-05-08T19:06:10.2880682Z - Running command...
2024-05-08T19:06:10.2995428Z [31mError: Log in to Microsoft 365 first[39m
2024-05-08T19:06:10.8400189Z - Running command...
2024-05-08T19:06:10.8508253Z [31mError: Log in to Microsoft 365 first[39m

Steps to reproduce

m365 login --authType certificate --certificateFile "$(certificateFile.secureFilePath)" --password "$(CertificatePassword)" --appId "$(RegisterAppID)" --tenant "$(TenantID)" --debug --verbose
m365 spo set --url "$(SharePointBaseUrl)"
m365 spo app add -p $(System.DefaultWorkingDirectory)/_Deploy-Lab-Dev/drop/sharepoint/solution/hywork-lab.sppkg --overwrite --verbose
m365 spo app deploy --id $(appId) --verbose

Expected results

Login sucess.

Actual results

Login error

Diagnostics

No response

CLI for Microsoft 365 version

lasted version

nodejs version

18.17.1

Operating system (environment)

macOS

Shell

PowerShell

cli doctor

No response

Additional Info

No response

[xinzhaozhang]

I got exactly the same error. I think there is something wrong with --authType certificate. I have to use an earlier version of the M365 cli until this is fixed

[lhdeveloper]

@xinzhaozhang I put @7.7.0 as the fixed version and apparently it worked again. it must be something to do with authType.
Now let's wait for them to solve it.

Tkx!

[milanholemans]

Thank you for reporting this issue. This has probably something to do with upgrading MSAL package versions in the last release.
We'll look into it.

[milanholemans]

Created a PR with the fix for this issue. Thank you for bringing this to the surface! We will handle this issue with the necessary urgency.

[Adam-it]

@lhdeveloper we've just done a patch release that should solve this issue.
If possible, please double-check with the latest CLI for Microsoft 365 version (v7.8.1) and let us know if it now works.
Cheers.

BTW thanks @milanholemans for your ASAP action on this issue. You Rock 🤩

[milanholemans]

BTW thanks @milanholemans for your ASAP action on this issue. You Rock 🤩

Thank you to everyone for reporting this problem!

[lhdeveloper]

@Adam-it @milanholemans
ok friends, thanks for solving it.
I'll test it tomorrow and get back to you.
regards