I am following the Microsoft documentation for aquiring an MSAL token by username and password.
For understanding how MSAL works I try something very simple: Aquiring a token using a username and password. Curly brackets ({}) in the below example represent IDs or credentials I have copied there.
authority_url = 'https://login.microsoftonline.com/{Tenant}’
app = msal.PublicClientApplication(
authority=authority_url
, client_id={client_id}'
, client_credential=None
)
app.acquire_token_by_username_password(
'{mail_of_windows_user}'
, ‘{password_of_windows_user}’
, scopes = ["User.Read"])
When I run the code I get an error with ID 7000218:
The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
This error is unexpected because a PublicClientApplication
should work without a client secret. In the documentation for the parameter client_credential
, one can read:
For PublicClientApplication, you simply use None here.
Why do I need a client secret even though the documentation states I need none?
The error usually occurs if you missed enabling public-client flows option while generating token using username password flow, which is required to recognize app registration as public client application.
Initially, I too got same error when I ran below code to generate access token without enabling public-client flows option:
import msal
authority_url ='https://login.microsoftonline.com/{Tenant}’
app = msal.PublicClientApplication(
authority=authority_url,
client_id={client_id},
client_credential=None
)
result = app.acquire_token_by_username_password(
'{mail_of_windows_user}'
, '{password_of_windows_user}'
, scopes = ["User.Read"])
if "access_token" in result:
access_token = result["access_token"]
print(f"Access Token: {access_token}")
else:
print(result.get('error_description'))
Response:
To resolve the error, make sure to enable public-client flows option in your app registration like this:
When I ran code again after enabling public-client flows without passing client secret, I got access token successfully in response:
import msal
authority_url ='https://login.microsoftonline.com/{Tenant}’
app = msal.PublicClientApplication(
authority=authority_url,
client_id={client_id},
client_credential=None
)
result = app.acquire_token_by_username_password(
'{mail_of_windows_user}'
, '{password_of_windows_user}'
, scopes = ["User.Read"])
if "access_token" in result:
access_token = result["access_token"]
print(f"Access Token: {access_token}")
else:
print(result.get('error_description'))
Response:
You can decode the above token in jwt.ms and check whether the claims are valid or not like this:
Reference: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials