Authentication error when calling Graph via Blazor Server application

Time:08-31

I'm having some trouble calling the Graph API from a Blazor Server application. I've followed the example at https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer but I'm getting the following error when trying to log in:

MsalClientException: One client credential type required either: ClientSecret, Certificate, ClientAssertion or AppTokenProvider must be defined when creating a Confidential Client

My code is as follows:

appsettings.json

{
  /*
The following identity settings need to be configured
before the project can be successfully executed.
For more info see https://aka.ms/dotnet-template-ms-identity-platform 
*/
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
    "TenantId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "ClientId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "CallbackPath": "/signin-oidc"
  },
  "Graph": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
}


program.cs

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user.read" })
        .AddMicrosoftGraph(builder.Configuration.GetSection("Graph"))
        .AddInMemoryTokenCaches();


SearchBase.cs

[AuthorizeForScopes(Scopes = new[] { "user.read" })]
public class SearchBase : ComponentBase
 {
     ...

     protected async override Task OnInitializedAsync()
     {
         try
         {
            _user = await _graphServiceClient.Me.Request().GetAsync();
         }
         catch (Exception ex)
         {
            _logger.LogDebug(ex.Message);
         }
     }

     ...
 }

The error fires when initially logging into the application. It looks to be getting triggered by the last three lines in the program.cs file:

        .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "user.read" })
        .AddMicrosoftGraph(builder.Configuration.GetSection("Graph"))
        .AddInMemoryTokenCaches();

If I comment them out it logs me in via Azure AD as expected. That however leads to the Graph API call in the SearchBase.cs not working.

I'm very new to using Graph API, hopefully someone has come across this before. The examples I've found via Google return code that is pretty similar to my own so I'm at a loss as to what's going wrong.

Thanks for any help that can be offered.

Mark

CodePudding user response:

MsalClientException: One client credential type required either: ClientSecret, Certificate, ClientAssertion or AppTokenProvider must be defined when creating a Confidential Client

This error usually occurs if the ClientSecret parameter is missing while calling the Microsoft Graph API.

To resolve the error, you need to include the ClientSecret generated by your App Service in the appsettings.json file.

You can get the ClientSecret value like below:

Go to Azure Portal -> App Services -> Your App Service -> Authentication -> Identity Provider Settings -> Edit


Select "Click to edit secret value" like below:


Copy the value of your Client Secret like below:


Now, update your appsettings.json by including the copied Client Secret like below:

"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
    "TenantId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "ClientId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "ClientSecret": "XXXXXXXXXXXXXXX",
    "CallbackPath": "/signin-oidc"
  },
  "Graph": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  },
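
An added example, not part of the original question or answer: a startup check that reports the missing credential before the first sign-in, with the secret supplied through an environment variable rather than stored in the checked-in appsettings.json. The helper name `RequireClientCredential` and the sample values are assumptions; `AzureAd__ClientSecret` is the standard environment-variable form of `AzureAd:ClientSecret`, and `ClientCertificates` is the Microsoft.Identity.Web key for certificate credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class AzureAdCredentialCheck
{
    // Hypothetical helper (not a Microsoft.Identity.Web API): returns the name of
    // the credential key found under "AzureAd", or throws at startup if none is set.
    public static string RequireClientCredential(IConfiguration config)
    {
        IConfigurationSection azureAd = config.GetSection("AzureAd");
        if (!string.IsNullOrWhiteSpace(azureAd["ClientSecret"]))
            return "ClientSecret";
        // Certificate credentials are listed as child entries of this key.
        if (azureAd.GetSection("ClientCertificates").GetChildren().Any())
            return "ClientCertificates";
        throw new InvalidOperationException(
            "AzureAd:ClientSecret or AzureAd:ClientCertificates must be configured " +
            "before EnableTokenAcquisitionToCallDownstreamApi can acquire tokens.");
    }

    public static void Main()
    {
        // Constructed stand-in for the question's appsettings.json: no secret in the file.
        var fileSettings = new Dictionary<string, string?>
        {
            ["AzureAd:Instance"] = "https://login.microsoftonline.com/",
            ["AzureAd:ClientId"] = "00000000-0000-0000-0000-000000000000",
            ["AzureAd:CallbackPath"] = "/signin-oidc",
        };

        IConfiguration fileOnly = new ConfigurationBuilder()
            .AddInMemoryCollection(fileSettings).Build();
        try { RequireClientCredential(fileOnly); }
        catch (InvalidOperationException ex) { Console.WriteLine("Startup check: " + ex.Message); }

        // "__" in an environment variable name maps to ":" in the configuration key.
        Environment.SetEnvironmentVariable("AzureAd__ClientSecret", "constructed-placeholder");
        IConfiguration withEnvironment = new ConfigurationBuilder()
            .AddInMemoryCollection(fileSettings)
            .AddEnvironmentVariables()
            .Build();
        Console.WriteLine("Credential found: " + RequireClientCredential(withEnvironment));
    }
}
```

In the Blazor app the call would be `AzureAdCredentialCheck.RequireClientCredential(builder.Configuration);` placed before `AddAuthentication`. `WebApplication.CreateBuilder` already loads environment variables and, in Development, user secrets, so the secret does not have to be written into the file.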