
[BUG] Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided. #11645

Closed
MarneeDear opened this issue Apr 28, 2020 · 9 comments
Labels
  • Client: This issue points to a problem in the data-plane of the library.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-author-feedback: Workflow: More information is needed from author to address the issue.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.
  • Service Attention: Workflow: This issue is responsible by Azure service team.

Comments

@MarneeDear

Describe the bug
I get this error when I try to get an access token using AzureServiceTokenProvider.

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=f2d6blahhhh;TenantId=d46cb6blah4f;AppKey=<<Redacted>>, Resource: https://atlas.microsoft.com/, Authority: https://login.microsoftonline.com/d46cb6e0-0c01-41df-b208-ba9770d8cf4f. Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided.

I am using the Azure Maps AD Samples found here:
https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/ClientGrant/AzureMapsWebApiToken

I followed the directions to set up an AD App registration and give it access to the Maps. I created a client secret for this app registration and then an environment variable to store the connection string.

RunAs=App;AppId=guid;TenantId=guid;AppKey=hwblahblahfishcakes

I have verified that the AppId, TenantId, and AppKey are correct. The AppKey is the same as the Client Secret I created in the app registration.

This was working yesterday, but today I am getting an error. I haven't changed any of the code.

The code looks like this:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Services.AppAuthentication;

[Route("api/[controller]")]
[ApiController]
public class TokenController : ControllerBase
{
    // No connection string is passed, so the provider falls back to the
    // AzureServicesAuthConnectionString environment variable.
    private static readonly AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider();

    [HttpGet]
    [Route("")]
    public async Task<IActionResult> GetTokenAsync()
    {
        // Resource is the Azure Maps API; the request is cancelled if the client disconnects.
        string accessToken = await tokenProvider.GetAccessTokenAsync("https://atlas.microsoft.com/", cancellationToken: HttpContext.RequestAborted);

        return Ok(accessToken);
    }
}

Expected behavior
I get an access token when calling GetAccessTokenAsync

Actual behavior (include Exception or Stack Trace)

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=f2d6blahhhh;TenantId=d46cb6blah4f;AppKey=<<Redacted>>, Resource: https://atlas.microsoft.com/, Authority: https://login.microsoftonline.com/d46cb6e0-0c01-41df-b208-ba9770d8cf4f. Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided.

To Reproduce
Steps to reproduce the behavior (include a code snippet, screenshot, or any additional information that might help us reproduce the issue)

  1. Create an app registration and a client secret
  2. Give it user_impersonation access to Maps
  3. Create the connection string and add it to the environment variables
  4. Run the Azure Maps sample linked above
  5. Get error

Environment:

  • Microsoft.Azure.Services.AppAuthentication 1.4

  • $ dotnet --info
    .NET Core SDK (reflecting any global.json):
    Version: 3.1.201
    Commit: b1768b4ae7

Runtime Environment:
OS Name: Windows
OS Version: 10.0.18363
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\3.1.201\

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 28, 2020
@MarneeDear MarneeDear changed the title [BUG] Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=f2d6e38a-fe32-4045-a1fc-73435ba9c88a;TenantId=d46cb6e0-0c01-41df-b208-ba9770d8cf4f;AppKey=<<Redacted>>, Resource: https://atlas.microsoft.com/, Authority: https://login.microsoftonline.com/d46cb6e0-0c01-41df-b208-ba9770d8cf4f. Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided. [BUG] Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided. Apr 28, 2020
@jsquire jsquire added AppAuthentication Client This issue points to a problem in the data-plane of the library. Service Attention Workflow: This issue is responsible by Azure service team. labels Apr 28, 2020
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 28, 2020
@jongio
Member

jongio commented Apr 30, 2020

@stack111 @rbrundritt - Can you please have a look?

@rbrundritt

I'll defer to stack111 as he is our Azure AD expert.

@stack111

stack111 commented May 5, 2020

Typically, with the AAD error code AADSTS7000215 ("Invalid client secret is provided"), there is something wrong with the client secret in the connection string.

If you confirm with a new secret from the Azure Portal it might help narrow down the problem.

There are some details regarding environment variables which could potentially be unexpected behavior with developing in IDEs. If you are developing on Windows, I would recommend adding to the system environment variables. This will persist the variable beyond application shutdown and restart.

[image]

To eliminate the possibility of environment variable confusion, you could also construct the object as
new AzureServiceTokenProvider(connectionString: "my connection string"), with the connection string provided in the constructor, to confirm there is nothing wrong with the client secret.

@MarneeDear
Author

Thanks @stack111 .

When I use the connectionString explicitly in new AzureServiceTokenProvider it works. I get my auth token. I copied the connection string out of my system environment variable called AzureServicesAuthConnectionString and pasted it directly into my code like this.

private static readonly AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider(connectionString: "RunAs=App;AppId=REDACTED;TenantId=REDACTED;AppKey=REDACTED");

It looks like my connection string and client secret (AppKey) are correct and working. It just doesn't work if I let AzureServiceTokenProvider get it out of the environment variable like this

private static readonly AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider();

The error message redacts the client secret but the other fields look correct.

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=REDACTED;TenantId=REDACTED;AppKey=<<Redacted>>, Resource: https://atlas.microsoft.com/, Authority: https://login.microsoftonline.com/d46cb6e0-0c01-41df-b208-ba9770d8cf4f. Exception Message: Access token could not be acquired. AADSTS7000215: Invalid client secret is provided.

I am pretty sure I set up the environment variable correctly, as the error message does show the expected TenantId and AppId.

It looks like this:

[image]
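The reply above shows the classic symptom of a connection string that is read from the environment but still rejected: the AppId and TenantId in the error look right, while the secret is redacted and cannot be eyeballed. The following console program is an added example, not code from the issue, the Azure Maps sample or the AppAuthentication library. It reads the same AzureServicesAuthConnectionString variable the provider uses (the variable name and the RunAs=App;AppId=...;TenantId=...;AppKey=... shape come from this thread), parses it, and reports structural problems without ever printing the secret. The specific checks on the AppKey (surrounding quotes, whitespace, control characters) are my assumptions about what commonly separates a value that "looks right" in a dialog from the value a process actually inherits; the library itself does not expose such a check.

```csharp
// Added example: sanity-check the AzureServicesAuthConnectionString that
// AzureServiceTokenProvider reads, without logging the secret.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class AppAuthConnectionString
{
    public string RunAs { get; private set; }
    public Guid AppId { get; private set; }
    public Guid TenantId { get; private set; }
    public string AppKey { get; private set; }

    // Parses "RunAs=App;AppId=<guid>;TenantId=<guid>;AppKey=<secret>".
    // 'findings' lists every structural problem found; empty means well formed.
    public static AppAuthConnectionString Parse(string raw, out List<string> findings)
    {
        findings = new List<string>();
        var result = new AppAuthConnectionString { RunAs = "", AppKey = "" };
        if (string.IsNullOrWhiteSpace(raw))
        {
            findings.Add("connection string is empty or the variable is unset");
            return result;
        }

        var parts = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var segment in raw.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = segment.IndexOf('=');
            if (eq <= 0) { findings.Add("a segment is not of the form key=value"); continue; }
            // Keep the value verbatim after the first '=': a secret may itself contain '='.
            parts[segment.Substring(0, eq).Trim()] = segment.Substring(eq + 1);
        }

        result.RunAs = parts.TryGetValue("RunAs", out var runAs) ? runAs : "";
        if (!string.Equals(result.RunAs, "App", StringComparison.OrdinalIgnoreCase))
            findings.Add("RunAs is not 'App' (this checker only covers the app-secret form)");

        if (!parts.TryGetValue("AppId", out var appId) || !Guid.TryParse(appId, out var appGuid))
            findings.Add("AppId is missing or not a GUID");
        else
            result.AppId = appGuid;

        if (!parts.TryGetValue("TenantId", out var tenantId) || !Guid.TryParse(tenantId, out var tenantGuid))
            findings.Add("TenantId is missing or not a GUID");
        else
            result.TenantId = tenantGuid;

        if (!parts.TryGetValue("AppKey", out var key) || key.Length == 0)
        {
            findings.Add("AppKey is missing or empty");
        }
        else
        {
            result.AppKey = key;
            // Assumption: quotes or whitespace copied around the secret by a shell or
            // dialog are the usual reason a "correct" key is rejected by AAD.
            if (key != key.Trim())
                findings.Add("AppKey has leading or trailing whitespace");
            if (key.StartsWith("\"") || key.EndsWith("\"") || key.StartsWith("'") || key.EndsWith("'"))
                findings.Add("AppKey is wrapped in quote characters");
            if (key.Any(char.IsControl))
                findings.Add("AppKey contains control characters (for example a stray newline)");
        }
        return result;
    }

    // Safe to log: mirrors the SDK's own redaction and adds only the key length.
    public string Describe() =>
        $"RunAs={RunAs};AppId={AppId};TenantId={TenantId};AppKey=<<Redacted, {AppKey.Length} chars>>";
}

public static class Program
{
    public static int Main()
    {
        // Same variable name the provider reads, as stated earlier in this thread.
        string raw = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString");
        var parsed = AppAuthConnectionString.Parse(raw, out var findings);
        Console.WriteLine(parsed.Describe());
        foreach (var f in findings)
            Console.WriteLine("  finding: " + f);
        return findings.Count == 0 ? 0 : 1;
    }
}
```

Run it from the same launcher (terminal, IDE, service host) that starts the web app, because the value it sees is the one inherited at process start; a value changed in the system dialog after the IDE was opened will not appear until the IDE is restarted.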

@stack111

stack111 commented May 6, 2020

@jongio - the issue looks to be specific to the environment variable implementation. Can we triage the issue to a developer on the Microsoft.Azure.Services.AppAuthentication SDK?

@MarneeDear - my experience when using Microsoft.Azure.Services.AppAuthentication with environment variables suggests that the application / processes might not have retrieved the variable. I would suggest closing all instances of IDEs (Visual Studio, DotNet consoles, VS Code) - The instance value of an environment variable only changes on the start of the hosting process (it is not a dynamic runtime configuration).

Someone who works on the SDK would be a better help to troubleshoot why the SDK is not retrieving the value. However, if you are blocked, you can use other authentication libraries for Azure AD. Any Azure AD SDK will work to call Azure Maps; each has purposes which may or may not meet your needs.

Check out:

  1. https://www.nuget.org/packages/Microsoft.Identity.Client/
  2. https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/
  3. Or even in this repo: https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity

@jongio
Member

jongio commented May 7, 2020

I'll go through and update the README, but here's how I got it working with Azure.Identity

You'll need the Azure CLI (https://aka.ms/azcliget) and VS Code.

Clone Repo

  1. Clone my fork
    git clone https://github.com/jongio/Azure-Maps-AzureAD-Samples

This will get you the bits that work with Azure.Identity

Service Principal

  1. Create a Service Principal
    az ad sp create-for-rbac
  2. Assign role to SP
    az role assignment create --assignee 3db3ad97-06be-4c28-aa96-f1bac93aeed3 --role "Azure Maps Data Reader"

assignee is the client id from the SP you created in step 1

Set Env Vars

  1. Open project in VS Code (I didn't try in VS)
  2. Open .vscode/launch.json
  3. Set the following variables from step 1
"AZURE_CLIENT_ID": "",
"AZURE_CLIENT_SECRET": "",
"AZURE_TENANT_ID": ""

Set Client Id

  1. Open /Views/Home/Maps.cshtml
  2. Change clientId to the Azure Maps Client Id (see root README for instructions)

Run it

  1. Run dotnet run from the terminal
  2. Go to https://localhost:5001/home/maps

If you get an SSL error try the HTTP instead, or run dotnet dev-certs https --trust to install a local dev cert.

[image]
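The procedure above moves the sample from Microsoft.Azure.Services.AppAuthentication to Azure.Identity, with the service principal supplied through AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET. The controller below is an added example, not code from the issue or from jongio's fork, showing what the original TokenController looks like on Azure.Identity. It assumes the Azure.Identity NuGet package, the three environment variables from the launch.json step, and the scope form Azure.Identity expects: the same Azure Maps resource URI as the original code with the "/.default" suffix. The MissingEnvironmentVariables helper and the 503 handling are my additions, not part of the sample.

```csharp
// Added example: the original token endpoint rebuilt on Azure.Identity.
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class TokenController : ControllerBase
{
    // Azure Maps resource expressed as a v2 scope: resource URI + "/.default".
    private const string MapsScope = "https://atlas.microsoft.com/.default";

    // DefaultAzureCredential tries several sources in order; with
    // AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET set, the
    // EnvironmentCredential step is the one that succeeds. One static instance
    // lets the library reuse its in-memory token cache across requests.
    private static readonly TokenCredential credential = new DefaultAzureCredential();

    // Names of the variables the client-secret flow needs that are not set.
    // Call this at startup to fail fast instead of failing on the first request.
    public static string[] MissingEnvironmentVariables() =>
        new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" }
            .Where(name => string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name)))
            .ToArray();

    [HttpGet]
    [Route("")]
    public async Task<IActionResult> GetTokenAsync()
    {
        try
        {
            AccessToken token = await credential.GetTokenAsync(
                new TokenRequestContext(new[] { MapsScope }),
                HttpContext.RequestAborted);

            // Hand the browser only the token and its expiry; tenant and client ids
            // stay server-side.
            return Ok(new { token = token.Token, expiresOn = token.ExpiresOn });
        }
        catch (AuthenticationFailedException ex)
        {
            // Azure.Identity's message says which credential sources were tried and
            // why each failed. Log it where operators can see it; do not echo it to
            // the caller, since it describes the server's identity configuration.
            Console.Error.WriteLine(ex.Message);
            return StatusCode(503, "Could not acquire an Azure Maps token.");
        }
    }
}
```

The AADSTS7000215 case from this issue surfaces here as an AuthenticationFailedException whose message names EnvironmentCredential as the failing source, which points directly at the secret rather than at the token-provider plumbing.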

@jongio
Member

jongio commented May 12, 2020

@MarneeDear - Did that work for you?

@jsquire jsquire added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jun 20, 2020
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Jun 27, 2020
@ghost

ghost commented Jun 27, 2020

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@jongio
Member

jongio commented Jul 9, 2020

@MarneeDear - Going to close this for now to clean up issues, but let me know if my workaround worked for you.

@jongio jongio closed this as completed Jul 9, 2020
@ghost ghost removed the no-recent-activity There has been no recent activity on this issue. label Jul 9, 2020
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-net that referenced this issue Nov 13, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Mar 28, 2023