I wish you all a wonderful day.
I'm using Graph Client on .NET Core to authenticate the user and initialize the Graph client service to get the user's calendar and profile information with OnBehalfOfCredential, which contains the idToken like:
using Azure.Identity;
using Microsoft.Graph;

// Delegated Graph scopes requested for the on-behalf-of exchange.
var scopes = new[] { "User.Read", "Calendars.Read", "Calendars.ReadWrite" };
var clientSecret = "clientSecret";
// The user assertion passed to the OBO flow; here it is the MSAL idToken (see below).
var accessToken = "idToken";
var tenantId = "common";
var clientId = "clientId";
var onBehalfOfCredential = new OnBehalfOfCredential(tenantId, clientId, clientSecret, accessToken);
var graphClient = new GraphServiceClient(onBehalfOfCredential, scopes);
IdToken is a field of the MSAL library's loginPopup result that logs the user in to my application on Azure with my Angular project. I'm using idToken instead of accessToken because accessToken returns a non-JWT-formatted token for personal accounts. It starts with something like "Ew...", so I'm using the idToken field of the popup result. I can get personal account information with idToken, but when I try to get business or school account information I'm getting an error from GraphClientService.
CODE:
var user = await graphClient.Me.GetAsync();
ERROR: "OnBehalfOfCredential authentication failed: AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. Trace ID: 10db8442-96cd-47ad-b8d9-3f52a4ee1000 Correlation ID: cd618d21-adc7-4dcb-82bc-9d7b122ca085 Timestamp: 2024-01-18 09:07:51Z"
When I use accessToken for business accounts instead of idToken I'm getting an error as well.
ERROR: "OnBehalfOfCredential authentication failed: AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client: 'E41DE7471B50EE38BC78D0DCDC5CB4E4A7FDED91', Found key 'Start=12/05/2023 17:16:57, End=12/05/2028 17:16:57', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/00000000-0000-0000-0000-000000000000']. Trace ID: cf67284a-83ef-429e-bbe0-07cb617e1200 Correlation ID: ed9d2d77-30cb-4bba-9189-16e392a4c528 Timestamp: 2024-01-18 09:20:34Z"
I realize you may only want to pursue user-based access, but another alternative you could consider is an App-Only authentication workflow using a client secret:
https://learn.microsoft.com/en-us/graph/tutorials/dotnet-app-only?tabs=aad
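As an added example of the app-only alternative the answer links to (written for this page; not code from the question or from Microsoft's tutorial), assuming the app registration holds the application permissions User.Read.All and Calendars.Read with admin consent, Microsoft.Graph SDK v5, and the placeholder values are replaced:

```csharp
// Added example: app-only (client credentials) access to one user's profile and
// calendar. No user assertion is exchanged, so AADSTS240002/AADSTS50013 do not apply.
using System;
using Azure.Identity;
using Microsoft.Graph;

var tenantId = "<tenant-id>";   // client credentials need a real tenant id, not "common"
var clientId = "<client-id>";
// Placeholder: read the secret from the environment rather than hard-coding it.
var clientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET")
    ?? throw new InvalidOperationException("GRAPH_CLIENT_SECRET is not set");

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
// ".default" requests every application permission already granted to the app.
var graphClient = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

// /me does not exist without a signed-in user: address the user explicitly.
var upn = "alice@contoso.example";   // constructed sample value
var user = await graphClient.Users[upn].GetAsync(cfg =>
    cfg.QueryParameters.Select = new[] { "displayName", "mail", "userPrincipalName" });
Console.WriteLine($"{user?.DisplayName} <{user?.Mail}>");

// calendarView requires a start/end window; request only the fields we need.
var start = DateTime.UtcNow.ToString("o");
var end = DateTime.UtcNow.AddDays(7).ToString("o");
var events = await graphClient.Users[upn].CalendarView.GetAsync(cfg =>
{
    cfg.QueryParameters.StartDateTime = start;
    cfg.QueryParameters.EndDateTime = end;
    cfg.QueryParameters.Select = new[] { "subject", "start", "end" };
    cfg.QueryParameters.Top = 10;
});
foreach (var e in events?.Value ?? new())
    Console.WriteLine($"{e.Start?.DateTime} - {e.End?.DateTime}: {e.Subject}");
```

An app-only token with Calendars.Read can read every mailbox in the tenant, so pair it with an Exchange Online application access policy that restricts the app to the mailboxes it actually needs.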