|
| 1 | +--- |
| 2 | +title: Invalid Client Error AADSTS7000218 When Authenticating to Microsoft Entra ID |
| 3 | +description: Provides a solution to the AADSTS7000218 error when a confidential client application authenticates to Microsoft Entra ID. |
| 4 | +ms.date: 04/30/2025 |
| 5 | +ms.reviewer: bachoang, v-weizhu |
| 6 | +ms.service: entra-id |
| 7 | +ms.custom: sap:Developing or Registering apps with Microsoft identity platform |
| 8 | +--- |
| 9 | + |
| 10 | +# Error AADSTS7000218 when a confidential client application authenticates to Microsoft Entra ID |
| 11 | + |
| 12 | +This article provides a solution to the AADSTS7000218 error that occurs when a confidential client application authenticates to Microsoft Entra ID. |
| 13 | + |
| 14 | +## Symptoms |
| 15 | + |
| 16 | +When a confidential client application authenticates to Microsoft Entra ID to get an access token, the following error message is displayed: |
| 17 | + |
| 18 | +```output |
| 19 | +{ |
| 20 | + "error": "invalid_client", |
| 21 | + "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z", |
| 22 | + "error_codes": [7000218], |
| 23 | + ... |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +## Cause |
| 28 | + |
| 29 | +This issue occurs because the application doesn't provide the credentials (client secret or assertion) that the token endpoint expects. A confidential client must provide its credentials when authenticating to Microsoft Entra ID. |
| 30 | + |
| 31 | +## Resolution |
| 32 | + |
| 33 | +To resolve this issue, include the client secret or assertion in the token request. |
| 34 | + |
| 35 | +In some authentication flow scenarios, such as the [OAuth 2 Resource Owner Password Credentials (ROPC)](/entra/identity-platform/v2-oauth-ropc) grant flow or [OAuth 2 device authorization grant flow](/entra/identity-platform/v2-oauth2-device-code), where you don't expect the client application to be confidential, allow public client flows in the **App registrations**: |
| 36 | + |
| 37 | +1. In the [Azure portal](https://portal.azure.com/), in **App registrations**, select your application, and then select **Authentication**. |
| 38 | +2. Select **Advanced settings** > **Allow public client flows**. |
| 39 | +3. For **Enable the following mobile and desktop flows**, select **Yes**. |
| 40 | + |
| 41 | + :::image type="content" source="media/confidential-client-application-authentication-error-aadsts7000218/allow-public-client-flows.png" alt-text="Screenshot that shows the 'Enable the following mobile and desktop flows' option." lightbox="media/confidential-client-application-authentication-error-aadsts7000218/allow-public-client-flows.png"::: |
| 42 | + |
| 43 | +Changing the default client type from confidential to public causes security implications. For more information, see [What's the security implication of changing the default client type from confidential to public in Azure AD?](https://blogs.aaddevsup.xyz/2020/09/whats-the-security-implication-of-changing-the-default-client-type-from-confidential-to-public-in-azure-ad/) |
| 44 | + |
| 45 | +## Understand client types in Microsoft Entra ID |
| 46 | + |
| 47 | +As defined in the [OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749), client applications are categorized into two types: |
| 48 | + |
| 49 | +- Confidential client: A client that can securely store a secret used to authenticate to Microsoft Entra ID. |
| 50 | + |
| 51 | + For example, the client is a web application whose code and secrets are stored on a server that isn't exposed to the public. Only an admin can access the application's confidential information. |
| 52 | +- Public client: A client that can't store any secret. |
| 53 | + |
| 54 | + For example, a public client is a mobile or desktop application running in an insecure or unmanaged environment. |
| 55 | + |
| 56 | +In the Microsoft Entra App Registration model, a registered application can be both a public client and a confidential client, depending on the context in which the application is used. This is because an application might have a part used as a public client, while other parts are designed to be used as a confidential client. Depending on workflows, the application developer must decide if the application should act as a public or confidential client. A confidential client is expected in certain OAuth2 grant flows, such as the Client Credentials flow, Authorization Code flow, or On-Behalf-Of flow. It uses a flow to request a token. |
| 57 | + |
| 58 | +## How Microsoft Entra ID determines the client type |
| 59 | + |
| 60 | +- Method 1: Use the type of the redirect URI (reply URL) |
| 61 | + |
| 62 | + Microsoft Entra ID checks the redirect URI (reply URL) provided in the request and cross-checks it with the redirect URI registered in the App Registrations. |
| 63 | + - A redirect URI of type **Web** classifies the application as a confidential client. |
| 64 | + |
| 65 | + :::image type="content" source="media/confidential-client-application-authentication-error-aadsts7000218/web-client-type.png" alt-text="Screenshot that shows a Web-type redirect URI." lightbox="media/confidential-client-application-authentication-error-aadsts7000218/web-client-type.png"::: |
| 66 | + - A redirect URI of type **Mobile and desktop applications** classifies the application as a public client. |
| 67 | + |
| 68 | + :::image type="content" source="media/confidential-client-application-authentication-error-aadsts7000218/public-client-type.png" alt-text="Screenshot that shows a public-type redirect URI." lightbox="media/confidential-client-application-authentication-error-aadsts7000218/public-client-type.png"::: |
| 69 | + |
| 70 | +- Method 2: Use the **Enable the following mobile and desktop flows** option (when no reply URL is provided) |
| 71 | + |
| 72 | + In some OAuth 2.0 flows, such as the [OAuth 2 Resource Owner Password Credentials (ROPC)](/azure/active-directory/develop/v2-oauth-ropc) grant flow, [OAuth 2 device authorization grant flow](/entra/identity-platform/v2-oauth2-device-code) and Integrated Windows Authentication, no reply URL is provided in the token request. In these cases, Microsoft Entra ID uses the app registration's **Enable the following mobile and desktop flows** to determine whether the client is confidential or public. |
| 73 | + |
| 74 | + - If **Enable the following mobile and desktop flows** is set to **Yes**, the client is public. |
| 75 | + - If it's set to **No**, the client is confidential. |
| 76 | + |
| 77 | +### How to identify the grant type and redirect URI used by an application |
| 78 | + |
| 79 | +Review the application code or capture a [Fiddler](https://blogs.aaddevsup.xyz/2018/09/capture-https-traffic-with-http-fiddler/) trace to inspect the `grant_type` and `redirect_uri` parameters sent in the POST request to the Microsoft Entra ID's token endpoint: |
| 80 | + |
| 81 | +- V1 endpoint: `https://login.microsoftonline.com/<tenant name>/oauth2/token` |
| 82 | +- V2 endpoint: `https://login.microsoftonline.com/<tenant name>/oauth2/v2.0/token` |
| 83 | + |
| 84 | +Here's an example of a Fiddler trace: |
| 85 | + |
| 86 | +:::image type="content" source="media/confidential-client-application-authentication-error-aadsts7000218/post-request.png" alt-text="Screenshot that shows a POST request in Fiddler."::: |
| 87 | + |
| 88 | +:::image type="content" source="media/confidential-client-application-authentication-error-aadsts7000218/grant-type.png" alt-text="Screenshot that shows a grant type."::: |
| 89 | + |
| 90 | +Common OAuth 2.0 flows and their associated `grant_type` values are listed as follows: |
| 91 | + |
| 92 | +| OAuth 2.0 flow | grant_type value | |
| 93 | +| --- | --- | |
| 94 | +| [ROPC](/entra/identity-platform/v2-oauth-ropc) | `password` | |
| 95 | +| [Device Code](/entra/identity-platform/v2-oauth2-device-code) | `urn:ietf:params:oauth:grant-type:device_code` | |
| 96 | +| [Authorization Code](/entra/identity-platform/v2-oauth2-auth-code-flow) | `authorization_code` | |
| 97 | +| [Client Credentials](/entra/identity-platform/v2-oauth2-client-creds-grant-flow) | `client_credentials` | |
| 98 | +| [On-Behalf-Of](/entra/identity-platform/v2-oauth2-on-behalf-of-flow) | `urn:ietf:params:oauth:grant-type:jwt-bearer` | |
| 99 | +| [SAML Bearer Assertion](/entra/identity-platform/v2-saml-bearer-assertion) | `urn:ietf:params:oauth:grant-type:saml1_1-bearer` | |
| 100 | + |
| 101 | +## References |
| 102 | + |
| 103 | +[Microsoft Authentication Library (MSAL) Client Applications](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications) |
| 104 | + |
| 105 | +[!INCLUDE [Third-party information disclaimer](../../../includes/third-party-disclaimer.md) |
| 106 | + |
| 107 | +[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)] |
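Review bot: the third-party disclaimer include near the end of the file is malformed: `[!INCLUDE [Third-party information disclaimer](../../../includes/third-party-disclaimer.md)` is missing the closing `]` that the Azure Help Support include on the following line has (`...azure-help-support.md)]`), so the directive will not be expanded and the disclaimer text will not appear in the rendered article. Two smaller points in the same hunk: the ROPC link under "Method 2" uses the legacy path `/azure/active-directory/develop/v2-oauth-ropc` while the Resolution section and the grant_type table link to `/entra/identity-platform/v2-oauth-ropc`; use the `/entra/` path throughout. In the "Understand client types" section, "A confidential client is expected in certain OAuth2 grant flows, such as the Client Credentials flow, Authorization Code flow, or On-Behalf-Of flow. It uses a flow to request a token." lists the authorization code flow as one that expects a confidential client, but the very next section says a **Mobile and desktop applications** redirect URI makes the app a public client, and that flow is used by such public clients without a secret; client credentials and on-behalf-of are the flows that always need a client credential, so narrow the list to those, and drop the trailing "It uses a flow to request a token." sentence, which adds nothing. Finally, "Changing the default client type from confidential to public causes security implications" reads better as "has security implications".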