msgraph DeviceCode auth reports error AADSTS7000218 despite providing client_secret
See original GitHub issueI have upgraded to ParseDMARC 8.3.0 to use msgraph authentication instead of IMAP, but UsernamePassword doesn’t seem to work (because the account has MFA enabled) and ClientSecret was getting complicated (because the account was created as a shared mailbox, though direct login is now enabled). So I would like to use DeviceCode authentication. I’ve:
- registered ParseDMARC as as an app
- recorded the Application (client) ID and the Directory (tenant) ID
- assigned the Mail.ReadWrite delegated permission
- created and recorded a Client Secret for the registered app
My INI file has
[msgraph]
auth_method = DeviceCode
tenant_id = <tenant-id>
client_id = <client-id>
client_secret = <client-secret-value>
mailbox = <mbox>@<domain>
When I run ParseDMARC I’m prompted to login with a code, which I do as <user>@<domain>, including MFA, and I accept to access ParseDMARC. But when I close the login window ParseDMARC exits with a long error stream that starts
DeviceCodeCredential.get_token failed: Authentication failed: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: b0378a2c-560e-44a2-8420-141397fcbe00
Correlation ID: e1c56f5d-c66d-48d8-8b47-717d151b205b
Timestamp: 2022-06-30 05:52:13Z
Content: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: b0378a2c-560e-44a2-8420-141397fcbe00\r\nCorrelation ID: e1c56f5d-c66d-48d8-8b47-717d151b205b\r\nTimestamp: 2022-06-30 05:52:13Z","error_codes":[7000218],"timestamp":"2022-06-30 05:52:13Z","trace_id":"b0378a2c-560e-44a2-8420-141397fcbe00","correlation_id":"e1c56f5d-c66d-48d8-8b47-717d151b205b","error_uri":"https://login.microsoftonline.com/error?code=7000218"}
and then repeats 2 variants of the same info.
My INI file provides the client_secret value, and ParseDMARC errors out if it’s not there. So is ParseDMARC not providing it for some reason, or is there something else I might have missed?
Thanks.
Issue Analytics
- State:
- Created a year ago
- Comments:15 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thanks, but I see that I’d mixed up the history on what I’d tried here. You’re right, it was UsernamePassword flow that failed due to MFA.
I then tried ClientSecret flow, but that failed because this mailbox was created as a shared mailbox (though I later enabled logons to allow direct IMAP access) and the mailbox was not accepted in the New-ApplicationAccessPolicy command because a shared mailbox cannot be a security principal.
At that point I thought it might be quicker to configure DeviceCode flow than de-sharify the mailbox.
Since you’ve bundled the batch size fix (needed regardless of flow) with the token cache fix, hopefully it will be easiest for me to stick with DeviceCode flow here.
I spent a lot of time trying to find out what was different between the PyPI and github installs that caused this runtime error:
ModuleNotFoundError: No module named 'pywintypes'But in the end I resolved it by giving up on portable Python and installed the standard 3.10.6 x64 installer.