[Bug] Using the SHA2 feature will cause the following errors

[haha1903]

Library version used

4.46.0

.NET version

Any

Scenario

PublicClient - desktop app

Is this a new or an existing app?

None

Issue description and reproduction steps

When getting a token by certificate

Microsoft.Identity.Client.MsalServiceException: AADSTS5002730: Invalid JWT token. Unsupported key for the signing algorithm. Trace ID: c985e53a-e233-4b56-88f0-bfcd91e20c00 Correlation ID: ef66443e-1b8d-43f8-9d6e-af2a090818ee Timestamp: 2024-03-29 01:38:20Z

Relevant code snippets

var certificate = X509Certificate2.CreateFromPemFile("xxx", "xxx");
var singletonApp = ConfidentialClientApplicationBuilder.Create("aadApp")
    .WithAuthority("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47")
    .WithCertificate(certificate, true)
    .Build();


var authResult = await singletonApp
    .AcquireTokenForClient(scopes: new[] { "scope" })
    .ExecuteAsync();

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Downgrade MSAL to version 4.59.0

[bgavrilMS]

Very strange, as we have integration tests that check this flow. We use pfx based certs. Need to test pem based approach.

[bgavrilMS]

@neha-bhargava - can you please take a look at this one.

[neha-bhargava]

I just tried a PEM cert and received a token using the latest package. Can you share how you are creating the PEM certificate? Maybe this is an edge case.

[gladjohn]

From a preliminary investigation from a partner team this looks like an external issue (AAD) that is affecting MSAL 4.60.0, I will keep you updated here when the issue has been fixed. Please rollback to a previous version of MSAL until then