Fixes #3470 (#3471)

jmprieur · web-flow · commit 78d00877d4e6 · 2025-09-09T18:38:50.000-07:00
* Fixes #3470 Tested manually with a client secret. * Fixing typo * Update Directory.Build.props * Update changelog for version 3.14.1
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -2,7 +2,7 @@
   <PropertyGroup>
     <!--This should be passed from the VSTS build-->
     <!-- This needs to be greater than or equal to the validation baseline version -->
-    <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">3.13.2</MicrosoftIdentityWebVersion>
+    <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">3.14.1</MicrosoftIdentityWebVersion>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <Version>$(MicrosoftIdentityWebVersion)</Version>
 
diff --git a/changelog.md b/changelog.md
@@ -1,3 +1,8 @@
+3.14.1
+=======
+##  Bug fix
+- Support client secrets with agent user identities. See [#3470](https://github.com/AzureAD/microsoft-identity-web/issues/3470) for details.
+
 3.14.0
 =======
 ## New features
diff --git a/src/Microsoft.Identity.Web.AgentIdentities/AgentUserIdentityMsalAddIn.cs b/src/Microsoft.Identity.Web.AgentIdentities/AgentUserIdentityMsalAddIn.cs
@@ -70,8 +70,7 @@ internal static Task OnBeforeUserFicForAgentUserIdentityAsync(
                         request.BodyParameters["grant_type"] = "user_fic";
                         request.BodyParameters.Remove("password");
 
-                        if (request.BodyParameters.TryGetValue("client_secret", out var secret)
-                                && secret.Equals("default", StringComparison.OrdinalIgnoreCase))
+                        if (request.BodyParameters.TryGetValue("client_secret", out var secret))
                         {
                             request.BodyParameters.Remove("client_secret");
                         }
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
@@ -869,7 +869,12 @@ public async Task RemoveAccountAsync(
         private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)
         {
             return !_retryClientCertificate &&
-                string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase);
+                string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase) &&
+                !exMsal.ResponseBody.Contains("AADSTS7000215" // No retry when wrong client secret.
+#if NET6_0_OR_GREATER
+                , StringComparison.OrdinalIgnoreCase
+#endif
+                );
         }
 
 

Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,7 @@ internal static Task OnBeforeUserFicForAgentUserIdentityAsync(`
`70`	`70`	`request.BodyParameters["grant_type"] = "user_fic";`
`71`	`71`	`request.BodyParameters.Remove("password");`
`72`	`72`
`73`		`- if (request.BodyParameters.TryGetValue("client_secret", out var secret)`
`74`		`- && secret.Equals("default", StringComparison.OrdinalIgnoreCase))`
	`73`	`+ if (request.BodyParameters.TryGetValue("client_secret", out var secret))`
`75`	`74`	`{`
`76`	`75`	`request.BodyParameters.Remove("client_secret");`
`77`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -869,7 +869,12 @@ public async Task RemoveAccountAsync(`
`869`	`869`	`private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)`
`870`	`870`	`{`
`871`	`871`	`return !_retryClientCertificate &&`
`872`		`- string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase);`
	`872`	`+ string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase) &&`
	`873`	`+ !exMsal.ResponseBody.Contains("AADSTS7000215" // No retry when wrong client secret.`
	`874`	`+#if NET6_0_OR_GREATER`
	`875`	`+ , StringComparison.OrdinalIgnoreCase`
	`876`	`+#endif`
	`877`	`+ );`
`873`	`878`	`}`
`874`	`879`
`875`	`880`