I am trying to get an auth token with Azure AD and a certificate from a console app. When I try to get the auth token I get the "Object reference not set to an instance of an object" error.
This is the code:
string _path = @"path_to_cert_file";
// Load the certificate into an X509Certificate object.
var cert_file = System.IO.File.ReadAllBytes(_path);
X509Certificate2 cert = new X509Certificate2(cert_file);
//byte[] certificateContents = Convert.FromBase64String(_options.Certificate);
//X509Certificate2 certificate = new X509Certificate2(certificateContents);
ClientCertificate = new ClientAssertionCertificate("client_id", cert);
TokenCache cache = new TokenCache();
AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", false, cache);
AuthenticationResult result = null;
string o365Token = "";
try
{
result = await authContext.AcquireTokenAsync("https://graph.microsoft.com", ClientCertificate);
o365Token = result.AccessToken;
}
catch (Exception ex)
{
throw;
}
When I try to get the token I get the error with this stack trace:
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.SigningHelper.SignWithCertificate(String message, X509Certificate2 certificate)
at Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate.Sign(String message)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.JsonWebToken.Sign(IClientAssertionCertificate credential, Boolean sendX5c)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.ClientCreds.ClientKey.AddToParameters(IDictionary`2 parameters)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.DictionaryRequestParameters..ctor(String resource, ClientKey clientKey)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__72.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<CheckAndAcquireTokenUsingBrokerAsync>d__62.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__60.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenForClientCommonAsync>d__37.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__61.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at TestTeams.Program.<GetTokenAsync>d__10.MoveNext() in
I ran into this issue recently as well when trying to read an X509Certificate2 from a file and use it to create a ClientAssertionCertificate. It turned out to be an issue with the certificate itself. There was no private key in the file, and that was the cause of the "object not set" exception in:
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.SigningHelper.SignWithCertificate(String message, X509Certificate2 certificate).
When you export the certificate to a file, make sure to include the private key and make it password protected. As Tony Ju mentioned, you need to update the authority as well. Then the following code should work for you:
string _path = @"path_to_cert_file";
string _password = "cert file password";
// Load the certificate into an X509Certificate object.
X509Certificate2 cert = new X509Certificate2(_path, _password);
ClientCertificate = new ClientAssertionCertificate("client_id", cert);
TokenCache cache = new TokenCache();
AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/{tenant_id}", false, cache);
AuthenticationResult result = null;
string o365Token = "";
try
{
result = await authContext.AcquireTokenAsync("https://graph.microsoft.com", ClientCertificate);
o365Token = result.AccessToken;
}
catch (Exception ex)
{
throw;
}
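The check the answer describes, as an added example that is not part of the original answer: it tests a loaded certificate for a usable private key before it is handed to ClientAssertionCertificate, so the failure surfaces with a clear reason instead of a null reference inside the signing helper. The self-signed certificate, the `CertPreflight` class, `WhyUnusable` and the `demo-pw` password are constructed for illustration, and the check assumes an RSA key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CertPreflight
{
    // Hypothetical helper: returns null when the certificate can sign a
    // client assertion, otherwise the reason it cannot.
    public static string WhyUnusable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "no private key (public-only export such as .cer)";
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            return "outside validity period";
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            // Assumption: the assertion is signed with an RSA key.
            if (rsa == null) return "private key is not RSA";
            // Trial signature: proves this process can actually use the key.
            rsa.SignData(Encoding.UTF8.GetBytes("probe"),
                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        return null;
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate, exported both ways.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=preflight-demo", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 full = req.CreateSelfSigned(
                DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30)))
            {
                byte[] cerBytes = full.Export(X509ContentType.Cert);           // public part only
                byte[] pfxBytes = full.Export(X509ContentType.Pfx, "demo-pw"); // includes the private key

                var publicOnly = new X509Certificate2(cerBytes);
                var withKey = new X509Certificate2(pfxBytes, "demo-pw");

                Console.WriteLine("cer: " + (WhyUnusable(publicOnly) ?? "usable"));
                Console.WriteLine("pfx: " + (WhyUnusable(withKey) ?? "usable"));
            }
        }
    }
}
```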