Certificate authentication to sharepoint error - malformed request

[mix1981]

Hi,
I've been successfully using library using credential authentication (before it was blocked by Microsoft) and AppOnly permissions. Unfortunately, Microsoft just disabled registering new applications for AppOnly access (using _layouts/15/appregnew.aspx) so I need to switch to Certificate authentication for my new project.
I created App in AZURE AD, granted required permissions, created certificate. I can see in AZURE AD that there are successful authentication entries in authentication log for this application, but when I try to connect from my php I get error 500 and in my PHP error log I get following errors:

[02-Jan-2026 14:20:51 UTC] PHP Fatal error: Uncaught Office365\Runtime\Http\RequestException: {"error_description":"ID3035: The request was not valid or is malformed."} in c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\ClientRequest.php:137 Stack trace: #0 c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\ClientRequest.php(102): Office365\Runtime\ClientRequest->validate(Object(Office365\Runtime\Http\Response)) #1 c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\OData\ODataRequest.php(128): Office365\Runtime\ClientRequest->executeQueryDirect(Object(Office365\Runtime\Http\RequestOptions)) #2 c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\ClientRequest.php(83): Office365\Runtime\OData\ODataRequest->executeQueryDirect(Object(Office365\Runtime\Http\RequestOptions)) #3 c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\ClientRuntimeContext.php(81): Office365\Runtime\ClientRequest->executeQuery(Object(Office365\Runtime\Actions\ReadEntityQuery)) #4 c:\MY_APP_PATH\ in c:\MY_APP_PATH\vendor\vgrem\php-spo\src\Runtime\ClientRequest.php on line 137
Error throws on line
$whoami = $ctx->getWeb()->getCurrentUser()->get()->executeQuery();
and any other using context. Do I miss something in my PHP code or do I have to set something more on sharepoint/AAD side?

[mix1981]

I don't know if it will be helpfull, but I dumped request options and response object. I don't know if I understand the full communication, but is it possible that request is missing headers? Dump is done in ClientRequest.php
public function executeQuery($query) $request = $this->buildRequest($query); var_dump($request);
and response is dumped from
public function validate($response) var_dump($response);

And here is request:
object(Office365\Runtime\Http\RequestOptions)#21 (16) { ["Url"]=> string(76) "https://MY_TENANT_NAME.sharepoint.com/sites/MY_SITE_NAME/_api/Web/CurrentUser" ["Method"]=> string(3) "GET" ["Headers"]=> array(0) { } ["Data"]=> NULL ["IncludeHeaders"]=> bool(false) ["IncludeBody"]=> bool(true) ["AuthType"]=> NULL ["UserCredentials"]=> NULL ["Verbose"]=> bool(false) ["SSLVersion"]=> NULL ["StreamHandle"]=> NULL ["ConnectTimeout"]=> NULL ["TransferEncodingChunkedAllowed"]=> bool(false) ["FollowLocation"]=> bool(false) ["IPResolve"]=> NULL ["ForbidReuse"]=> bool(false) }
and response
object(Office365\Runtime\Http\Response)#24 (4) { ["RequestOptions":protected]=> object(Office365\Runtime\Http\RequestOptions)#21 (16) { ["Url"]=> string(76) "https://MY_TENANT_NAME.sharepoint.com/sites/MY_SITE_NAME/_api/Web/CurrentUser" ["Method"]=> string(3) "GET" ["Headers"]=> array(4) { ["Accept"]=> string(31) "application/json; odata=verbose" ["Content-Type"]=> string(31) "application/json; OData=verbose" ["Authorization"]=> string(1821) "Bearer eyJ0eXAiOiJ_SOME_BASE64_STRING_sH5g2MpnQ" ["Content-Length"]=> int(0) } ["Data"]=> NULL ["IncludeHeaders"]=> bool(false) ["IncludeBody"]=> bool(true) ["AuthType"]=> NULL ["UserCredentials"]=> NULL ["Verbose"]=> bool(false) ["SSLVersion"]=> NULL ["StreamHandle"]=> NULL ["ConnectTimeout"]=> NULL ["TransferEncodingChunkedAllowed"]=> bool(false) ["FollowLocation"]=> bool(false) ["IPResolve"]=> NULL ["ForbidReuse"]=> bool(false) } ["CurlInfo":protected]=> array(37) { ["url"]=> string(76) "https://MY_TENANT_NAME.sharepoint.com/sites/MY_SITE_NAME/_api/Web/CurrentUser" ["content_type"]=> NULL ["http_code"]=> int(401) ["header_size"]=> int(1512) ["request_size"]=> int(2032) ["filetime"]=> int(-1) ["ssl_verify_result"]=> int(20) ["redirect_count"]=> int(0) ["total_time"]=> float(0.320223) ["namelookup_time"]=> float(0.04554) ["connect_time"]=> float(0.092822) ["pretransfer_time"]=> float(0.183136) ["size_upload"]=> float(0) ["size_download"]=> float(74) ["speed_download"]=> float(231) ["speed_upload"]=> float(0) ["download_content_length"]=> float(74) ["upload_content_length"]=> float(-1) ["starttransfer_time"]=> float(0.320123) ["redirect_time"]=> float(0) ["redirect_url"]=> string(0) "" ["primary_ip"]=> string(13) "13.107.138.10" ["certinfo"]=> array(0) { } ["primary_port"]=> int(443) ["local_ip"]=> string(12) "192.168.1.20" ["local_port"]=> int(52156) ["http_version"]=> int(3) ["protocol"]=> int(2) ["ssl_verifyresult"]=> int(0) ["scheme"]=> string(5) "HTTPS" ["appconnect_time_us"]=> int(181907) ["connect_time_us"]=> int(92822) ["namelookup_time_us"]=> int(45540) ["pretransfer_time_us"]=> int(183136) ["redirect_time_us"]=> int(0) ["starttransfer_time_us"]=> int(320123) ["total_time_us"]=> int(320223) } ["Content":protected]=> string(74) "{"error_description":"ID3035: The request was not valid or is malformed."}" ["Headers":protected]=> array(0) { } }