Lachezar Balev

Reputation: 12021

OAuth 2.0 and Azure Active Directory - error AADSTS90009

I'm trying to authorize access to our web application by using OAuth 2.0 and Azure AD. Guide here.

The user is redirected to a URL similar to this:

https://login.microsoftonline.com/common/oauth2/authorize?
    client_id=d220846b-1916-48d2-888b-9e16f6d9848b&
    response_type=code&
    response_mode=query&
    state=[secure-random]&
    redirect_uri=[my_uri]&
    resource=[my app ID uri taken from app settings]

I'm getting the following error then:

AADSTS90009: Application 'd220846b-1916-48d2-888b-9e16f6d9848b' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.

This description does not really help me. I've checked this thread, but I'm still lost.

What does this error mean, and which is the GUID based App Identifier? What should the value of resource look like? Help much appreciated.

Upvotes: 23

Views: 26995

Answers (2)

Matthias

Reputation: 3900

Just in case this helps anyone else, I was getting the same error when trying to get a refresh token (https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token) using custom scopes.

I couldn't get this to work until I also added scope=... to my request body, e.g.

// Redeem the refresh token at the v2.0 token endpoint; the scope parameter
// names the resource (here a custom API scope) the new access token is for.
const res = await fetch(`https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'grant_type=refresh_token'
  + `&client_id=${CLIENT_ID}`
  + `&client_secret=${CLIENT_SECRET}`
  + `&refresh_token=${refreshToken}`
  + `&scope=${encodeURIComponent('openid profile email offline_access api://{tenant_id}/my_scope')}`
});
// The token endpoint answers with JSON; the renewed token is in access_token.
const renewedAccessToken = (await res.json())?.access_token;

Upvotes: 1

Daniel Dobalian

Reputation: 3237

This error is saying that the field you provided in the resource parameter is requesting tokens for itself. In the case you do want to get a token for the app specified in the client_id, then you have to pass the client_id in the resource field rather than the app ID URI. At which point you will receive an access token for self.

Alternatively, you can provide an app ID URI of a web API you've registered or another resource with scopes to get tokens for that resource (Microsoft Graph, Office API, etc).

Upvotes: 48
