yfan183

Reputation: 587

AADSTS50012: Invalid client secret is provided when moving from a Test App to Production

I have two applications registered under the Azure Portal: a test version and a production version. My test App works fine with the Client Id and ClientSecret/AppKey that I got from the test app's detail from Azure Portal. However when I move to the production one as I replace the ClientId and Secret values with the one specified by the production App I registered, I suddenly get an error:

AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided

But I'm fairly sure that my client secret is correct, as I just copied and pasted it from the Portal. Are there any solutions to this?

Upvotes: 26

Views: 84045

Answers (10)

CaulG

Reputation: 1

Have you checked if your password is configured correctly in your .yml file? I just spent 4 hours debugging the same issue and eventually realised that the error is because I set BOT_PASSWORD: ${{SECRET_BOT_PASSWORD}}/ instead of BOT_PASSWORD: ${{SECRET_BOT_PASSWORD}} due to my keyboard issue.

Upvotes: 0

jBelanger

Reputation: 1778

Make sure you don't have an environment variable called AzureAD__ClientSecret. Since environment variables take precedence over secrets, changing the secrets will have no effect.

Happened to me after switching to a new project.

Upvotes: 0

Promise Preston

Reputation: 29058

I experienced this issue when working on deploying a docker image to a virtual machine on Azure using Azure DevOps.

My initial Azure DevOps pipeline script was:

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'

Here's how I fixed it:

Adding the command az acr login --name $(containerRegistry) to the az vm run-command did the trick:

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "az acr login --name $(containerRegistry) && docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'

Upvotes: 0

Uriel

Reputation: 466

This may sound stupid but as it happened to me, it could happen to someone else (as clueless as me): The code you need to use is not the one that says "Secret ID" but the one that says "value".

Upvotes: 13

pykos

Reputation: 43

Maybe this will help some lost souls.

I had my secret set up in secrets.json at the beginning of the project, which I forgot. After the secret expired, I tried updating appsettings.json to no avail, until I remembered and changed it in secrets.json. This was a test project run only locally. You could also have it in the env variables, which also take precedence over appsettings.

Upvotes: 1

Armando Pitotti

Reputation: 111

The problem is the expire time of the secret. With 6, 12 or 18 months there is no problem (I am using azure-cli 2.26.0). With 24 months you get the error:

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: fef57aee-deeb-47fa-ae05-ba8427cd4300\r\nCorrelation ID: ba3cc2d5-1594-4af3-be2b-3b35e8d40e06\r\nTimestamp: 2021-10-23 18:18:27Z","error_codes":[7000215],"timestamp":"2021-10-23 18:18:27Z","trace_id":"fef57aee-deeb-47fa-ae05-ba8427cd4300","correlation_id":"ba3cc2d5-1594-4af3-be2b-3b35e8d40e06","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

Upvotes: 3

Michael Washington

Reputation: 3075

In my case I had 2 keys. I created a third one, that didn't work. Finally I removed all keys and created a new one, but, just one. Then it worked.

Upvotes: 2
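The three answers above (copying the Secret ID instead of the Value, an expired secret, and several secrets on one app) can all be ruled out from the app's registered credentials before blaming the token endpoint. This is an added example, not code from the thread; it assumes the passwordCredential shape (keyId, displayName, hint, endDateTime) that `az ad app credential list --id <app-id>` prints on newer az versions, and the JSON below is constructed sample data.

```python
"""Added example (not from the thread): classify the client secret found in
config against an app's registered credentials. Assumes the Graph
passwordCredential shape; the credentials below are constructed samples."""
import json
from datetime import datetime, timezone

# Constructed sample of `az ad app credential list` output (assumed shape).
SAMPLE_CREDENTIALS = json.loads("""[
 {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "prod-2021",
  "hint": "Qx7", "endDateTime": "2021-06-30T00:00:00Z"},
 {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "prod-2023",
  "hint": "m9~", "endDateTime": "2099-01-01T00:00:00Z"}
]""")


def _parse_utc(ts: str) -> datetime:
    # Graph timestamps end in 'Z'; fromisoformat() needs an explicit +00:00 offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_secret(configured_secret: str, credentials: list, now=None) -> str:
    """Return 'looks_like_key_id', 'unknown', 'expired' or 'ok'.

    Only the 3-character hint is compared; the full secret never leaves config.
    """
    now = now or datetime.now(timezone.utc)
    # Uriel's pitfall: the Secret ID (a GUID) was copied instead of the Value.
    if any(c["keyId"] == configured_secret for c in credentials):
        return "looks_like_key_id"
    # With several secrets on the app, find the one(s) whose hint matches.
    matches = [c for c in credentials
               if c.get("hint") and configured_secret.startswith(c["hint"])]
    if not matches:
        return "unknown"
    # Armando's case: every matching credential is already past endDateTime.
    if all(_parse_utc(c["endDateTime"]) <= now for c in matches):
        return "expired"
    return "ok"
```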

fdulau

Reputation: 371

Encode your secret (e.g. replace + by %2B, = by %3D, etc.)

Upvotes: 37
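The encoding advice matters when the client_credentials request body is assembled by hand (curl, Postman, a raw HTTP client) rather than by ADAL/MSAL: a '+' in an unencoded form field decodes as a space and '=' splits the value. Added example, not code from the thread; the client id and secret are constructed placeholders.

```python
"""Added example (not from the thread): a naive form body versus a properly
form-encoded one, decoded the way the token endpoint decodes them."""
from urllib.parse import urlencode, parse_qs

# Constructed placeholder secret containing the characters fdulau mentions.
CLIENT_SECRET = "abc+def=ghi/jkl"


def naive_body(client_id: str, client_secret: str) -> str:
    """Body built by string concatenation, secret pasted in verbatim."""
    return (f"client_id={client_id}&client_secret={client_secret}"
            "&grant_type=client_credentials")


def encoded_body(client_id: str, client_secret: str) -> str:
    """Body built with urlencode: '+' -> %2B, '=' -> %3D, '/' -> %2F."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    })


def secret_as_server_sees_it(body: str) -> str:
    """Decode application/x-www-form-urlencoded as the endpoint does."""
    return parse_qs(body, keep_blank_values=True)["client_secret"][0]


def secret_survives(body: str, expected: str) -> bool:
    """True if the secret decoded from the body equals the one we configured."""
    return secret_as_server_sees_it(body) == expected
```

With the naive body the endpoint receives "abc def=ghi/jkl" and rejects it as an invalid client secret; the encoded body round-trips unchanged.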

Shawn Tabrizi

Reputation: 12434

Have you tried simply regenerating the secret?

The error here is pretty straightforward and I do not think it is a fault with AAD.

Let me know if this works out for you!

Upvotes: 14

Toan Nguyen

Reputation: 11601

Please check your tenant Id and audience id in your config. You may still have a reference to the test environment.

Upvotes: -1
