Johan Marais

Reputation: 23

Azure Active Directory AADSTS90014 - Invalid Request

I'm trying to authenticate to Azure Active Directory using the OAuth Implicit Flow.

I'm able to get my code from https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize.

My problem is that when I do a POST to https://login.microsoftonline.com/organizations/oauth2/v2.0/token, I'm getting the following:

error: 'invalid_request', 
error_description:
    AADSTS90014: The request body must contain the following parameter: 'grant_type'.
    Trace ID: 1ac8aa85-a56c-481d-9100-baaf6d1c2200
    Correlation ID: ecaa1339-e176-49d3-90e0-080cc0cb4b8f
    Timestamp: 2018-02-26 19:27:07Z,
error_codes: [ 90014 ],
timestamp: '2018-02-26 19:27:07Z',
trace_id: '1ac8aa85-a56c-481d-9100-baaf6d1c2200',
correlation_id: 'ecaa1339-e176-49d3-90e0-080cc0cb4b8f' 

As reference, this is what I'm posting to the URI:

// Snippet
// I should be sending queryParams to the POST request, but I keep 
// getting the error from above and then I only posted the 
// "grant_type" as a hard value into Axios
const queryParams = {
    client_id: app_id,
    client_secret: app_pass,
    scope: 'user.read',
    redirect_uri: redirect_uri,
    grant_type: 'authorization_code'
}

await axios.post(baseUrl, {
    grant_type: 'authorization_code'
}).then(res => {
    console.log(res.data)
}).catch(err => {
    if (err.response) {
        console.error(err.response.data)
        console.error(err.response.status)
        console.error(err.response.headers)
    } else if (err.request) {
        console.error(err.request)
    } else {
        console.error('ERROR', err.message);
    }
    console.log(err.config)
})

Then, to extend the log, this is what axios is reporting back to me in the error response:

{ 
    adapter: [Function: httpAdapter],
    transformRequest: { '0': [Function: transformRequest] },
    transformResponse: { '0': [Function: transformResponse] },
    timeout: 0,
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    validateStatus: [Function: validateStatus],
    headers: { 
        Accept: 'application/json, text/plain, */*',
        'Content-Type': 'application/json;charset=utf-8',
        'Access-Control-Allow-Origin': 'http://localhost:4200',
        'User-Agent': 'axios/0.18.0',
        'Content-Length': 35 },
        method: 'post',
        url: 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
        data: '{"grant_type":"authorization_code"}' 
    }
}

Is somebody able to give me some insight as to where I'm going wrong or not posting a value? Really scratching my head on this one.

Upvotes: 2

Views: 4422

Answers (1)

Marc LaFleur

Reputation: 33122

Your question claims you're using the Implicit grant but the code you included uses the Authorization Code grant. The Implicit flow does not use a secondary POST to the /token endpoint. The entire flow is done through a single call:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=[APPLICATION ID]&response_type=token&
redirect_uri=[REDIRECT URI]&scope=[SCOPE]

I suggest taking a look at a walkthrough I wrote up on this: v2 Endpoint & Implicit Grant.

If you're in fact looking to use the Authorization Code grant, then you're not sending the complete payload in your POST, only the grant_type. The full payload should include (line-breaks for clarity only):

https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&
client_secret=[PASSWORD]&
scope=[SCOPE]&
redirect_uri=[REDIRECT URI]

Also, you're sending this data over as application/json; it should be application/x-www-form-urlencoded. For details on how to do this with Axios, see this GitHub Issue.

For a walkthrough using Authorization Code see Microsoft v2 Endpoint Primer.

Upvotes: 2
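
The Authorization Code token request described in the answer above, built as a form-encoded body and compared with the JSON body from the question. This is an added example, not code from the original question or answer; `buildTokenRequest`, `missingParams` and all sample values are hypothetical and constructed for illustration.

```javascript
// Added example. Endpoint and parameter names come from the answer above;
// function names and sample values are constructed.
const TOKEN_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
const ANSWER_PARAMS = ['grant_type', 'code', 'client_id', 'client_secret', 'scope', 'redirect_uri'];

// Build the token request as application/x-www-form-urlencoded.
// client_secret is a confidential-client credential: build this server-side,
// never in code shipped to a browser.
function buildTokenRequest({ code, clientId, clientSecret, scope, redirectUri }) {
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    client_secret: clientSecret,
    scope,
    redirect_uri: redirectUri,
  });
  return {
    url: TOKEN_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(), // URLSearchParams percent-encodes '/', '+', ':' etc.
  };
}

// Local stand-in for a form-only endpoint: it reads key=value pairs and does
// not JSON-decode, so a JSON body exposes none of the expected parameters.
function missingParams(body) {
  const parsed = new URLSearchParams(body);
  return ANSWER_PARAMS.filter((name) => !parsed.get(name));
}

// Constructed sample input.
const sample = {
  code: 'CONSTRUCTED_AUTH_CODE',
  clientId: '00000000-0000-0000-0000-000000000000',
  clientSecret: 'constructed/secret+value',
  scope: 'user.read',
  redirectUri: 'http://localhost:4200/callback',
};
const goodRequest = buildTokenRequest(sample);
const jsonBodyFromQuestion = JSON.stringify({ grant_type: 'authorization_code' });

console.log('form body missing:', missingParams(goodRequest.body));
console.log('JSON body missing:', missingParams(jsonBodyFromQuestion));
// To send with axios: axios.post(goodRequest.url, goodRequest.body, { headers: goodRequest.headers })
```

Passing the pre-encoded string as the axios request body avoids its default JSON serialization of plain objects, which is what produced the `application/json` request shown in the question.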
