Reputation: 21
I'm using Azure AD login to obtain an access token so that I can make a request to SharePoint Online using its REST API.
I am able to get this access token, but when I try to use the refresh token, I get an error.
At the moment I am testing this using Postman.
I am doing the following:
https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={client_id}&client_secret={client_secret}&response_type=code
POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache

grant_type:authorization_code
client_id:{client_id}
client_secret:{client_secret}
code:{code_generated_previous_request}
redirect_uri:https://myapplication.com
resource:https://{mycompany}.sharepoint.com/

Response:
{
  "token_type": "Bearer",
  "scope": "AllSites.FullControl Directory.ReadWrite.All Group.ReadWrite.All Sites.FullControl.All Sites.Read.All User.Invite.All User.Read.All User.ReadWrite.All",
  "expires_in": "3599",
  "ext_expires_in": "3599",
  "expires_on": "1559291698",
  "not_before": "1559287798",
  "resource": "https://{mycompany}.sharepoint.com/",
  "access_token": "XXXXXXXX...",
  "refresh_token": "YYYYYYYY...",
  "id_token": "ZZZZZZZZ..."
}
POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache

grant_type:refresh_token
client_id:{client_id}
client_secret:{client_secret}
refresh_token:YYYYYYYY...
redirect_uri:https://myapplication.com

Response:
{
  "error": "invalid_grant",
  "error_description": "AADSTS70000: Provided grant is invalid or malformed.\r\nTrace ID: XXXX\r\nCorrelation ID: XXXXX\r\nTimestamp: 2019-05-31 09:35:39Z",
  "error_codes": [ 70000 ],
  "timestamp": "2019-05-31 09:35:39Z",
  "trace_id": "XXXX",
  "correlation_id": "XXXX"
}
I have tried with URL encoding, without URL encoding, removing the client_secret and redirect_uri parameters, and other things, but I always get the same error. Surely I'm making a stupid and obvious mistake, but I don't see which one.
Upvotes: 2
Views: 5272
Reputation: 22419
It seems you are trying to renew your access token using the authorization_code and refresh_token grant types.
I have partially reproduced the error you encountered, as shown below:
Possible Reason Of Error: not using the refresh_token which you got in the previous steps as it is. Be sure you did exactly that.
Resolution Of Error:
I am sharing the exact way to achieve your goal. Please have a look at the steps below.
Step 1: I am using Postman for this case. Fire up Postman, click on the Authorization tab, select Type as OAuth 2.0, and finally click on Get New Access Token. See the screenshot below:
Step 2: When you click Get New Access Token, a new window will be prompted, just as in the picture below. Fill it out with your credentials.
Request Format:
https://login.microsoftonline.com/{TenantId/Name}/oauth2/authorize?client_id={applicationId}&response_type=code&redirect_uri={yourURI}&response_mode=query&scope={yourScope}
When you click the Request Token button you will be prompted with a login window. Log in with your credentials.
Step 3: Open your Postman console before logging in, like below:
Once your login is successful, you would get your code.
Step 4: After successful login, go to the request body segment of the Postman console. Just open it and copy your code. See the screenshot below:
Step 5: Copy your code and paste it into the authorization_code token request code textbox. You would get your access_token, refresh_token and id_token.
Request Format:
client_id:{ApplicationId}
scope:{YourTokenScope}
redirect_uri:{YourAppURI}
grant_type:authorization_code
client_secret:{YourApplicationSecret}
code:{CodeOfPreviousStep}
Just like the way below:
Step 6: In this step, copy your refresh token from the previous stage (step 5) and paste it beside the refresh_token textbox while making the grant_type:refresh_token request. In response you would get your new access_token and refresh_token.
Request Format:
client_id:{ApplicationId}
scope:{YourTokenScope}
redirect_uri:{YourAppURI}
grant_type:refresh_token
client_secret:{YourApplicationSecret}
refresh_token:{refresh_token Of Previous Step}
See the screenshot below:
code and refresh token
Scope is optional for token renewal. You can renew your token without scope because your refresh token already contains your scope.
Upvotes: 0
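The two exchanges that the question attempts and the answer walks through in Postman (authorization code for tokens, then refresh_token for a new pair), written as a small script against the v1 endpoint the question uses (`/{tenant}/oauth2/token` with `resource`). This is an added example, not code from the question, the answer, or Microsoft; the tenant, client id, secret, code and token values are placeholders, and `fake_aad` is a constructed stand-in for the token endpoint so the script runs offline. Two points it makes that the thread does not spell out: the authorize URL is handed to the browser, so the `client_secret` the question puts in it does not belong there (the answer's request format correctly omits it), and the refresh token must be sent back byte for byte, so a value pasted with a trailing `...` or whitespace comes back as AADSTS70000.

```python
"""Azure AD v1 OAuth2 flow for SharePoint Online: authorization-code exchange, then
refresh_token renewal. Hypothetical example; ids, secrets and tokens are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

LOGIN_HOST = "https://login.microsoftonline.com"

class TokenError(Exception):
    """Raised on an OAuth2 error body; .codes carries AAD's numeric error_codes."""
    def __init__(self, data: dict) -> None:
        super().__init__(f"{data['error']}: {data.get('error_description', '')}")
        self.codes = list(data.get("error_codes", []))

def needs_refresh(token: dict, now: float, skew: int = 300) -> bool:
    """True once the access token is within `skew` seconds of its "expires_on" (Unix time)."""
    return now + skew >= int(token["expires_on"])

def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  resource: str, state: str) -> str:
    """Browser-facing authorize URL. It carries no client_secret on purpose: this URL
    is handed to the user's browser, so anything placed in it is exposed."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "resource": resource, "state": state}  # state ties the callback to a session
    return f"{LOGIN_HOST}/{tenant}/oauth2/authorize?" + urllib.parse.urlencode(params)

def code_exchange_body(client_id: str, client_secret: str, code: str,
                       redirect_uri: str, resource: str) -> Dict[str, str]:
    """Fields for grant_type=authorization_code. The v1 endpoint takes `resource`;
    the v2.0 endpoint takes `scope` instead."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "resource": resource}

def refresh_body(client_id: str, client_secret: str, refresh_token: str,
                 resource: Optional[str] = None) -> Dict[str, str]:
    """Fields for grant_type=refresh_token. The token goes back verbatim; stray
    whitespace or a pasted '...' makes AAD reject it as malformed (AADSTS70000)."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token.strip()}
    if resource:
        body["resource"] = resource
    return body

def parse_token_response(raw: bytes) -> dict:
    """Return the token JSON as a dict, or raise TokenError on an error body."""
    data = json.loads(raw)
    if "error" in data:
        raise TokenError(data)
    return data

def http_post(url: str, body: bytes) -> bytes:
    """Real transport: POST the form and return the body, including the JSON error
    body that AAD sends with HTTP 400 so the caller can read the AADSTS code."""
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()

def request_token(tenant: str, fields: Dict[str, str],
                  transport: Callable[[str, bytes], bytes] = http_post) -> dict:
    """POST one grant to /{tenant}/oauth2/token; URL-encoding happens here, once."""
    url = f"{LOGIN_HOST}/{tenant}/oauth2/token"
    return parse_token_response(transport(url, urllib.parse.urlencode(fields).encode()))

def fake_aad(url: str, body: bytes) -> bytes:
    """Constructed stand-in for the token endpoint so the flow runs offline. Responses
    mirror the shape in the question; token values are placeholders, not real tokens."""
    f = dict(urllib.parse.parse_qsl(body.decode()))
    if f.get("grant_type") == "authorization_code" and f.get("code") == "CODE-1":
        return json.dumps({"expires_on": "1559291698", "resource": f["resource"],
                           "access_token": "XXXXXXXX", "refresh_token": "YYYYYYYY"}).encode()
    if f.get("grant_type") == "refresh_token" and f.get("refresh_token") == "YYYYYYYY":
        return json.dumps({"expires_on": "1559295298", "access_token": "NEW-ACCESS",
                           "refresh_token": "YYYYYYYY-2"}).encode()
    return json.dumps({"error": "invalid_grant", "error_codes": [70000],
                       "error_description": "AADSTS70000: Provided grant is invalid or malformed."}).encode()

def demo() -> dict:
    """Code exchange, renewal, then a renewal with a mangled refresh token."""
    t, cid, sec = "contoso.onmicrosoft.com", "app-id", "app-secret"
    first = request_token(t, code_exchange_body(cid, sec, "CODE-1", "https://myapplication.com",
                                                "https://contoso.sharepoint.com/"), fake_aad)
    second = request_token(t, refresh_body(cid, sec, first["refresh_token"]), fake_aad)
    try:
        request_token(t, refresh_body(cid, sec, first["refresh_token"] + "..."), fake_aad)
        bad_codes = []
    except TokenError as err:
        bad_codes = err.codes
    return {"first": first, "second": second, "bad_refresh_codes": bad_codes}
```

To run it against a real tenant, call `request_token` without the `transport` argument so `http_post` is used, and obtain the `code` by sending the user through `authorize_url` and reading it from the redirect, exactly as the answer does via the Postman console. `needs_refresh` uses the `expires_on` value the token response already carries, so a client can renew a few minutes early instead of discovering expiry from a 401 on the SharePoint call.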