We have implemented Microsoft Azure OAuth2 on our web app, and we are trying to address common errors that users hit when using that OAuth method.

The error "OAuth2::Error, invalid_grant: AADSTS65001: No permission to access user information is configured for '...' application, or it is expired or revoked." accounts for about 82% of our errors with the Azure OAuth flow.

Here's our configuration:

# ==> Office 365 OAuth2
config.omniauth :azure_oauth2,
  client_id: '...',
  client_secret: '...',
  tenant_id: '...',                            # our Azure AD tenant (directory) id
  resource: 'https://outlook.office365.com/',  # API the access token is requested for
  # OmniAuth setup phase: runs before the request and callback phases, so we
  # can read our own `state` query parameter and adjust the strategy options.
  setup: lambda { |env|
    params  = Rack::Utils.parse_query(env['QUERY_STRING'])
    options = env['omniauth.strategy'].options

    case params['state']
    when 'calendar', 'select_account'
      options[:prompt] = 'login'  # force a fresh interactive sign-in
    end
  }

We know that this error can be caused by using a non-Office 365 account. Since our resource is 'https://outlook.office365.com/', and because our app needs to be able to interact with the user's calendar, the user must authenticate with an Office 365 account. Some other account, like a Microsoft Live account, will cause this error.

QUESTIONS

1 - What else might cause this error?

2 - Is there a way to limit the Azure OAuth flow to only allow true Office 365 logins?

1 Answer

The reason is: if a user gets locked out and has to reset their password, or after any other invalid attempts to log in to Azure AD (which authenticates users against O365), the refresh token that your app holds is invalidated. Therefore, an application handles the changed password (old refresh token) gracefully by throwing this error. In this case, your app should redirect the user to the authorization page to re-authenticate the user.

Hope this helps.
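An added example, not code from the question, the answer, or the omniauth-azure-oauth2 gem, showing the two checks the thread points at: classifying a token-endpoint error body so an invalid_grant (such as the AADSTS65001 case above) sends the user back through authorization rather than retrying a dead refresh token, and confirming the id_token's tid claim matches the configured tenant so a sign-in from another tenant or a consumer account is rejected. The module name, the constructed error body, the placeholder tenant id and the unsigned sample tokens are all assumptions for the demo; in the real app you would feed classify the parsed response body carried by the oauth2 gem's OAuth2::Error, and run the tenant check only on an id_token the library has already validated.

```ruby
require 'json'
require 'base64'

# Hypothetical helper module (added example; not from the question or the
# omniauth-azure-oauth2 gem). Wraps two checks around the Azure AD token flow.
module AzureAuthErrors
  REAUTHORIZE = :reauthorize # stored grant is dead; start an interactive sign-in
  FAIL        = :fail        # anything else: log it and surface it to the user

  # Constructed sample, modelled on the error text quoted in the question.
  SAMPLE_AADSTS65001_BODY = {
    'error' => 'invalid_grant',
    'error_description' => "AADSTS65001: No permission to access user information " \
                           "is configured for 'example-app' application, or it is " \
                           "expired or revoked."
  }.to_json.freeze

  # Classify an Azure AD token-endpoint error body (JSON string or Hash).
  # Returns the action to take plus the extracted AADSTS code for logging.
  def self.classify(error_body)
    data = error_body.is_a?(String) ? JSON.parse(error_body) : error_body
    code = data['error'].to_s
    desc = data['error_description'].to_s
    # RFC 6749 section 5.2: invalid_grant covers an invalid, expired or revoked
    # refresh token, which is the password-reset case the answer describes.
    action = code == 'invalid_grant' ? REAUTHORIZE : FAIL
    { action: action, error: code, aadsts: desc[/AADSTS\d+/], description: desc }
  end

  # Read the payload of a compact JWS/JWT WITHOUT verifying it. Only call this
  # on an id_token the OAuth library has already validated (signature, issuer,
  # audience, expiry); this is an extra policy check, not a replacement.
  def self.jwt_payload(jwt)
    parts = jwt.split('.', -1)
    raise ArgumentError, 'not a compact JWS token' unless parts.length == 3
    JSON.parse(Base64.urlsafe_decode64(parts[1]))
  end

  # True when the token was issued by the tenant configured as tenant_id.
  # Consumer (Live/MSA) accounts and other organisations carry a different
  # `tid`, so they fail this check even if the token is otherwise valid.
  def self.from_expected_tenant?(id_token, tenant_id)
    claims = jwt_payload(id_token)
    claims['tid'].to_s.casecmp?(tenant_id.to_s) == true
  end

  # Test fixture only: build an UNSIGNED token (alg "none") carrying the given
  # claims so the tenant check can run offline. Real id_tokens are signed.
  def self.sample_id_token(claims)
    enc = ->(h) { Base64.urlsafe_encode64(h.to_json, padding: false) }
    "#{enc.call('alg' => 'none', 'typ' => 'JWT')}.#{enc.call(claims)}."
  end
end

if $PROGRAM_NAME == __FILE__
  tenant = 'contoso-tenant-id' # placeholder for the tenant_id in the config
  result = AzureAuthErrors.classify(AzureAuthErrors::SAMPLE_AADSTS65001_BODY)
  puts "#{result[:aadsts]} -> #{result[:action]}"

  ok  = AzureAuthErrors.sample_id_token('tid' => tenant, 'preferred_username' => 'a@contoso.example')
  bad = AzureAuthErrors.sample_id_token('tid' => 'some-other-tenant', 'preferred_username' => 'b@live.example')
  puts "same tenant: #{AzureAuthErrors.from_expected_tenant?(ok, tenant)}"
  puts "other tenant: #{AzureAuthErrors.from_expected_tenant?(bad, tenant)}"
end
```

In the callback handler, a :reauthorize result should clear the stored refresh token and redirect to the authorize URL (the prompt: 'login' option from the config forces the interactive sign-in); a false tenant check should end the session rather than proceed with a token from the wrong directory.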