Invalid Grant (Error Code 70000) refreshing token Azure AD

1
votes

I'm using Azure AD login to obtain an access token and be able to do a request to SharePoint Online using its API REST.

I am able to get this access token but, when I try to get the refresh token, I get an error.

In this moment I am testing this using Postman.

I am doing the following:

  • I start calling the next URL to get the code:
https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={client_id}&client_secret={client_secret}&response_type=code
  • When I receive the code, I do the following POST:
POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache

grant_type:authorization_code
client_id:{client_id}
client_secret:{client_secret}
code:{code_generated_previous_request}
redirect_uri:https://myapplication.com
resource:https://{mycompany}.sharepoint.com/
  • I receive this response:
{
    "token_type": "Bearer",
    "scope": "AllSites.FullControl Directory.ReadWrite.All Group.ReadWrite.All Sites.FullControl.All Sites.Read.All User.Invite.All User.Read.All User.ReadWrite.All",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1559291698",
    "not_before": "1559287798",
    "resource": "https://{mycompany}.sharepoint.com/",
    "access_token": "XXXXXXXX...",
    "refresh_token": "YYYYYYYY...",
    "id_token": "ZZZZZZZZ..."
}
  • Finally, I try to refresh token doing the following POST:
POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
grant_type:refresh_token
client_id:{client_id}
client_secret:{client_secret}
refresh_token:YYYYYYYY...
redirect_uri:https://myapplication.com
  • But in this step, I get an error:
    "error": "invalid_grant",
    "error_description": "AADSTS70000: Provided grant is invalid or malformed.\r\nTrace ID: XXXX\r\nCorrelation ID: XXXXX\r\nTimestamp: 2019-05-31 09:35:39Z",
    "error_codes": [
        70000
    ],
    "timestamp": "2019-05-31 09:35:39Z",
    "trace_id": "XXXX",
    "correlation_id": "XXXX"
}

I have checked with URL Encode, without URL encode, removing the client_secret and redirect_uri parameters and other things, but I always get the same error. Surely, I'm making a stupid and obvious mistake, but I don't see which one.

1
azurepostloginoauth-2.0azure-active-directory
Hi did my answer worked for you? - Md Farid Uddin Kiron

1 Answers

0
votes

It seems you are trying to renew your access token using authorization code and refresh_token grant_type.

I have partially reproduce the error you encountered. As shown below:

enter image description here

Possible Reason Of Error:

  1. Though exact reason is unknown!
  2. I am presuming your pasted refresh token wasn't valid. In this case you may encountered this error.
  3. You have to paste the refresh_token which you have got on previous steps as it is. be sure you did exactly.

Resolution Of Error:

I am sharing the exact way to achieve your goal. Please have a look the below steps

Step:1

I am using PostMan for this case. Please fire up the PostMan and click on Authorization tab also select Type as OAuth 2.0 finally click on Get New Access Token. See the below screen shot:

enter image description here

Step:2

When you would clicked Get New Access Token new window will be prompted just as given picture below. fill out this with your credentials.

Request Format:

https://login.microsoftonline.com/{TenantId/Name}/oauth2/authorize?client_id={applicationId}&response_type=code&redirect_uri={yourURI}&response_mode=query&scope={yourScope}

enter image description here

When you click Request Token button you will be prompt login window. Login with your credentials.

Step:3

Open your postman console before login like below:

enter image description here

Once your login successful. You would get your code.

enter image description here

Step:4

After successful login Go to postman console request body segment. Just open it and copy your code. See the screen shot below:

enter image description here

Step:5

Copy your code and and paste on authorization_code token request code textbox part. You would get your access_token refresh_token and id_token

Request Format:

client_id:{ApplicationId}

scope:{YourTokenScope}

redirect_uri:{YourAppURI}

grant_type:authorization_code

client_secret:{YourApplicationSecret}

code:{CodeOfPreviousStep}

Just like below way:

enter image description here

Step:6

This step copy your refresh token from previous stage (step 5) and paste on beside refresh_token textbox while requesting grant_type:refresh_token request. In response you would get your new access_token and refresh_token

Request Format:

client_id:{ApplicationId}

scope:{YourTokenScope}

redirect_uri:{YourAppURI}

grant_type:refresh_token

client_secret:{YourApplicationSecret}

refresh_token:{refresh_token Of Previous Step}

See the screen shot below:

enter image description here

Note

  1. Be sure you are coping exact code and refresh token
  2. Scope optional for token renewal. You can renew your token without scope because your refresh token already contains your scope.