Spent a few hours today smashing my face into a wall trying to capture an Oauth refresh token. I found a bunch of people running into the same error on the internets but no one seemed to explain what was going on in a way that made sense to me or was helpful. The error was getting was less than helpful. Below is the error in text output and a screen shot of what it looks like in fiddler
error_description=AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed.
Trace ID: 4d834495-9197-4a44-9e3b-65ef719e0500
Correlation ID: 10fe8dd1-7bdc-4c7e-bdd1-fbba24e6eca8
Timestamp: 2017-11-07 12:44:46Z
Two parts of the error
The error is not one but two different errors, you can see the distinction better in the fiddler. The errors start with AADSTS – short for (Azure Active Directory Security Token Service) Which is the first hint of how to treat these errors. They are STS errors from azure. The errors are as follows:
- AADSTS70002: Error validating credentials. – The 70002 error is the first error and it’s a high level error indicating something was wrong with the authentication request presented to the STS endpoint
- AADSTS70000: The provided access grant is invalid or malformed. – The 70000 error is supposed to provide more details, it does not help much. In tells you two things could be wrong. 1. one of your tokens is bad, my bet is refresh – or 2- your URL is incorrect – my bet here is the reply URL does not 100% match what you configured in Azure.
My bets above are because those were the issues that appeared to come up the most in research, they are what the source code indicated when I drove down the error paths, and they are issues I was running into.
STS is picky about the data, and it should be it’s authenticating you, don’t want it to be all lazy let hackers in. When you make a request for authentication everything needs to be formated correctly. If you pop over here and scroll down to the Refreshing the Access tokens section you’ll find what needs to be present.
// Line breaks for legibility only
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps
Malformed – If anything is spelled incorrectly or out of place, like cleitn_id vs client_id or your redirect_url is https://localhost in the script but it’s to https://localhost/ with the slash on the end in Azure then you will get the AADSTS70000 error for being MALFORMED
Invalid – You get one chance to use your refresh token. If you refresh it incorrectly then the refresh token is invalid and you’ll need to obtain a new one other wise you’ll run into the error AADSTS70000 for having invalid tokens.
Git Example
I published a hacked together sample aplication that allows you to login with your credentials to generate the inital token, then it will extract the refresh token from intial login and store it in an XML file you can call in your applications to login without user prompts.
Git repository can be found here – https://github.com/wlkmmas/AzureRefreshToken