Microsoft Graph REST API invalid client secret

Asked 14/12, 2016 at 1:55 Answered 9/7, 2021 at 15:24

Solved azure curl office365api microsoft-graph-api azure-ad-graph-api

I have the following POST call I need to make. However, even if I provided the right client id and secret id, my call is getting rejected.

    curl POST https://login.microsoftonline.com/f02....e3/oauth2/token
 -H 'Content-Type: application/x-www-form-urlencoded'  --data 'grant_type=authorization_code&redirect_uri=https://requestb.in/ac&
source=https://graph.microsoft.com&client_id=1e1....-913d9
&client_secret=YmbSFYz.....4Uk=&scope=mail.read&code=AaAAA........on0a569'

This is the error I receive:

    curl: (6) Could not resolve host: POST
    {"error":"invalid_client","error_description":"AADSTS70002: 
Error validating credentials. AADSTS50012: Invalid client secret is
 provided.\r\nTrace ID: 78d...a2b\r\nCorrelation ID: 
01....ab2\r\nTimestamp: 2016-12-14 01:46:47Z","error_codes":[70002,50012],"timestamp":"2016-12-14 01:46:47Z","trace_id":"78d....a2b","correlation_id":"018.....ab2"}

How could I resolve this ?

EDIT: I am trying to achieve the second section(i.e getting token) in this documentation

Glaucescent answered 14/12, 2016 at 1:55 Comment(3)

Is your redirect_uri the same as the one you entered when you registered your app? – Cithara 14/12, 2016 at 2:54

yes it is. If they are different, is that a problem ? – Glaucescent 15/12, 2016 at 18:31

in that case it will say the wrong redirect_uri, not incorrect client secret. – Sienkiewicz 10/9, 2021 at 13:4

The post you provided is leveraging AAD V2 endpoint. But according your code snippet, you were using V1 endpoint https://login.microsoftonline.com/f02....e3/oauth2/token. For acquire access token via V1 endpoint, you can refer to https://graph.microsoft.io/en-us/docs/authorization/app_authorization for more details.

For the V2 authorization endpoint, you may check out the endpoints you are using:

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?...

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

And also it is required a v2.0 ad application:

This article assumes a v2.0 registration, so you'll register your app on the Application Registration Portal.

Oxytocin answered 15/12, 2016 at 7:47 Comment(14)

Thank you for explaining this. After I tried v2.0 for authorization code first, I found the following errors: AADSTS70001: Application '1e15...53d9' is not supported for this API version. – Glaucescent 15/12, 2016 at 18:23

It means that your AD application dose not support v2.0 endpoint. For registering a v2.0 application, you can refer to learn.microsoft.com/en-us/azure/active-directory/… – Oxytocin 16/12, 2016 at 1:12

as long as it can support both Office and Outlook, I can re configure the app to use v2. – Glaucescent 16/12, 2016 at 1:13

i am afraid that currently we cannot. – Oxytocin 16/12, 2016 at 1:14

I see. So I should use v1 if we want to access both outlook and office features. Right ? – Glaucescent 16/12, 2016 at 1:15

application in v2.0 also can support both. But as your current application is in v1.0, so you can flow graph.microsoft.io/en-us/docs/authorization/app_authorization to acquire the token. – Oxytocin 16/12, 2016 at 1:16

this is totally new application so I can re create one. – Glaucescent 16/12, 2016 at 2:15

I followed the instructions based on the links you provided to migrate our app to v2 and I was able to get authorization code but when I tried to aquire token using adal4j libarary I got this error "Authorization Code is malformed or invalid". I add an app at apps.dev.microsoft.com ( I generated password and public/private key) I added a redirect url that is not https for local dev't. authority= login.microsoftonline.com/common/oauth2/v2.0/token and I used the password as a client secret. Am not sure what I am did wrong. – Glaucescent 3/2, 2017 at 0:56

It seems to be more related with language and library, you can ask a new question with more detailed messages and your key code snippet. Thanks. – Oxytocin 3/2, 2017 at 1:44

I'll create a new question. Btw is the generated password the one i have to use in place of secret key ? – Glaucescent 3/2, 2017 at 3:31

Yes, although I am not familiar with Java, but here is a sample in adal4j's repo at github.com/AzureAD/azure-activedirectory-library-for-java/tree/…. – Oxytocin 3/2, 2017 at 5:12

May be first I can try retrieving the token w/o the library. POST login.microsoftonline.com/common/oauth2/v2.0/token what other parameters I need to use this ? only auth_code ? – Glaucescent 3/2, 2017 at 19:2

FYI: here is an auth code OAQABAAIAAADRNYRQ3dhRSrm-4K-adpCJAMyNuNyavRpTYznFxh2O7-09BgfxLwhxWBnosrUFsPSfkzp8xxRBwbhk8cZWPGAJRQsdoe87w_Aw024-kclN9z1eERgDB1nWQwEwIdmdpuCM_jQElGM9kgs8i9G-lO5582RiSNdODiFyjMvhZcF49MICBkJCp8tgUBXyMwDfgTFFjCl8LJw6o4YBWg6IG3oA1gG_zQCTh9CsPdxmZiRoYRzxWn6r3lifk033kSc9egZe0mAMvSlCPvMzNhzXb0UDNEIHWpjQPhDt1jfymW_Slkz4lhdSy-nzAmMa2h19NQKeiqCKK6uSKMvme0eJhyex1twPn8x4fIXgIL0G5tHqy3TKjQNRK-QiQd5R0HY6IPfis5Lr6Pc06uY3uYKl3eiDbr5kvJTNiltd6xck7Is4yGfeI-C1o_A8J8KLVu2L5MtAHtHgWw-D7NuozNeCm-9d45h7-pjCC4qCG_zOXPlhozoQi8GX_0w04I6CB4G3UNVnOVDSegUdglVoJR-ADfjPsfl1YLRTXcWpAZ6imx6rONu76ez – Glaucescent 3/2, 2017 at 19:17

xFQLxMCXLLiHdd8DWksQEPeQ04CafFumy4UBAxB09av2waTuop4bS0U0OqCmf1dt12aldP23U9CtzJqv2Xk5yVulMMepBSBsItQHZ7ujPTLORla195oL1ItftuyVi6huj75wBcIT9rK1vbDUgAA&session_state=b40c045e-e3ea-4f65-82e4-4e9d204d6be5 – Glaucescent 3/2, 2017 at 19:17

It was due to client_secret. It may contain special characters.

The encodeURIComponent() function encodes a URI component. This function encodes special characters. In addition, it encodes the following characters: , / ? : @ & = + $ #

Use the below one:

encodeURIComponent(client_secret);

Heatstroke answered 23/4, 2018 at 14:0 Comment(0)

In my case: in configs You have to use the client secret "Value", not ID. This Value is visible only when it is generated. So you can copy/paste it, in this moment.

See: https://learn.microsoft.com/en-us/answers/questions/370508/getting-34invalid-client-secret-is-provided34-erro.html

Proust answered 9/7, 2021 at 15:24 Comment(2)

People should look at this before anything else, this was my issue and it's so easy to copy the wrong field since everyone is used to copying whatever is on the far right of the screen during these setups. – Sneakers 23/8, 2021 at 20:0

Yes sure @Sneakers you are right. Effectively the MS gui is misleading. I also had to regenerate it. – Proust 25/8, 2021 at 12:8

I am using the npm package:

Microsoft Azure Active Directory Passport.js Plug-In

with the v1 tenant-specific endpoint.

I was initially receiving the same error message after successfully logging into Microsoft: "Invalid Client Secret".

I was using the "Application ID" as the Client Secret. Then I discovered that you need to go onto the "Settings" tab in the Microsoft Azure Portal

Microsoft Azure

and create a new "Key". It doesn't matter what you name the key. When you click the "Save" button, the value of the key will be filled in the web form. Copy this right away, since it will not be displayed again if the web page is refreshed.

This is the "Client Secret" that you need to add to your configuration.

Sarawak answered 2/2, 2017 at 23:48 Comment(0)

I hade the same problem today and with help of @muthu I sorted it out. When client secret is generated with app registration in azure. The secret is plain. But when to use it in the rest call you must urlencode it. Use an encoder like visual code or other. But it must be encoded else you ge the error

AADSTS7000215: Invalid client secret is provided.

Stamina answered 25/6, 2019 at 9:8 Comment(0)

You need to base 64 encode client_secret in the POST body.

For example (using curl):

# Authn details
LoginURL='https://login.microsoftonline.com'
TenantDomain='********.onmicrosoft.com'
ClientID='********'
ClientSecret='********'

# Endpoint details
Resource='https://graph.microsoft.com'
TenantGUID="********"

# Authenticate with OAuth v1
URL="$LoginURL/$TenantDomain/oauth2/token?api-version=1.0"
json=`
curl \
        -s \
        -k \
        -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -u "$ClientID:$ClientSecret" \
        -d "grant_type=client_credentials" \
        -d "resource=$Resource" \
        -d "client_id=$ClientID" \
        --data-urlencode "client_secret=$ClientSecret" \
        $URL \
| python -m json.tool
`

access_token=`echo $json | python -c 'import sys, json; print json.load(sys.stdin)["access_token"]'`
token_type=`echo $json | python -c 'import sys, json; print json.load(sys.stdin)["token_type"]'`
#echo "access_token:$access_token"
#echo "token_type:$token_type:"

# Access resource
URL="$Resource/v1.0/directoryRoles/$TenantGUID/members"
curl \
        -s \
        -k \
        -X GET \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Authorization: $token_type $access_token" \
        $URL \
| python -m json.tool

Ertha answered 22/11, 2019 at 7:3 Comment(1)

Hi Paul, welcome to StackOverlfow and thanks for trying to help. However, answers with an explanation instead of only code have several advantages: They are more helpful for people who actually want to understand. They help fighting the misconception that StackOverflow is a free code-writing service. They better reflect your competence. They help verifying that the proposed solution makes sence, in case that it otherwise is non-obvious. Most of them mean that you are more likely to receive upvotes instead of downvotes. Would you like to harvest these benefits? – Goal 22/11, 2019 at 7:47

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags