AADSTS50012: Invalid client secret is provided when moving from a Test App to Production

S

8

24

I have two applications registered under the Azure Portal: a test version and a production version. My test App works fine with the Client Id and ClientSecret/AppKey that I got from the test app's detail from Azure Portal. However when I move to the production one as I replace the ClientId and Secret values with the one specified by the production App I registered, I suddenly get an error:

AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided

But I'm fairly sure that my client secret is correct as I just copied and pasted from the Portal. Is there any solutions to this?

Shurlock answered 27/2, 2017 at 3:15 Comment(0)

H

14

Have you tried simply regenerating the secret?

The error here is pretty straightforward and I do not think it is a fault with AAD.

Let me know if this works out for you!

Hyponasty answered 27/2, 2017 at 20:14 Comment(2)

My problem was that my key from the Azure portal had expired. Generating a new one with a new expiration date fixed it. – Sharanshard 18/7, 2017 at 20:57

Not sure if this was implied here already, but I fixed this error by making a new secret key in Azure Active Directory for my client - not a key in Azure Key Vault, which threw me off. Azure Portal > Active Directory > App Registrations > (your app) > Settings > Keys. My key here was expired. – Iphigeniah 21/11, 2018 at 1:6

E

37

Encode your secret ( e.g. replace + by %2B , = by %3D etc)

Earthshine answered 21/11, 2017 at 7:16 Comment(5)

Thank you! My web app stopped working, even though the secret would be still valid for years. An extra urlencode() did the job for the PHP library being used (github.com/jumbojett/OpenID-Connect-PHP). – Retina 3/3, 2018 at 1:5

What about the space before and after + and =? Do we have to use %? – Avunculate 12/7, 2018 at 13:26

I just ran into this problem: It's perhaps worth emphasizing that the client_secret needs to be urlencoded/%- even if it's been sent as part of an HTTP Basic auth header where the whole thing will be base64-encoded anyway. – Assert 25/1, 2019 at 17:20

Yup looks like this is a URL encoding issue. I kept regenerating my client secret until I got one with mostly basic upper and lower case characters. It would be nice to know the exact encoding Microsoft is looking for. – Yeorgi 20/4, 2019 at 20:29

This saved the day! We were stuck in AzureDataFactory and replace helped. – Applicator 6/10, 2022 at 6:52

H

14

Have you tried simply regenerating the secret?

The error here is pretty straightforward and I do not think it is a fault with AAD.

Let me know if this works out for you!

Hyponasty answered 27/2, 2017 at 20:14 Comment(2)

My problem was that my key from the Azure portal had expired. Generating a new one with a new expiration date fixed it. – Sharanshard 18/7, 2017 at 20:57

Not sure if this was implied here already, but I fixed this error by making a new secret key in Azure Active Directory for my client - not a key in Azure Key Vault, which threw me off. Azure Portal > Active Directory > App Registrations > (your app) > Settings > Keys. My key here was expired. – Iphigeniah 21/11, 2018 at 1:6

S

11

This may sound stupid but as it happened to me, it could happen to someone else (as clueless as me): The code you need to use is not the one that says "Secret ID" but the one that says "value".

Shippy answered 1/9, 2022 at 18:36 Comment(2)

Yeap that's my case, i am stupid :D – Pictor 26/12, 2022 at 8:15

Thank you for this answer. Didn't happen to me but when another company sent us the app registration information I told my coworkers it was wrong and no one believed me (No one had tried using it yet and these were mostly non-tech people). This helped me prove to them it was the wrong value. It shouldn't look like a GUID!! =] – Sumerlin 18/7, 2023 at 12:49

D

3

The problem is the Expire time of the secret. With 6,12,18 months there is no problem, I am using azure-cli 2.26.0 With 24 months you get the error:

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: fef57aee-deeb-47fa-ae05-ba8427cd4300\r\nCorrelation ID: ba3cc2d5-1594-4af3-be2b-3b35e8d40e06\r\nTimestamp: 2021-10-23 18:18:27Z","error_codes":[7000215],"timestamp":"2021-10-23 18:18:27Z","trace_id":"fef57aee-deeb-47fa-ae05-ba8427cd4300","correlation_id":"ba3cc2d5-1594-4af3-be2b-3b35e8d40e06","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

Ditchwater answered 23/10, 2021 at 18:22 Comment(0)

E

1

In my case I had 2 keys. I created a third one, that didn't work. Finally I removed all keys and created a new one, but, just one. Then it worked.

Eternity answered 30/10, 2018 at 17:3 Comment(2)

this is the only thing (out of other answers) that worked in 2022, thanks – Feverfew 7/7, 2022 at 0:0

Same here. This is a Microsoft bug – Tight 30/3, 2023 at 15:8

R

1

Maybe this will help some lost souls.

I had my secret setup in secrets.json at the beginning of the project, which I forgot. After the secret expired, I tried updating updated the appsettings.json to no avail, until I remembered and changed it in secrets.json. This was a test project run only locally. You could also have it in the env variables which also takes precedence over appsettings.

Rastus answered 26/8, 2022 at 11:47 Comment(1)

Thanks, I've been banging my head against this issue all weekend and this was the solution. – Biochemistry 13/3, 2023 at 10:35

P

0

I experienced this issue when working on deploying a docker image to a virtual machine on Azure using Azure DevOps.

My initial Azure DevOps pipeline script was:

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'

Here's how I fixed it:

Adding the command az acr login --name $(containerRegistry) to the az vm run-command did the trick`

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "az acr login --name $(containerRegistry) && docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'

Pinon answered 25/5, 2023 at 20:11 Comment(0)

D

-1

Please check you tenant Id and audience id from your config. You may still have a reference to the test environment.

Determinate answered 27/2, 2017 at 6:10 Comment(2)

The tenant Id is the same as I'm using the same directory. And I don't have an audience Id so I don't think that would be the problem either – Shurlock 27/2, 2017 at 9:48

If you can post your code or some screenshots, then it would be clearer to see what happened. – Determinate 27/2, 2017 at 9:51

Recommended topics

Hot tags