Error while deploying ARM template to Azure - azure

I get the following error when using the az CLI to deploy an ARM template to Azure:
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-06-18T10:02:34.3290000Z' and the TokensValidFrom date for this user is '2018-08-27T08:45:47.0000000Z'
Trace ID: *********-****-****-****-************
Correlation ID: ********-****-****-****-************
Timestamp: 2018-08-29 08:31:34Z","error_codes":[50173],"timestamp":"2018-08-29 08:31:34Z","trace_id":"********-****-****-****-************","correlation_id":"********-****-****-****-************"}

Looks like your login (token) has expired. Try to log in again using:
az login

Related

Postman with OAuth2.0 to a registered app in Azure Active Directory fails with Invalid Resource

I am following the tutorial here: https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/get-started-webhooks
I am having trouble finishing step 5. Postman always gives me this error and I am not sure why.
Troubleshooting details
If you contact your administrator, send this info to them.
Request Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Correlation Id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Timestamp: 2022-11-18T09:34:11Z
Message: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(Postman App). Resource value from request: https://<mysite>.sharepoint.com. Resource app ID: 00000003-0000-0ff1-ce00-000000000000. List of valid resources from app registration: fe7b6ec1-3281-4dd6-8864-dff33cd1021e, 00000003-0000-0000-c000-000000000000.
00000003-0000-0000-c000-000000000000 is Graph.
fe7b6ec1-3281-4dd6-8864-dff33cd1021e is SharePoint Online Client Extensibility Web Application Principal Helper.
In the error it says the app ID (00000003-0000-0ff1-ce00-000000000000) that I am trying to use and then lists the valid resources from my app. I can add another resource to the app and it will be listed there in the error message, but I do not know how to add my specific resource to the list. Does anyone know how I can do that, or whether that is even what I need to be doing?
I tried to reproduce the same in my environment and got the results successfully like below:
I created a multi-tenant Azure AD application and consented to the API permissions below:
To generate the access token, I used below parameters:
Grant Type : Authorization Code
Callback URL : redirect_uri
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://TENANT.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID : CLIENTID
Client Secret : ClientSecret
Access token successfully generated like below:
To get the Documents list ID, click Use Token and execute the query below:
GET https://XXXX.sharepoint.com/_api/web/lists/getbytitle('Documents')?$select=Title,Id

Azure to Auth0 connection - Invalid client secret is provided

I'm using Azure AD as my Identity Provider (IdP) and trying to connect Auth0 to it as a client. I've followed all the steps mentioned in
https://auth0.com/docs/connections/enterprise/azure-active-directory/v2
Redirection from Auth0 to Azure AD is working as expected. Login on the Azure AD side also shows success in its log; however, I'm getting an error on the Auth0 side which says,
"Invalid client secret is provided"
I've double-checked the client secret. I freshly generated it to eliminate the possibility of expiry, but I'm still getting this error.
Below is the error message payload.
"error": {
"message": "failed to obtain access token",
"oauthError": "invalid_request",
"type": "request-error",
"payload": "{
"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.
Trace ID: 52ea6301-3da2-46c7-b355-865dfff34c01
Correlation ID: 69415f95-1430-45eb-b653-3c76f934ccc0
Timestamp: 2021-11-29 05:11:57Z",
"error_codes":[7000215],
"timestamp":"2021-11-29 05:11:57Z",
"trace_id":"52ea6301-3da2-46c7-b355-865dfff34c01",
"correlation_id":"69415f95-1430-45eb-b653-3c76f934ccc0",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"}"
},
Make sure you have copied the client secret value and not the client secret ID.
When I gave the wrong value for the client secret, I got the same error as you.
I would suggest you try with the following parameters, as I have set for authorization type OAuth 2.0.
URL : https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
With the correct value of the client secret, I get the access token.
Also, check that the Azure AD Client secret is not expired. Otherwise, generate a new one, then update it in the enterprise connection configured with Auth0.

usage details api using azure app registration in azure AD

In basic terms, I am trying to get an access token to get Azure Cost Centre Data through the Usage Details API. The problem is that I can't seem to configure my service principal with azure properly. I have:
Created the registered app in Azure Active Directory
added https://www.thunderclient.io/oauth/callback in the redirect URL
generated a client secret
Included the following information in my Generate New Token in Thunder Client:
Request URL:
GET: https://management.azure.com/subscriptions/{subscription-id}/resourceGroupName/{resourceGroupName}/providers/Microsoft.CostManagement/dimensions?api-version=2019-11-01
Grant Type: Authorization Code
Auth Url: https://login.mmicrosoftonline.com/common/oauthorize
Token Url: https://login.microsoft.com/{tenant-id}/oauth2/v2.0/authorize from app registration
callback Url: https://thunderclient.io/oauth/callback
client ID: {{client_id}} from app registration
client secret: {{client_secret}} from app registration
scope: user_impersonation
{
Status 401 Unauthorized
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
Header:
Bearer authorization_uri "https://login.windows.net/{tenant_id}, error= "invalid_token", error description="Could not find identity for access token"
Answering my own question, with big thanks to Gaurav Mantri in the comments below.
The Scope should be set to https://management.azure.com/.default
The Grant Type is client credentials and not authorization code
The service principal needs to be added to the resource in azure that is part of the request (i.e. if looking for subscription data, then add the service principal as a reader role to the subscription).
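The three corrections above, as an added example (not the poster's Thunder Client configuration): the client-credentials request built the way the self-answer describes, plus a claim check on whatever token comes back. Assumptions: TENANT_ID, CLIENT_ID and the secret are placeholders, the sample tokens are constructed and unsigned, and inspect_token() deliberately skips signature verification, so it is a debugging aid for the 401, not a validator.

```python
"""Client-credentials token request for Azure Resource Manager and a claim check
on the result. Added example; tenant/client IDs are placeholders and the demo
tokens are constructed, unsigned JWTs.
"""
import base64
import json
import time

ARM_SCOPE = "https://management.azure.com/.default"  # .default = every app permission granted on that resource
ARM_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}

TENANT_ID = "00000000-0000-0000-0000-00000000c0de"   # placeholder
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder app registration


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str,
                               scope: str = ARM_SCOPE) -> tuple:
    """Build the v2.0 token request. Three things the question got wrong are fixed
    here: the endpoint is /oauth2/v2.0/token (not /authorize), the grant is
    client_credentials (no user, no redirect URL), and the scope is the
    resource's .default rather than a bare permission name."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return url, form  # POST as application/x-www-form-urlencoded


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_token(jwt: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def arm_token_problems(jwt: str, client_id: str, now=None) -> list:
    """Return the reasons ARM would answer 'Could not find identity for access token'
    that are visible in the token itself (empty list = none found). The remaining
    cause, a missing role assignment for the service principal, is not in the
    token and has to be checked in RBAC."""
    claims = inspect_token(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud", "").rstrip("/") not in ARM_AUDIENCES:
        problems.append(f"aud is {claims.get('aud')!r}; token was minted for another resource")
    if claims.get("appid") != client_id:
        problems.append("appid does not match this app registration")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def _unsigned_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED demo token. Real Entra ID tokens are RS256-signed;
    this only exercises the claim checks above."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed samples: one aimed at ARM, one minted for the app itself instead of ARM.
GOOD_TOKEN = _unsigned_jwt({"aud": "https://management.azure.com/", "appid": CLIENT_ID,
                            "tid": TENANT_ID, "exp": 4102444800})
WRONG_AUDIENCE_TOKEN = _unsigned_jwt({"aud": CLIENT_ID, "appid": CLIENT_ID,
                                      "tid": TENANT_ID, "exp": 4102444800})

if __name__ == "__main__":
    url, form = client_credentials_request(TENANT_ID, CLIENT_ID, "<client-secret>")
    print(url, form["scope"])
    print("good token:", arm_token_problems(GOOD_TOKEN, CLIENT_ID))
    print("wrong audience:", arm_token_problems(WRONG_AUDIENCE_TOKEN, CLIENT_ID))
```

The third step of the answer (a role assignment for the service principal) cannot be checked from the token; the CLI equivalent is `az role assignment create --assignee <client-id> --role Reader --scope /subscriptions/<subscription-id>`, after which a fresh token is needed.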

Failed to get access token by using service principal while connecting to an ADLS location from ADF pipeline

I am trying to deploy an ARM template for ADF using Azure DevOps CI/CD
The deployment was successful but while trying to test the linked services, I am not able to connect successfully.
The linked service connects to the ADLS location under the same subscription; the authentication method is service principal, with the secret fetched from Key Vault by secret name.
key vault is also under the same subscription and resource group.
While trying to connect the LS to the ADLS location, I get the error below.
Failed to get access token by using service principal. Error: invalid_client, Error Message: AADSTS7000215: Invalid client secret is provided.
Trace ID: 67d0e882-****-****-****-***6a0001
Correlation ID: 39051de7-****-****-****-****6402db04
Timestamp: 2020-11-** **:**:**Z Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error .
AADSTS7000215: Invalid client secret is provided.
The linked services that connect to clusters, whose connection secrets are stored in the same key vault, are working fine.
I am confused that some secrets (for the cluster connection) in the same key vault work and a few (for the ADLS connection) do not.
I checked the application with the same principal ID in Azure Active Directory, and the secret is valid until 2022.
Any Idea about the root cause of the error and how to resolve the issue?
I have encountered a similar problem before: you need to make sure that the client secret belongs to the application you are using. You can also try to create a new client secret; it should work for you.
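The error bodies quoted in the posts above (AADSTS50173 from the az CLI, AADSTS650057 from the Postman sign-in, AADSTS7000215 from Auth0 and ADF) all carry the diagnosis in their text. This added example, not code from any of the posts, pulls the JSON body out of the CLI/ADF error string, maps the AADSTS code to the fix the answers give, and adds the two checks a practitioner runs before opening a ticket: confirming that a 50173 grant really predates TokensValidFrom, and spotting a secret ID pasted where the secret value belongs. The sample inputs are copied from the posts, with trace and correlation IDs masked exactly as the posts show them.

```python
"""Triage helpers for Entra ID (Azure AD) token-endpoint errors. Added example;
samples below are copied from the posts on this page.
"""
import json
import re
from datetime import datetime, timezone

# Remediation per AADSTS code, as given in the answers above.
REMEDIATION = {
    50173: "Refresh grant revoked (password change/reset): sign in again, e.g. `az login`.",
    650057: "Resource is not in the app registration's API permissions: add it there and consent.",
    7000215: "Secret rejected: use the secret VALUE (not the secret ID) from the same app "
             "registration, and check it has not expired.",
}

_JSON_BODY = re.compile(r"\{.*\}", re.DOTALL)
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_token_error(raw: str) -> dict:
    """Extract the JSON error body from an error string and normalise it.
    strict=False makes json accept the literal newlines the az CLI leaves inside
    error_description. Raises ValueError when there is no JSON body."""
    m = _JSON_BODY.search(raw)
    if not m:
        raise ValueError("no JSON error body found in input")
    body = json.loads(m.group(0), strict=False)
    desc = body.get("error_description", "")
    codes = body.get("error_codes") or []
    tagged = re.search(r"AADSTS(\d+)", desc)
    code = codes[0] if codes else (int(tagged.group(1)) if tagged else None)
    return {
        "error": body.get("error"),
        "code": code,
        "message": re.split(r"\r?\n", desc)[0].strip(),  # drop the Trace/Correlation ID lines
        "trace_id": body.get("trace_id"),
        "correlation_id": body.get("correlation_id"),
        "remediation": REMEDIATION.get(code, "code not covered here; check the AADSTS reference"),
    }


def _utc(ts: str) -> datetime:
    # The endpoint prints seven fractional digits, which strptime rejects; drop them.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def grant_revocation_window(message: str) -> dict:
    """AADSTS50173: confirm the cached grant predates TokensValidFrom, the moment a
    password reset or admin revocation invalidated every earlier token."""
    issued = re.search(r"grant was issued on '([^']+)'", message)
    valid_from = re.search(r"TokensValidFrom date for this user is '([^']+)'", message)
    if not (issued and valid_from):
        raise ValueError("message does not carry the 50173 timestamps")
    issued_at, tokens_valid_from = _utc(issued.group(1)), _utc(valid_from.group(1))
    return {"issued_at": issued_at, "tokens_valid_from": tokens_valid_from,
            "revoked": issued_at < tokens_valid_from,
            "days_stale": (tokens_valid_from - issued_at).days}


def parse_invalid_resource(message: str) -> dict:
    """AADSTS650057: the message names the resource app ID that was requested and
    the resource app IDs the registration actually permits."""
    requested = re.search(r"Resource app ID: ([0-9a-f-]{36})", message)
    permitted = re.search(r"List of valid resources from app registration: ([0-9a-f, -]+)", message)
    if not (requested and permitted):
        raise ValueError("message does not carry the 650057 resource IDs")
    allowed = [g.strip() for g in permitted.group(1).split(",")]
    return {"requested": requested.group(1), "permitted": allowed,
            "missing": requested.group(1) not in allowed}


def secret_looks_like_id(secret: str) -> bool:
    """The portal shows a secret ID (a GUID) next to the secret value; only the value
    authenticates. A GUID-shaped 'secret' is the ID, a common cause of AADSTS7000215."""
    return bool(_GUID.match(secret.strip()))


# --- Samples copied from the posts above ---------------------------------------
SAMPLE_CLI_50173 = """Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-06-18T10:02:34.3290000Z' and the TokensValidFrom date for this user is '2018-08-27T08:45:47.0000000Z'
Trace ID: *********-****-****-****-************
Correlation ID: ********-****-****-****-************
Timestamp: 2018-08-29 08:31:34Z","error_codes":[50173],"timestamp":"2018-08-29 08:31:34Z","trace_id":"********-****-****-****-************","correlation_id":"********-****-****-****-************"}"""

SAMPLE_ADF_7000215 = r"""Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error ."""

SAMPLE_650057_MESSAGE = (
    "AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed "
    "in the requested permissions in the client's application registration. Client app ID: "
    "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(Postman App). Resource value from request: https://<mysite>.sharepoint.com. "
    "Resource app ID: 00000003-0000-0ff1-ce00-000000000000. List of valid resources from app registration: "
    "fe7b6ec1-3281-4dd6-8864-dff33cd1021e, 00000003-0000-0000-c000-000000000000.")

if __name__ == "__main__":
    for sample in (SAMPLE_CLI_50173, SAMPLE_ADF_7000215):
        print(json.dumps(parse_token_error(sample), indent=2))
    print(grant_revocation_window(parse_token_error(SAMPLE_CLI_50173)["message"]))
    print(parse_invalid_resource(SAMPLE_650057_MESSAGE))
```

For the 650057 case the two lists in the output are what to compare against the registration's API permissions: the requested resource app ID must appear in the permitted list, and the answer above gets it there by adding that API's permission and consenting to it.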

Azure active directory - Get access token using Azure CLI

My objective is to get an access token for a user for a resource (an AD app present in the tenant).
I have been able to get access token for a service principal by using
az login --service-principal -u -p --tenant --allow-no-subscriptions
az account get-access-token --resource
Now, when I try to achieve the same for a user by switching from service-principal login to user login (az login):
az login
az account get-access-token --resource
This however gives an error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 19fdf309-f9ef-423b-8c18-7cd9269b0700\r\nr\nTimestamp: 2019-11-21 09:03:25Z","error_codes":[65001],"timestamp":"2019-11-21 09:03:25Z","trace_id":"19fdf309-f9ef-423b-8c18-7cd9269b0700","correlation_id":"2aafc4e4-0c1b-42b3-ba59-afe09bbe9fb5","suberror":"consent_required"}
Can someone help me understand why this is the case?
Thanks in advance!
You are trying to get a token for <APP ID Uri> using Azure CLI, whose client ID is 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
Go to the resource(App in AD)->Expose an API->Add client application with 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and check scope.
Then get the access token again.
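The "Expose an API, then add a client application" step from the answer above, as an added example (not the answerer's own steps) that does the same change as an edit to the application object so it can be scripted. Input is the application object as Microsoft Graph returns it from /applications/{objectId}; the sample below is constructed, and its object ID and scope ID are placeholders. The Azure CLI client ID is the one the answer quotes.

```python
"""Pre-authorize a client application (here: Azure CLI) on a resource app's
exposed scope, as a manifest edit. Added example; the sample app is constructed.
"""
import copy

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def preauthorize_client(app: dict, client_app_id: str, scope_values: list) -> dict:
    """Return a copy of `app` with `client_app_id` pre-authorized for the scopes
    named in `scope_values` (e.g. ["user_impersonation"]). Pre-authorized clients
    get tokens for those scopes without a consent prompt, which is what
    `az account get-access-token --resource <App ID URI>` needs to stop failing
    with AADSTS65001. Idempotent; raises if a scope is not exposed or is disabled."""
    app = copy.deepcopy(app)
    api = app.setdefault("api", {})
    by_value = {s["value"]: s for s in api.get("oauth2PermissionScopes", [])}
    wanted = set()
    for value in scope_values:
        scope = by_value.get(value)
        if scope is None or not scope.get("isEnabled", False):
            raise ValueError(f"scope {value!r} is not exposed (or is disabled) on this app")
        wanted.add(scope["id"])
    entries = api.setdefault("preAuthorizedApplications", [])
    for entry in entries:
        if entry["appId"] == client_app_id:
            entry["delegatedPermissionIds"] = sorted(set(entry["delegatedPermissionIds"]) | wanted)
            break
    else:
        entries.append({"appId": client_app_id, "delegatedPermissionIds": sorted(wanted)})
    return app


def graph_patch_body(app: dict) -> dict:
    """Minimal PATCH body for /applications/{objectId}: only the list that changed.
    Graph replaces the whole preAuthorizedApplications array on PATCH, so always
    send the merged list, never just the new entry."""
    return {"api": {"preAuthorizedApplications": app["api"]["preAuthorizedApplications"]}}


# Constructed sample: the resource app from the question ('abc' in the error text).
SAMPLE_APP = {
    "id": "99999999-9999-9999-9999-999999999999",  # object ID, placeholder
    "appId": "abc",
    "identifierUris": ["api://abc"],
    "api": {
        "oauth2PermissionScopes": [
            {"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "value": "user_impersonation",
             "type": "User", "isEnabled": True},
        ],
        "preAuthorizedApplications": [],
    },
}

if __name__ == "__main__":
    import json
    updated = preauthorize_client(SAMPLE_APP, AZURE_CLI_APP_ID, ["user_impersonation"])
    print(json.dumps(graph_patch_body(updated), indent=2))
```

Apply the printed body with `az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<objectId> --body '<json>'` as an owner of the app registration (or with Application.ReadWrite.All), then run `az account get-access-token --resource <App ID URI>` again as the user. Pre-authorizing only the scopes you list keeps the grant to least privilege; do not pre-authorize scopes the CLI does not need.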
