When I try to redeem an access code obtained as described here I keep getting an AADSTS70008 immediately.
The url I use to obtain the access code is shown below:
https://login.microsoftonline.com/<my-tenant-id>/oauth2/v2.0/authorize?client_id=<client-id-of-api-that-needs-to-call-other-api>&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=api://<client-id-of-api-that-will-be-called-by-first-api>/user_impersonation offline_access
What am I missing here? I tried logging out and in the Azure portal, acquiring the access code via an incognito window, clearing browser cache, but all to no avail.
Funnily enough I managed to get a Bearer token once, but since I got a 401 when using it to authenticate with my sample api I tried to generate a new one which led to the problem described above.
asked Mar 18 at 20:15 by Andrea Scarcella, edited Mar 19 at 9:58 by Tiny Wang
- Could you please include your complete error message and confirm whether your authorization code is expired or not? – Sridevi Commented Mar 19 at 6:05
- You are calling a secured asp core api according to the document. May I know whether the error comes from generating auth code or generating access token? Based on my test, it shall come from generating access token. – Tiny Wang Commented Mar 19 at 8:41
- 1 hi @TinyWang thank you for your answer and comments, I will process them, test your suggestion and get back to you asap. – Andrea Scarcella Commented Mar 20 at 23:54
1 Answer
This is what I get from online about AADSTS70008:
"AADSTS70008: The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource."
It indicates that the auth code you used is expired. At first, I thought you had trouble getting the auth code, but I also tried your URL and I can get the auth code successfully. Therefore, I'm afraid you are trapped at obtaining the access token instead of the auth code. Please note, an auth code can only be used one time. When an access token is generated, that means the auth code is expired. However, what I get is an AADSTS54005 error if I try to generate a second access token with the same auth code.
It was only around 10 mins later that I reproduced your error.
So it indicates an expired auth code. What you need to do is generate a new auth code. You don't need to sign out and sign in again. Just visit the login URL again in the same browser. Since you are already signed in, it will redirect to the Microsoft identity platform and redirect back to http://localhost. Then use the new auth code to generate the access token.
My test result. Tip: I failed to execute it with ' and I used ^ to split the rows.
curl -X POST https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token ^
-d "client_id=client_id" ^
-d "scope=api://client_id/Tiny.Read" ^
-d "code=1.AWQAjJp.....aIV1o" ^
-d "redirect_uri=http://localhost/myapp/" ^
-d "grant_type=authorization_code" ^
-d "client_secret=client_secret"
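
Added example, not part of the answer above and not Microsoft sample code: a small client-side helper that pulls the one-time code out of the redirect, builds the same token request body as the curl call, and maps the two errors discussed here (AADSTS70008 and AADSTS54005) to "request a fresh authorization code". The function names and sample values are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Error codes discussed on this page: in both cases the code cannot be redeemed.
NEEDS_NEW_CODE = {70008: "authorization code expired",
                  54005: "authorization code already redeemed"}

# Constructed sample inputs (not real codes, tenants or trace data).
SAMPLE_REDIRECT = "http://localhost/?code=CONSTRUCTED_CODE&session_state=constructed"
SAMPLE_EXPIRED = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70008: The provided authorization code or "
                         "refresh token has expired due to inactivity.",
    "error_codes": [70008],
})

def code_from_redirect(redirect_url):
    """Pull the one-time authorization code out of the redirect back to the app."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorize request failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]

def token_request_body(code, client_id, client_secret, redirect_uri, scope):
    """Form body for the v2.0 token endpoint, same fields as the curl call above."""
    return urlencode({
        "client_id": client_id, "scope": scope, "code": code,
        "redirect_uri": redirect_uri,  # must match the value sent to /authorize
        "grant_type": "authorization_code", "client_secret": client_secret,
    })

def classify_token_response(body):
    """Return (action, detail): 'ok', 'reauthorize' (get a fresh code) or 'fail'."""
    data = json.loads(body)
    if "access_token" in data:
        return "ok", "token issued"
    codes = list(data.get("error_codes", []))
    # Fall back to the AADSTS number embedded in the description text.
    codes += [int(n) for n in re.findall(r"AADSTS(\d+)", data.get("error_description", ""))]
    for c in codes:
        if c in NEEDS_NEW_CODE:
            return "reauthorize", "AADSTS%d: %s" % (c, NEEDS_NEW_CODE[c])
    return "fail", data.get("error", "unknown_error")

if __name__ == "__main__":
    print(code_from_redirect(SAMPLE_REDIRECT))
    print(classify_token_response(SAMPLE_EXPIRED))
```

Redeem the code as soon as the redirect arrives and keep the code and client secret out of logs and shell history.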