How do I mitigate "AADSTS7000215: Invalid client secret is provided" ?

Adarsh Kumar 1

Hi,
I'm trying to obtain token on:

I'm receive the error:

AADSTS7000215: Invalid client secret is provided

I am sure that client_secret is correct and not expired. Also, I encoded the client_secret to make sure special characters are properly passed.

I have used a new secret value as well but still getting the same error.

What can be the reason for such an error? And how do I resolve it ?

Request body:

POST /common/oauth2/v2.0/token
Host: login.microsoftonline.com

Content-Type: application/x-www-form-urlencoded

client_id=

6 answers

JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2022-09-09T23:01:03.257+00:00

@Adarsh Kumar
Thank you for your post!

When it comes to your error message - AADSTS7000215: Invalid client secret provided, can you make sure that you're passing the client_secret using a web app or web API, it shouldn't be used in a native app, because client_secrets can't be reliably stored on devices. For more info - Get access and refresh tokens.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please sign in to rate this answer.

1 person found this answer helpful.
Adarsh Kumar 1 Reputation point

2022-09-12T07:31:10.387+00:00

@JamesTran-MSFT , Thankyou for your response, we will reply with relevant details shortly. Also we will go through the link u gave us.

JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2022-09-14T17:23:32.873+00:00

@Adarsh Kumar
I just wanted to check in and see if you were able to resolve this issue or if you're still having issues with the Invalid client secret?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

JamesTran-MSFT 36,371 Reputation points Microsoft Employee

2022-09-16T18:43:52.123+00:00

@Adarsh Kumar
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you're still having issues can you share any documentation that you're following so I can gain a better understanding of your issue?

Thank you for your time and patience throughout this issue.
Sign in to comment
Javier Monleon Lopez 26 Reputation points

2022-11-21T08:12:58.097+00:00

Hello everyone!

We want to test a user/password authorization code flow with Cypress in our SPA.
The thing is the approach I found is using grant_type: password and therefore (I guess) sending the client_secret to https://login.microsoft.com/<TENANT_ID>/oauth2/v2.0/token

Our client_secret is correct but I am still receiving AADSTS7000215: Invalid client secret provided.

I understand you point @JamesTran-MSFT but how should I proceed then in such a specific scenario?

Here you can find an example:
is-there-a-way-to-programatically-login-to-using-azuread-with-cypress-on-pkce-fl
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Hussain Al-saady | S6 10 Reputation points

2023-06-22T09:31:45.3433333+00:00

Previous answer said:

Sam Cogan: The only time this error occurs is if the secret is wrong or expired. Do not encode the secret, it needs to be provided as is.

And I also found another reason: If you have a "+" (plus sign) inside your client secret. If you see that then just regenerate until you get a secret that doesn't have the plus sign.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Sam Cogan 10,157 Reputation points MVP

2022-09-09T14:15:04.513+00:00

The only time this error occurs is if the secret is wrong or expired. Do not encode the secret, it needs to be provided as is.
Please sign in to rate this answer.
Adarsh Kumar 1 Reputation point

2022-09-12T07:32:38.243+00:00

It was giving error on newly generated keys as well , and we tired the encoded key only once.

Hussain Al-saady | S6 10 Reputation points

2023-06-22T09:31:08.77+00:00

You may have a "+" (plus sign) inside your secret, if so then you need to regenerate.

Aaron Newton 5 Reputation points

2023-09-22T11:55:17.84+00:00

I'm reviving this issue because something unusual seems to be happening here. Take a look at the output below. I've been encountering difficulties where I create a new service principal, rotate its credentials to obtain the password, and then attempt to log in immediately. It consistently fails, so I decided to add some debugging code similar to the following.

export TF_SP_CREDENTIALS="$(az ad sp credential reset --id ${TF_SP_ID})" export TF_SP_PASSWORD="$(echo $TF_SP_CREDENTIALS | jq -r '.password')" #### DEBUG! ### echo "Debug TF_SP_CREDENTIALS: ${TF_SP_CREDENTIALS}, TF_SP_PASSWORD: ${TF_SP_PASSWORD}, AZ_TENANT_ID: ${AZ_TENANT_ID}" export LOGIN_CMD="az login --service-principal -u '${TF_SP_APPLICATION_ID}' -p '${TF_SP_PASSWORD}' --tenant '${AZ_TENANT_ID}'" echo "LOGIN_CMD: ${LOGIN_CMD}" az logout eval ${LOGIN_CMD}

Following that, I proceeded to execute the command that was out. I invoked it three times using the 'history' command, i.e. I hit the up arrow to restore the last command and hit [Enter], and something quite perplexing occurred. It failed during the first attempt, then again during the second. However, almost miraculously, and without any additional actions on my part, it inexplicably succeeded on the third attempt.

It appears that these requests lack idempotence or could be experiencing eventual consistency issues, among other possibilities. I even attempted to introduce a ten-second delay between credential rotation and the login command, but that didn't yield any improvement. Any insights or assistance in understanding this behavior would be greatly appreciated. If the issue persists, I might need to implement a retry loop to mitigate it.

EDIT 1: a retry loop did in fact solve the problem. I have set -e at the start of the script, so providing an || sleep '3s' after the failing command ensured a successful outcome.

for i in {1..10}; do eval ${LOGIN_CMD} && break || echo "Failed attempt ${i}..." && sleep '3s'; done

There's probably some reasonable explanation for this, but as it stands, it's a fairly significant headache. I can see that the evaluated login command consistently fails on the first attempt every time, and then usually succeeds on the second or third attempt.
Sign in to comment
Chalermdej Lematavekul 0 Reputation points

2024-03-27T04:46:46.0566667+00:00

For anyone having this issue.

Please try to pass the Screct Value, not the Screct ID this should be visible when you create the secret. This solves the issue for me
Please sign in to rate this answer.

0 comments No comments
Sign in to comment