I am attempting to do the OAuth flow to get an access token and refresh token for my webapp. This app will read from all the users in an organization's calendars and do some syncing with our app.
I have configured a redirect URI on the Azure AD side, for example (details obscured):
https://dev.myapp.com/user/hub/finish
Then in the Azure AD I set all required permission scopes:
- Calendars.Read
- Organization.Read.All
- User.Read.All
I have also created a client secret. To get the initial code I send a request to the following url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&redirect_url=https%3A%2F%2Fdev.myapp.com%2Fuser%2Fhub%2Ffinish&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all%20https%3A%2F%2Fgraph.microsoft.com%2Forganization.read.all&client_id=my-client-id
This redirects to my site with a code in the URL (after the auth). Then I attempt to exchange that code for an access token with a URL-encoded form post to the endpoint below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=my-client-id&client_secret=my-client-secret&code=Mca534c99-fe82-1693-93f9-28b942e79e8b&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fdev.myapp.com%2Fuser%2Fhub%2Ffinish&scope=offline_access+https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read+https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all+https%3A%2F%2Fgraph.microsoft.com%2Forganization.read.all
As a response I get the following back:
Error:"invalid_grant", ErrorDescription:"AADSTS70000: The provided value for the 'redirect_uri' is not valid. The value must exactly match the redirect URI used to obtain the authorization code.\r\nTrace ID: 81a3cbc6-f642-4b17-bc42-1a5b558c0b01\r\nCorrelation ID: 7eabdc07-e23b-4fe7-840d-26f9a0d4e9f8\r\nTimestamp: 2020-01-28 17:32:30Z", ErrorCodes:[]int{70000}, Timestamp:model.Date{Time:time.Time{wall:0x0, ext:63715829550, loc:(*time.Location)(nil)}}, TraceId:"81a3cbc6-f642-4b17-bc42-1a5b558c0b01", CorrelationId:"7eabdc07-e23b-4fe7-840d-26f9a0d4e9f8
It isn't quite making sense to me why it is telling me the redirect_uri doesn't match when it is the same in both flows.
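Below is an added example (not code from the question or from Microsoft) of the two legs of the authorization code flow against the Microsoft identity platform v2.0 endpoints, written in Go since the error dump above is a Go struct. AADSTS70000 is raised when the token request's redirect_uri is not byte-for-byte the value the authorization request carried under the parameter named redirect_uri, so the helper builds both requests from one Config value and one url.Values encoder, adds a random state value for CSRF protection on the callback, and includes a local pre-flight check that flags a missing, renamed or differing redirect_uri before anything is sent. The client ID, secret and code are constructed placeholders; nothing here performs a network call.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Config holds what an app registration needs for the authorization code flow.
// Values filled in main() are constructed placeholders, not real credentials.
type Config struct {
	Tenant       string   // "common", "organizations", or a tenant ID
	ClientID     string   // application (client) ID
	ClientSecret string   // client secret; keep server-side only
	RedirectURI  string   // must be registered verbatim in Azure AD
	Scopes       []string // offline_access plus the Graph scopes requested
}

const authority = "https://login.microsoftonline.com/"

// NewState returns a random, URL-safe state value. The app stores it in the
// user's session and rejects any callback whose state does not match it.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the first leg. url.Values handles percent-encoding, and
// the parameter is spelled redirect_uri, the name the v2.0 endpoint reads.
func AuthorizeURL(c Config, state string) string {
	q := url.Values{}
	q.Set("client_id", c.ClientID)
	q.Set("response_type", "code")
	q.Set("response_mode", "query")
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("scope", strings.Join(c.Scopes, " "))
	q.Set("state", state)
	return authority + c.Tenant + "/oauth2/v2.0/authorize?" + q.Encode()
}

// TokenForm builds the second leg's form body from the same Config, so the
// redirect_uri the token endpoint compares cannot drift from the first leg.
func TokenForm(c Config, code string) url.Values {
	form := url.Values{}
	form.Set("client_id", c.ClientID)
	form.Set("client_secret", c.ClientSecret)
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", c.RedirectURI)
	form.Set("scope", strings.Join(c.Scopes, " "))
	return form
}

// TokenRequest wraps TokenForm in an *http.Request ready for http.Client.Do.
func TokenRequest(c Config, code string) (*http.Request, error) {
	body := strings.NewReader(TokenForm(c, code).Encode())
	req, err := http.NewRequest(http.MethodPost, authority+c.Tenant+"/oauth2/v2.0/token", body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// RedirectURIsMatch mirrors locally what AADSTS70000 enforces server-side:
// both legs must carry a parameter named exactly redirect_uri with an
// identical value. A renamed, missing or differing parameter yields false.
func RedirectURIsMatch(authorizeURL, tokenBody string) (bool, error) {
	u, err := url.Parse(authorizeURL)
	if err != nil {
		return false, err
	}
	form, err := url.ParseQuery(tokenBody)
	if err != nil {
		return false, err
	}
	a, okA := u.Query()["redirect_uri"]
	t, okT := form["redirect_uri"]
	return okA && okT && a[0] == t[0], nil
}

func main() {
	cfg := Config{ // constructed placeholder values
		Tenant:       "common",
		ClientID:     "my-client-id",
		ClientSecret: "my-client-secret",
		RedirectURI:  "https://dev.myapp.com/user/hub/finish",
		Scopes: []string{"offline_access", "https://graph.microsoft.com/calendars.read",
			"https://graph.microsoft.com/user.read.all", "https://graph.microsoft.com/organization.read.all"},
	}
	state, _ := NewState()
	auth := AuthorizeURL(cfg, state)
	ok, _ := RedirectURIsMatch(auth, TokenForm(cfg, "placeholder-code").Encode())
	fmt.Println(auth)
	fmt.Println("redirect_uri consistent across both legs:", ok)
}
```

Run RedirectURIsMatch over the exact authorize URL you log when redirecting the user and the exact form body you post; if it reports false while the registered URI looks right, the parameter name or value differs between the two legs rather than between your app and the Azure AD registration.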