Authorization Endpoint Errors
This topic explains how to interpret and respond to errors that originate at the Azure AD authorization endpoint.
Errors that occur at the Azure AD authorization endpoint are returned in one of two ways. When the error is displayed on a web page, the endpoint uses an HTTP 200 status code. When a client application is available to handle the error, the endpoint uses an HTTP 302 redirect status code and places the error parameters in the query string of the redirect URI.
Here is a sample HTTP 302 error response from the Azure AD authorization endpoint when an authorization code request is missing the required response_type parameter.
```http
HTTP/1.1 302 Found
Location: https://localhost/myapp/?error=invalid_request&error_description=AADSTS90014%3a+The+request+body+must+contain+the+following+parameter%3a+%27response_type%27.%0d%0aTrace+ID%3a+57f5cb47-2278-4802-a018-d05d9145daad%0d%0aCorrelation+ID%3a+570a9ed3-bf1d-40d1-81ae-63465cc25488%0d%0aTimestamp%3a+2013-12-31+05%3a51%3a35Z&state=D79E5777-702E-4260-9A62-37F75FF22CCE
```
Error Response Parameters
Client-handled error responses include the following parameters.

| Parameter | Description |
|---|---|
| error | An error code value defined in Section 5.2 of the OAuth 2.0 Authorization Framework. The next table describes the error codes that Azure AD returns. |
| error_description | A more detailed description of the error. This message is not intended to be end-user friendly. |
| state | Returns the state value from the request, if the request includes a state value. The state value is a randomly generated, non-reused value that is sent in the request and returned in the response to prevent cross-site request forgery (CSRF) attacks. For more information, see Best Practices for OAuth 2.0 in Azure AD. |
Error Codes
The following table describes the error codes (error parameter values) that the Azure AD authorization endpoint returns.

| Error code | Description | Client Action |
|---|---|---|
| invalid_request | Protocol error, such as a missing required parameter. | Fix and resubmit the request. For reference, use the protocol documentation and Authorization Code Grant Flow. This is a development error that is typically caught during initial testing. |
| unauthorized_client | The client application is not permitted to request an authorization code. | This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. For more information, see Application Access. |
| access_denied | The resource owner denied consent. | The client application can notify the user that it cannot proceed unless the user consents. |
| unsupported_response_type | The authorization server does not support the response type in the request. | Fix and resubmit the request. For reference, use the protocol documentation and Authorization Code Grant Flow. This is a development error that is typically caught during initial testing. |
| server_error | The server encountered an unexpected error. | Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed due to a temporary error. |
| temporarily_unavailable | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed due to a temporary condition. |
| invalid_resource | The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. | This indicates that the resource has not been configured in the tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. For more information, see Application Access. |
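The following is an added example (not code from the page or from Microsoft) showing how a client application can handle such a redirect: it verifies the state value before anything else, splits the diagnostic error_description into its AADSTS code, message, Trace ID, Correlation ID and Timestamp, and maps the error code to the client action listed in the table above. The sample Location value is the one from the page's 302 response; the ACTIONS labels and the function name are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the Location header from the page's sample 302 response.
SAMPLE_LOCATION = (
    "https://localhost/myapp/?error=invalid_request"
    "&error_description=AADSTS90014%3a+The+request+body+must+contain+the+following"
    "+parameter%3a+%27response_type%27.%0d%0aTrace+ID%3a+57f5cb47-2278-4802-a018-d05d9145daad"
    "%0d%0aCorrelation+ID%3a+570a9ed3-bf1d-40d1-81ae-63465cc25488"
    "%0d%0aTimestamp%3a+2013-12-31+05%3a51%3a35Z"
    "&state=D79E5777-702E-4260-9A62-37F75FF22CCE"
)

# Client action per error code, following the page's error-code table (labels are assumed names).
ACTIONS = {
    "invalid_request": "fix_request",            # development error, fix and resubmit
    "unsupported_response_type": "fix_request",  # development error, fix and resubmit
    "unauthorized_client": "prompt_setup",       # app not registered or not added to tenant
    "invalid_resource": "prompt_setup",          # resource not configured in the tenant
    "access_denied": "inform_consent_required",  # resource owner denied consent
    "server_error": "retry",                     # temporary condition
    "temporarily_unavailable": "retry",          # temporary condition
}


def parse_error_redirect(location, expected_state):
    """Parse an Azure AD authorization-endpoint error redirect into a dict.

    The state check comes first: a redirect whose state does not match the value
    this client generated is rejected (CSRF defence), so a forged redirect cannot
    drive the client's error handling or be mistaken for a genuine response.
    """
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization response")
    error = params.get("error", [None])[0]
    desc = params.get("error_description", [""])[0]
    # error_description is diagnostic text, not for end users. Its CRLF-separated lines are
    # 'AADSTSnnnnn: <message>', then 'Trace ID: ..', 'Correlation ID: ..', 'Timestamp: ..'.
    first, *details = desc.split("\r\n")
    m = re.match(r"(AADSTS\d+):\s*(.*)", first)
    result = {
        "error": error,
        "action": ACTIONS.get(error, "unknown"),
        "aadsts_code": m.group(1) if m else None,
        "message": m.group(2) if m else first,
    }
    for line in details:
        label, _, value = line.partition(": ")
        if label:  # becomes trace_id, correlation_id, timestamp
            result[label.lower().replace(" ", "_")] = value
    return result
```

Log the returned aadsts_code, trace_id and correlation_id for support requests, and show the user only the text implied by action, never the raw error_description.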
See Also
Error Handling in OAuth 2.0
OAuth 2.0 in Azure AD
Token Issuance Endpoint Errors
Errors from Secured Resources
Best Practices for OAuth 2.0 in Azure AD