Share via

Confusing error message on failed refresh token request

Simon Lieschke 21 Reputation points
2020-12-09T21:55:13.387+00:00

I'm building a SPA that's using the oidc-client JavaScript library to authenticate to Azure AD using the OAuth 2.0 authorization code flow with PKCE to obtain an access token to use a custom (Java) API.

In order to be able to validate the access token I created a custom scope as explained under the Problem 1: Azure AD returns invalid JWT access token section at Making Azure AD OIDC Compliant and provided it to the oidc-client library so it is included when authorizing. I got authorizing and requesting initial access and refresh tokens all working as expected.

However when refreshing an access token using the /{tenant}/oauth2/v2.0/token resource I received a 400 Bad Request response containing this error message: 

   AADSTS90009: Application 'redacted-client-id'(redacted-client-id) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.

Eventually I found I could successfully refresh the access token by supplying a scope parameter with my custom scope based on it being marked as required for /{tenant}/oauth2/v2.0/token requests to refresh the access token. Is this is what would be expected to fix the problem? I've been confused because the error message talks about specifying a resource, and doesn't make any mention of a scope.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Simon Lieschke 21 Reputation points
    2021-06-03T19:54:47.007+00:00

    I see the documentation at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token has changed to now say the scope parameter is optional, yet I still get the same error from my original post if I do not supply a scope parameter. If the parameter is intended to be optional, why am I still getting the same error when I don't provide it?

    3 people found this answer helpful.
    0 comments
  2. Simon Lieschke 21 Reputation points
    2020-12-10T16:43:39.593+00:00

    Thanks @Vipul Sparsh for confirming that the scope is indeed expected in this case. Can the error message returned please be improved to mention "scope" instead of "resource" when using Microsoft Identity Platform endpoints to avoid confusion for others in the future? It looks like "resource" is only applicable when using the older Azure AD v1.0 endpoints as documented here.

    As requested, here is the request made that triggered the error in question: 

       POST https://login.microsoftonline.com/[redacted-tenant-id]/oauth2/v2.0/token HTTP/1.1  
   Host: login.microsoftonline.com  
   Connection: keep-alive  
   Content-Length: 1318  
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36  
   Content-Type: application/x-www-form-urlencoded  
   Accept: */*  
   Origin: [redacted]  
   Sec-Fetch-Site: cross-site  
   Sec-Fetch-Mode: cors  
   Sec-Fetch-Dest: empty  
   Referer: [redacted]  
   Accept-Encoding: gzip, deflate, br  
   Accept-Language: en-CA,en;q=0.9  
     
   request_type=si%3As&refresh_token=[omitted]&grant_type=refresh_token&client_id=[redacted]

    1 person found this answer helpful.
    0 comments
  3. Vipul Sparsh 16,336 Reputation points Microsoft Employee Moderator
    2020-12-10T12:01:21.83+00:00

    @Simon Lieschke Thanks for reaching out.

    Can you share the request you are sending when you got that error message.
    When you use V2 endpoint , it is mandatory to send the scope parameter specify the permission you are requesting.
    You can read more here

    46975-image.png

    ==========================================================================================================

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.