Getting invalid grant error when refreshing token

Sohayb Saleh 0 Reputation points
2023-04-03T12:49:01.5133333+00:00

I am building a system to connect my system account with Microsoft account to integrate the calendar.

I have successfully created an application in Microsoft Azure AD and connected the application to my system, the user can see a button and login to retrieve an access token with a refresh token.

I am obtaining the Microsoft user access token and refresh token successfully.

Then I used the access token to perform APIs like creating an event, however after a while (a day) maybe, when I try to refresh the token using the following request.


curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Origin: http://localhost:4200' \
--header 'Authorization: Bearer EwCIA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAZLVtCsFA64WuHVPnZ0mBdBdSplrDHjCPzjCQjgURs1qR0hZolUxxGf6oL/5/Lc3RD/LZavbz8HHd0YvkgTweM5sT2wZQFKnumVUgfnmXfmj/KntCXEcVGinpy4KIzUYF6qTki2jpomovPlvZke8ELTmiz0tlT1/BDKuy8r87QazKq+oRGL8wmL8hv75WVVQR416T6t7kjxIPm0EBfzj2yQUzDAZ6TfM2kmVzMN+y/spMwRxleAp34fNVLWsC/qtBOM4LoHTWCB44sJihNvKkTYUrkXfFRsYJA9iHGKn9AwGrRipPwiTIPJQgyoqnAerGzBhmjJRa1dWuWuqdlaTytADZgAACOnZFItcZcTiWAKmHLLtW/dmMT/llurs50frEaZulc6+jjHEZlxFRLYev8HQJWnd4K6Z2H1jWtFyLCwWGr/eepBml2G8JVTnVWkuljL83GmcDWUG+sifXlYe0DmPL+rVAMFNBA01M5HRq58ktTsHoEOMpfNGCu6knfrYIpEGTyRV4tcHdmDQllQB7W3OdPzOZcQDR8IGY5YHbqLJaytSGlpPRkbIOtUDG83edzL7lfbBpcbJo8zOqWSQvVatsYLSV9yxC5pa+i5TQsoWZg77iaHQS9S49t7iiCjRhoMIFLJo5aWRbTbBRzL2mOkCNJEhRVijZ5RtJHQP+lkKbjMNXbTcNYZHhC6KQG7Lhfo/CNLEAE5iXEzYJ77Ss2lHaLjfpvkBEcTt/HUWPiNhlvs/x8d2NIted0NutEPwGCpdrRmRs1f1Q4XOXI0JeMfOKqBRRQFjGRGH2TcG+C2OSVdrz05lA8G5o/VwJzJhKJ/oovWssO3uyoLQ+CRCy95HwIF9xVNmQkEsNN7GTVlbU9f58bSLNoquCkLtaGGwE4RC4AcycI8ujhYVqucD+fuwD0My3FTs+0el6Tr6r1B3S9kM4oiqOmFTzW4NA29iKp7qt3+F1QjZ6JPspwFhYh8ujabNWP9FjQ1/PkbSiVpy12Iq0O7IqF+S5MP5lqV18bGahpRp0wHZk545WqUYuQe+OME1SNdvKsN8uyEpnzsdUFZVRsa8raD8An3ULn+69MckgdW1hfaR09rxrfOBWs3kMLZoluCGY3+N1AGnC0GirSrOeK24ET6OVClkSwZVs6+4ZE50fUCJAg==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=AhDVWlE6NztJuqGq2Z_Q19wCpqKBAQAAAFIattsOAAAA' \
--data-urlencode 'client_id=${client_id}' \
--data-urlencode 'scope=user.read calendars.readwrite offline_access openid profile' \
--data-urlencode 'refresh_token=M.R3_BL2.-CXO560cLzT3Rn8kSV5OvQcrydtlANQM4*XE0zRu1J966VFGv99Yys3vNTX2SF0WRvyZ*wrDZZexsr!rJdwT3aDb!p2YEPjSPq7ADCcU8leRs95s26bPTi0YN1YjanCeJ!K0NDFGaGPg9zftnu5DcuByoQqzVCwgI9x6FY1SjtOi3HjD2YzYhtyCqcWteQmGhdSUSO*PJnVW7s2CfVNQeaYfnsXI3iA35kHtTXbdb0bOHvr5!KOH2H0BhHlrsqdO5cNCsRmF7CDBRbmh9VvsXa3DZ5wK*cd2A2v04kdme2Wmn0IcT!JZljm06ydOaSa58c1JSUAW8HTv8Ejyn5sO0j9xCSzwrBpZ!CtgLuQmnNtlGj1dvtbdqSHvmbYGpuvxj0taFnt2qDZEWp47withOFpo$' \
--data-urlencode 'grant_type=refresh_token'

The request is working at first, but then it starts giving this error

And I have a daily Cron job to refresh the token.

{ error: 'invalid_grant', error_description: 'AADSTS70000: The user could not be authenticated as the grant is expired. The user must sign in again.\r\n' +   'Trace ID: 9ceeb2fa-43c9-4cc1-963a-4d06afd74101\r\n' +   'Correlation ID: 06e19037-67a1-47b8-9473-b41e2c4b0168\r\n' +   'Timestamp: 2023-03-29 09:05:30Z', error_codes: [ 70000 ], timestamp: '2023-03-29 09:05:30Z', trace_id: '9ceeb2fa-43c9-4cc1-963a-4d06afd74101', correlation_id: '06e19037-67a1-47b8-9473-b41e2c4b0168', error_uri: 'https://login.microsoftonline.com/error?code=70000' }

Am I missing something, is there a lifetime that I don't know about?

Is it just the user logging out?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,806 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Siddharth Gautam 855 Reputation points
    2023-04-03T17:31:12.3666667+00:00

    Hello Sohayb Saleh,

    Thanks for posting!

    As per the Microsoft documentation, the public refresh tokens are only bound to the granted device. For example, if you registered a Native app and use https://login.microsoftonline.com/common/oauth2/nativeclient as the redirect URI, we only guarantee that it can be refreshed on the same device. Clients running apps on services that span regions and devices such as Microsoft Azure should register a Web app with client secret. The redirect URI can be localhost but cannot be https://login.microsoftonline.com/common/oauth2/nativeclient. Even if you continuously refresh the token on the same device with the most recent refresh token, you should expect to start again and request user consent. Please refer the below link:

    https://learn.microsoft.com/en-us/advertising/guides/authentication-oauth-get-tokens?view=bingads-13#:~:text=Although%20refresh%20tokens,would%20be%20returned.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.