Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,960 questions
Office365: Refreshing access token results with “AADSTS9002313” invalid_grant execption
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 60%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Akshath
1
Reputation point
From last couple of weeks we have few clients complaining that our app is auto revoking Office365 oauth every 1 hour. This is the typical behiviour as access token have validity of 1 hour, so our app is designed to auto refresh the access token using refresh token captured during oauth.
This seems to be not working for atleast few customers from last few weeks. Below exception is thrown back by Office365 token api - https://login.windows.net/common/oauth2/token
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}
Here, the error code '9002313' states there is some issue related to auth parameters especially 'client_id' of our azure app. (reference)
Below data is sent to fetch new access token
- client_id (related to azure app)
- client_secret (related to azure app)
- grant_type = 'refresh_token'
- refresh_token
Edit 1: Update token endpoint to v2.0
Request URI
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body
client_id=<client-id>
&scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite
&refresh_token=<refresh_token>
&grant_type=refresh_token
&client_secret=<client-secret>
Reponse Body
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
soumi-MSFT 11,766 Reputation points Microsoft Employee2020-10-14T08:45:42.957+00:00 Hello @Akshath , thank you for reaching out. I did check the request that hit the AAD from the backend logs for your request and I don't see a reason why AAD threw an invalid_grant error as the request looks good and I tested the same with Postman it worked for me.
I am trying to dig a little deeper into the logs and would get back to you soon with some more updates.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,436 Reputation points2020-10-14T17:19:48.613+00:00 Can you manually obtain the refresh token and try one more time?
-
Akshath 1 Reputation point
2020-10-15T04:58:30.05+00:00 Hello @soumi-MSFT , thank you for the response. I will wait for your reply. This is kind of happening once my clients account was migrated from Office 365 to Microsoft 365. I am not sure if there is any dependencies related to this.
I did give a try changing all references to v2.0 endpoint, but still no luck.
-
Akshath 1 Reputation point
2020-10-15T04:59:29.633+00:00 @alfredo-revilla-msft I did try this using standalone scripts and as well as in Postman client. Still I am getting same error.
-
soumi-MSFT 11,766 Reputation points Microsoft Employee
2020-10-15T05:39:52.757+00:00 @Hello @Akshath , the easiest way to understand the point of failure would be to collect the Fiddler traces from a working and non-working client and then compare the traces to understand why in the non-working scenario that error is coming up.
I would request you to drop me an email on azcommunity[at]microsoft[dot]com with the following details:
- Subject: ATTN-soumi | URL of this post
- Azure AD Tenant ID:
- Azure Subscription ID:
Do mention a good time to connect with you so that we can help you collect the fiddler traces.
-
Akshath 1 Reputation point
2020-10-15T06:16:14.517+00:00 @soumi-MSFT I just sent an email with requested details. Looking forward for your reply.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 24%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
Philippe Leblanc 1 Reputation point2021-04-16T15:23:52+00:00 Hi there, I got the same problem using a professional account and office 365. Any news from this feed ?
I am following the documentation and the standard practice. Is there something specific using Microsoft.
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
Sign in to comment