Receiving error AADSTS7000215 when generating oauth token.

Mradul Maheshwari 5 Reputation points
2023-04-28T10:15:14.1266667+00:00

Hello,

In our code we perform the following

  1. Create an App Registration in Azure Active Directory
  2. Create the service principal for the app
  3. Create a secret for the App

Then, using the appId and secret, we generate an OAuth token. While generating the OAuth token I am getting the following error:

--------------------------------------------------------------------------------
{
  "error": "invalid_client",
  "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '24a9c109-0635-4718-9e4d-08b5a7eb82c9'.\r\nTrace ID: 53e865df-c508-4d02-9187-8e186f228400\r\nCorrelation ID: 630ccd43-0032-45f5-a3e4-11a431696d5f\r\nTimestamp: 2023-04-27 23:48:42Z",
  "error_codes": [
    7000215
  ],
  "timestamp": "2023-04-27 23:48:42Z",
  "trace_id": "53e865df-c508-4d02-9187-8e186f228400",
  "correlation_id": "630ccd43-0032-45f5-a3e4-11a431696d5f",
  "error_uri": "https://login.microsoftonline.com/error?code=7000215"
}
--------------------------------------------------------------------------------

The timeline of events is as follows:

At 2023-04-27T23:48:26.525Z the secret was created.

At 2023-04-27T23:48:32.315Z (~5 sec after the secret was created) I tried to fetch the token, but it failed with error AADSTS700016. This error is treated as a retryable error, hence the client retries.

At 2023-04-27T23:48:42.554Z (~10 sec after the 2nd request), the request failed with AADSTS7000215.

I can confirm that I am passing the secret and not the secret ID in the request.

We set an expiration time of 24 months on the secret.

We use the Go SDK to perform all the operations. To get the token we are using this package: github.com/Azure/azure-sdk-for-go/sdk/azidentity.

Questions:

  1. Should the error code AADSTS7000215 also be treated as a retryable error code?
  2. Does it take time for the Azure system to sync the secret too? In the case of App registrations we have seen that it takes time for the App/service principal to sync in the system, and hence we are treating error code AADSTS700016 as retryable.

1 answer

  1. Shweta Mathur 29,741 Reputation points Microsoft Employee
    2023-05-02T08:31:33.6533333+00:00

    Hi @Mradul Maheshwari ,

    Thanks for reaching out.

    Could you please confirm what you mean by 'Create the service principal for the app'?

    When we register the application in the portal, its service principal is created automatically, which you can check under the same application name by navigating to Enterprise applications in Azure Active Directory.

    As you are getting two different errors on retry, AADSTS7000215 (Invalid client secret is provided) and AADSTS700016 (UnauthorizedClient_DoesNotMatchRequest), it seems the authentication parameters are not passed correctly.

    These errors are not considered retryable errors, and you should try to register a new application with a new client secret to authenticate the application.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
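As an added example that belongs to neither the question nor the answer: standard-library Go (not the azidentity SDK) that parses the token-endpoint error body the question pastes and applies the asker's policy of retrying AADSTS700016 within a bounded attempt count, while treating AADSTS7000215 as terminal as the answer states; it also adds a pre-flight check for the mistake AADSTS7000215 names, sending the secret ID instead of the secret value. The function names, the attempt cap and the "secret IDs are GUID-shaped" heuristic are my assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// tokenError mirrors the JSON error body pasted in the question (extra fields ignored).
type tokenError struct {
	Error         string `json:"error"`
	ErrorCodes    []int  `json:"error_codes"`
	CorrelationID string `json:"correlation_id"`
}

// Classify decides whether a failed token request is worth retrying and
// returns the correlation_id to log either way. AADSTS700016 is retried within
// a bounded attempt count, as the asker does, because a new app registration
// takes time to propagate. AADSTS7000215 is terminal, as the answer states:
// no retry fixes a wrong credential, so the caller must re-check the value sent.
func Classify(body []byte, attempt, maxAttempts int) (bool, string, error) {
	var te tokenError
	if err := json.Unmarshal(body, &te); err != nil {
		return false, "", fmt.Errorf("token error body is not JSON: %w", err)
	}
	for _, code := range te.ErrorCodes {
		switch code {
		case 700016:
			return attempt < maxAttempts, te.CorrelationID, nil
		case 7000215:
			return false, te.CorrelationID, nil
		}
	}
	return false, te.CorrelationID, nil // unknown code: fail closed, do not hammer the endpoint
}

// guidRe matches a client secret ID, which the portal shows as a GUID; the
// secret value is never GUID-shaped (assumption from portal output), so a GUID
// here means the wrong field was copied, exactly what AADSTS7000215 describes.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

func LooksLikeSecretID(secret string) bool { return guidRe.MatchString(secret) }

// SampleBody is a constructed error body in the shape the question shows.
const SampleBody = `{"error":"invalid_client","error_codes":[7000215],"correlation_id":"00000000-0000-0000-0000-000000000000"}`

func main() {
	retry, corr, err := Classify([]byte(SampleBody), 1, 5)
	fmt.Println(retry, corr, err, LooksLikeSecretID("12345678-abcd-4abc-8abc-123456789abc"))
}
```

Running LooksLikeSecretID on the configured secret at startup turns the 7000215 round trip into a local configuration error with no network call and no credential leaving the process.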

