Invalid client secret provided

Yashovardhan Mopur 0 Reputation points
2023-05-02T18:02:16.0166667+00:00

We had been accessing the tables created in the Hive metastore until some time back. Recently, the app registration secret expired, due to which we got an error message that the token (app registration) had expired. We created a new client secret for this purpose and registered the newly created secret in the key vault. After that, we tried accessing the tables and this time got a new error message that is either misleading, or we do not know where the secret is being referenced. We ensured that we entered the secret value and not the secret ID, as the error message suggests. We even tried unmounting and mounting the data lake. We appreciate any kind of help and support in this regard. The latest error message is below:

summary: Error in SQL statement: ExecutionException: HTTP Error 401; url='https://login.microsoftonline.com/<>/oauth2/token' AADToken: HTTP connection to https://login.microsoftonline.com/<>/oauth2/token failed for getting token from AzureAD; contentType='application/json; charset=utf-8'; response '{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<>'


Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2023-05-02T23:54:03.56+00:00

    Hi @Yashovardhan Mopur ,

    Thanks for your post! As you correctly noted, the error message "AADSTS7000215: Invalid client secret provided." means that the client secret is incorrect or expired either in the app registration or in a different reference.

    To resolve this issue, you should validate that your app registration has the correct value recorded for the client secret and ensure that all of the following values are correctly configured:

    User's image

    Then, since you are using Key Vault, you need to create a secret with a name of your choice in the Key Vault and copy the client secret from the app registration into the “value” field of the Key Vault secret. https://learn.microsoft.com/en-us/azure/databricks/sql/admin/data-access-configuration#--configure-a-service-principal

    See example:

    PUT https://myvault.vault.azure.net/secrets/crpsecret?api-version=7.4
    Content-Type: application/json
    
    {
      "value": "mysecretvalue"
    }
    

    If you have already done these steps and verified that the client secret in the app registrations matches the value field in the Key Vault secret, you can troubleshoot the following:

    1. Verify that the unexpired secret's expiration date is reflecting properly. You can check the expiration date of the client secret in the Azure portal and generate a new secret if it has expired.
    2. Ensure that the client secret is not being modified or corrupted during copy-pasting. Sometimes extra spaces or characters can be added while copying the client secret. Validate that the client secret is copied correctly and without any extra characters.
    3. Check if the client secret is being referenced correctly in all of your config settings. Ensure that the client secret is being referenced by its value and not its ID.

    If none of the above steps work, please provide more information about and screenshots of your app registration so that I can assist you better.

    If you would prefer, you can reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread.

    Additionally, there are some good external resources on the databricks forums: https://community.databricks.com/s/question/0D53f00001lvKfHCAU/how-do-i-configure-an-azure-databricks-external-metastore-to-use-a-service-principal-rather-than-a-sql-user-for-authentication

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.


  2. Swarna, Srinath (CAI - Atlanta) 21 Reputation points
    2024-01-07T05:17:20.28+00:00
    I’m trying to connect to a mailbox to read the emails through my Azure app registration.
    
    I could do this very smoothly the first time and could access the mailbox successfully. However, with the new secrets, I'm unable to generate the auth token using the authorization code that was returned after authenticating with the mailbox that I want to read.
    
    I’ve repeated this with several secrets but there’s no luck. I’ve tried everything that was mentioned in this article. I keep getting the error that the client_secret that I’m using is incorrect. 
    
    Steps I followed:
    
    1. Generate the authorization code using the following HTTP call after replacing the Tenant_ID, from the browser. Signed into the account that I want to access and read, when prompted for login.
    
    https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?client_id=<client-id>&response_type=code&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_mode=query&scope=offline_access%20Mail.Read&state=12345644
    
    2. Make a POST call from Postman to "https://login.microsoftonline.com/<Token_ID>/oauth2/v2.0/token" using the code from step 1 and the following form parameters.
    client_id: <Client id>
    scope: offline_access Mail.Read
    code: <Code from response from step 1>
    redirect_uri: https://login.microsoftonline.com/common/oauth2/nativeclient
    grant_type: authorization_code
    client_secret: <Value of newly created secret>
    
    3. I get the following error message:
    {
        "error": "invalid_client",
        "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '7c37c5a4-7cb4-4160-8b0c-08f8c13c3bda'. Trace ID: 630d6d59-b48e-4b76-946a-27cb42fdf403 Correlation ID: 4644d033-006a-4c03-a137-d4187c3afb31 Timestamp: 2024-01-07 04:25:03Z",
        "error_codes": [
            7000215
        ],
        "timestamp": "2024-01-07 04:25:03Z",
        "trace_id": "630d6d59-b48e-4b76-946a-27cb42fdf403",
        "correlation_id": "4644d033-006a-4c03-a137-d4187c3afb31",
        "error_uri": "https://login.microsoftonline.com/error?code=7000215"
    }
    
    Same steps were successful, the first time.
    
    
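The checks in the accepted answer (secret value vs. secret ID, stray characters from copy-paste, expired secrets, every reference updated) and the token exchange in the second reply can be scripted so the secret is validated before it is pushed into Key Vault or a Databricks config. The Python below is an added example by the editor, not code from Microsoft, Databricks or either poster. It assumes the v2.0 token endpoint, uses https://graph.microsoft.com/.default as the default scope for the client-credentials case, and relies on a heuristic (a secret ID is a GUID, a secret value is not) that is an assumption rather than a documented guarantee; the function names and the sample error response are constructed for this example.

```python
"""Pre-flight checks and error triage for Microsoft Entra ID client secrets.

Added example (editor's own, not Microsoft, Databricks or the posters' code).
Assumptions: the v2.0 token endpoint, and that a client secret *ID* is a GUID
while a secret *value* is not (a heuristic, not a documented guarantee).
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Hints for the AADSTS codes this thread is about; other codes fall through to error_description.
AADSTS_HINTS = {
    7000215: "secret rejected: wrong value, secret ID pasted instead of value, "
             "or a secret that belongs to a different app registration",
    7000222: "all client secrets for this app are expired: create a new one and "
             "update every reference (Key Vault, Databricks config, mounts)",
}


def check_secret(secret: str) -> list:
    """Return a list of problems with the pasted secret string (empty == looks plausible)."""
    problems = []
    if secret != secret.strip():
        problems.append("leading/trailing whitespace (copy-paste artefact)")
    s = secret.strip()
    if not s:
        problems.append("empty secret")
        return problems
    if GUID_RE.match(s):
        problems.append("value is a GUID: this is the secret ID from the portal, not the secret value")
    if any(not (32 <= ord(ch) < 127) for ch in s):
        problems.append("contains non-ASCII or control characters (smart quotes, newline, ...)")
    return problems


def build_token_request(tenant, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default",
                        code=None, redirect_uri=None):
    """Return (url, form body) for client_credentials, or authorization_code when `code` is given."""
    params = {"client_id": client_id, "client_secret": client_secret, "scope": scope}
    if code is None:
        params["grant_type"] = "client_credentials"
    else:
        params["grant_type"] = "authorization_code"
        params["code"] = code
        params["redirect_uri"] = redirect_uri
    return TOKEN_ENDPOINT.format(tenant=tenant), urllib.parse.urlencode(params)


def diagnose_token_error(body: str) -> dict:
    """Parse an Entra token-endpoint error body and attach a hint for its AADSTS code."""
    data = json.loads(body)
    codes = data.get("error_codes") or []
    code = codes[0] if codes else None
    return {
        "error": data.get("error"),
        "code": code,
        "hint": AADSTS_HINTS.get(code, data.get("error_description", "")),
        "correlation_id": data.get("correlation_id"),  # quote this when opening a support case
    }


def request_token(tenant, client_id, client_secret, **kwargs) -> dict:
    """Run the local checks first, then POST to the token endpoint (network call)."""
    problems = check_secret(client_secret)
    if problems:
        return {"error": "local_check_failed", "code": None,
                "hint": "; ".join(problems), "correlation_id": None}
    url, body = build_token_request(tenant, client_id, client_secret, **kwargs)
    req = urllib.request.Request(url, data=body.encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())  # carries access_token on success
    except urllib.error.HTTPError as exc:
        return diagnose_token_error(exc.read().decode())


# Constructed sample response, shaped like the one in the thread (identifiers replaced).
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being "
                         "sent in the request is the client secret value, not the client secret ID, "
                         "for a secret added to app '<app-id>'.",
    "error_codes": [7000215],
    "correlation_id": "<correlation-id>",
})

if __name__ == "__main__":
    print(check_secret("3f2504e0-4f89-11d3-9a0c-0305e82c3301"))  # a secret ID pasted by mistake
    print(diagnose_token_error(SAMPLE_ERROR)["hint"])
```

Run `check_secret` on the string you are about to store in Key Vault; if it reports nothing, `request_token` with the tenant and client ID tells you whether Entra accepts the secret, and on failure returns the AADSTS code and correlation ID you would quote in a support request. For the mailbox case in the second reply, pass `scope="offline_access Mail.Read"`, the `code` from the authorize redirect and the same `redirect_uri` to `request_token`.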
