AADSTS7000215: Invalid client secret provided

Swarna, Srinath (CAI - Atlanta) 21 Reputation points
2024-01-10T03:24:15.42+00:00

I'm trying to generate an OAuth authorization token using the following steps:

  1. I already have an Azure app to which I'm the owner. Have a secret created already that is valid for another 24 months.
  2. Generated the Auth code using the following step:

https://login.microsoftonline.com/<<Directory (tenant) ID>>/oauth2/v2.0/authorize?client_id=<<Application (client) ID>>&response_type=code&redirect_uri=https%3A%2F%2Flocalhost&response_mode=query&scope=offline_access%20Mail.ReadWrite%20Mail.send&state=12345644
When I accessed that URL after substituting the tenant and client IDs, I was prompted to enter the credentials of the email account that I want to access. I authenticated there successfully and a response was returned with an authorization "code" in the URL of the browser.

  3. From Postman, I have then made a POST call to this API with the following parameters:

Request Type: Post
Request URL: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
client_id: your client id --> Substituted the client ID
scope: offline_access Mail.Read
code: --> Substituted the code I got in step # 2
redirect_uri: https://localhost
grant_type: authorization_code
client_secret: --> Substituted the client secret "Value" (not the secret ID).

  4. Step #3 was successful the first time, when I created the secret. I got an auth token and then generated a refresh token, using which I could access the email. Surprisingly, after I rotated the secret (replaced the secret that worked with a new one) and repeated the steps above, step #3 (generation of auth token) is failing with this error:
AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '7c37c5a4XXXx-XXXxxxXXx-'
  5. I have repeated this several times using multiple secrets, with and without encoding the "code" and the "secret value", making sure there are no special characters like "=" or "+". But nothing worked. It looks like the refresh token that I generated the first time is stuck somewhere and the new secret is being validated against that? Are there any other options that I can try?

Accepted answer
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2024-01-10T23:48:18.9033333+00:00

    Hi Swarna, Srinath (CAI - Atlanta),

    I'm glad you were able to get this issue resolved and thank you for sharing your solution so that others in the community with similar questions can easily reference it! I'm adding the details to this post since we discussed this in a separate email.

    The "invalid client secret" error typically occurs if the secret is invalid, expired, or has a special character in it.

    You mentioned that you could successfully generate the token by modifying the sample PowerShell script given in the Microsoft documentation in this link, but the same steps were not working from Postman.

    This may have happened because in Postman there is a dropdown option "Client Authentication" with "Send as Basic Auth header" or "Send client credentials in body". My understanding is that it should be set to "Send client credentials in body" since the authorization header is not allowed.

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have reposted your solution in case you'd like to "Accept" the answer.

    If you have any other questions or are still running into more issues, please let me know.

    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
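The token exchange from step 3, written out as an added example (not code from the question, the answer, or Microsoft): it puts `client_secret` in the form body rather than an Authorization header, lets `urlencode` handle "+" and "=" in the secret value, refuses a GUID-shaped secret (the "Secret ID" column instead of "Value"), and extracts the AADSTS code from an error response. Tenant, client, secret and code values are constructed placeholders.

```python
import json
import re
import urllib.parse

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def looks_like_secret_id(secret: str) -> bool:
    """The portal lists a 'Secret ID' (a GUID) and a 'Value' per secret. Only the
    Value authenticates; a GUID passed here is almost certainly the wrong column."""
    return bool(GUID_RE.match(secret.strip()))


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri, scope):
    """Build the authorization_code exchange as Entra expects it: credentials in the
    x-www-form-urlencoded body (Postman: 'Send client credentials in body'), no
    Authorization header. urlencode() percent-encodes '+', '=' and spaces for us."""
    if looks_like_secret_id(client_secret):
        raise ValueError("client_secret looks like a Secret ID (GUID); send the secret Value")
    form = {
        "client_id": client_id,
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(form, quote_via=urllib.parse.quote)
    return TOKEN_URL.format(tenant=tenant_id), headers, body


def classify_token_response(body_text: str) -> dict:
    """Summarise a token-endpoint JSON response: tokens present, or the AADSTS code."""
    data = json.loads(body_text)
    if "access_token" in data:
        return {"ok": True, "has_refresh_token": "refresh_token" in data}
    m = re.match(r"(AADSTS\d+)", data.get("error_description", ""))
    return {"ok": False, "error": data.get("error"), "aadsts": m.group(1) if m else None}


if __name__ == "__main__":
    # Constructed sample values, not real credentials; the error body mirrors the message in the question.
    url, hdrs, body = build_token_request(
        "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111",
        "abc+def=ghi", "0.AXkA-constructed-code", "https://localhost",
        "offline_access Mail.ReadWrite Mail.Send")
    print(url, hdrs, body, sep="\n")
    print(classify_token_response('{"error":"invalid_client","error_description":'
                                  '"AADSTS7000215: Invalid client secret provided."}'))
```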

