How to fix AADSTS90023: The request is not valid. The refresh token used contains only policy offers

Daniel Gralewski 0 Reputation points
2024-07-17T12:46:30.26+00:00

We have an App in our Azure tenancy that is used for the OAuth authorization code flow so that our customers grant our app access to their data. It works fine in our tests and with our own Azure users, but when one of our customers uses it, the refresh token flow fails with the following error:

AADSTS90023: The request is not valid. The refresh token used contains only policy offers and the scope parameter is not specified. Specify the scope parameter when using a refresh token associated with a policy offer. Trace ID: f46145a0-9024-400b-a304-effd0a29c700 Correlation ID: 833ea1e2-10ab-4bb7-8dd3-55ea5959b9f6 Timestamp: 2024-07-03 19:38:19Z','error_codes':[90023],'timestamp':'2024-07-03 19:38:19Z','trace_id':'f46145a0-9024-400b-a304-effd0a29c700','correlation_id':'833ea1e2-10ab-4bb7-8dd3-55ea5959b9f6'}

It is not clear what "policy offer" is in this context. Any ideas how to get this problem fixed?


1 answer

Navya 11,790 Reputation points Microsoft Vendor
2024-07-18T07:46:07.98+00:00

Hi @Daniel Gralewski

Thank you for posting this in Microsoft Q&A.

I understand you're using the OAuth authorization code flow and can obtain a token, but when using the refresh token, it fails with the error "AADSTS90023: The request is not valid. The refresh token used contains only policy offers and the scope parameter is not specified."

The error code AADSTS90023 indicates an Invalid Request, meaning the authentication service request is not valid.

The access token obtained through the authorization code flow is issued for a specific user and contains information about that user, such as their identity and the permissions they have granted to the client application; the same user is able to get a refresh token.

You can do so by submitting another POST request to the /token endpoint. Provide the refresh_token instead of the code.

To understand the issue better, please share the steps you are taking, such as how you created the application and which HTTP your customer is using to get the tokens and refresh token.

Meanwhile, can you please check the scopes which you are using for the refresh token. The scopes requested in the refresh token must be equivalent to or a subset of the scopes requested in the original authorization_code request.

For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

Hope this helps. Do let us know if you have any further queries.

Thanks,

Navya.
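An added example, not code from this thread or from Microsoft's libraries, showing the refresh-token POST body the answer describes: the scope parameter is always sent, and it is checked against the scopes granted in the original authorization_code request before the request is built. The tenant, client id, scope strings and the error body are assumed placeholders.

```python
"""Redeem an Entra ID v2.0 refresh token with scope= always present.

Added example for this thread (not Microsoft's code); tenant, client id,
scope strings and the sample error body are placeholders/constructed.
"""
from typing import Iterable

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def scope_problems(requested: Iterable[str], granted: Iterable[str]) -> list:
    """Return reasons the refresh request would be rejected, empty if none.

    Mirrors the two rules in the answer: scope must be specified, and it
    must be equal to or a subset of what the authorization_code request got.
    """
    req, grant = list(requested), set(granted)
    problems = []
    if not req:
        problems.append("scope parameter missing (AADSTS90023 risk)")
    extra = sorted(set(req) - grant)
    if extra:
        problems.append("scopes not granted originally: " + " ".join(extra))
    return problems


def build_refresh_request(tenant, client_id, refresh_token, requested,
                          granted, client_secret=None):
    """Return (url, form) for the POST to /token with grant_type=refresh_token."""
    problems = scope_problems(requested, granted)
    if problems:
        raise ValueError("; ".join(problems))
    form = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(requested),   # never omitted on a refresh
    }
    if client_secret:                   # confidential (web) clients only
        form["client_secret"] = client_secret
    return TOKEN_URL.format(tenant=tenant), form


def is_scope_error(error_body: dict) -> bool:
    """True when the /token JSON error body carries AADSTS90023."""
    return 90023 in error_body.get("error_codes", [])


# Constructed error body shaped like the one in the question (ids are dummies).
SAMPLE_ERROR = {
    "error_description": "AADSTS90023: The request is not valid. ...",
    "error_codes": [90023],
    "correlation_id": "00000000-0000-0000-0000-000000000000",
}
```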

