OAuth2 Authorization code was already redeemed

Huang Chao 26 Reputation points
2021-03-12T08:52:14.977+00:00

AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: 46d60227-a196-4a10-96b1-dff84a843400 Correlation ID: 8d6ce73f-e8b1-4630-a75f-61d8f30eeb93 Timestamp: 2021-03-12 08:28:33Z

My web app has been working fine for 2 years. It's not working now. This is my code:

```python
import requests

def redeem_authorization_code(token):
    # Azure AD v1 token endpoint; each authorization code can be redeemed only once
    url = "https://login.microsoftonline.com/{TID}/oauth2/token".format(TID=MYTID)
    data = requests.post(url, data={'client_id': CLIENT_ID, 'client_secret': my_secrete, 'code': token, 'grant_type': 'authorization_code', 'redirect_uri': REDIRECT_URI, 'resource': APPID_URI})
    return data.json()
```

Does anyone have any idea about this?

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-03-16T14:08:33.047+00:00

    Hello @Huang Chao ,

    This behavior is to be expected when your application reuses authorization codes to get tokens. I would recommend that you revisit your code and check whether your application reuses the code.

    If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. Any new app that attempts to reuse an authentication code during the OAuth code flow will get an invalid_grant error AADSTS54005: OAuth2 Authorization code was already redeemed.

    For more information, read this [article](https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#authorization-codes-can-no-longer-be-reused).

    Regards,
    Siva Kumar Selvaraj

    1 person found this answer helpful.
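The pattern the accepted answer recommends, written out as an added example (this is not code from the original thread or from any Microsoft library): redeem the authorization code exactly once, keep the refresh token it returns, and obtain every further access token, including tokens for other resources, with the `refresh_token` grant. The `FakeTokenEndpoint` below is a constructed stand-in for `https://login.microsoftonline.com/{tenant}/oauth2/token` so the example runs offline; it enforces only the single-use-code behaviour described above and returns an error shaped like the AADSTS54005 response quoted in the question. All tenant, client, code and resource values are made-up sample data. In production, pass `lambda url, data: requests.post(url, data=data).json()` as the `post` callable instead.

```python
import secrets
import threading


class FakeTokenEndpoint:
    """Constructed stand-in for the AAD v1 token endpoint (offline only).

    Authorization codes are single-use; refresh tokens may be reused for any resource.
    """

    def __init__(self, valid_codes):
        self._unredeemed = set(valid_codes)
        self._refresh_tokens = set()

    def _issue(self, resource, refresh_token):
        return {"access_token": "at-%s-%s" % (resource, secrets.token_hex(4)),
                "refresh_token": refresh_token, "resource": resource}

    def post(self, url, data):
        grant = data.get("grant_type")
        if grant == "authorization_code":
            if data["code"] not in self._unredeemed:
                # Same shape as the error quoted in the question.
                return {"error": "invalid_grant",
                        "error_description": "AADSTS54005: OAuth2 Authorization code was already "
                                             "redeemed, please retry with a new valid code or use "
                                             "an existing refresh token."}
            self._unredeemed.discard(data["code"])
            refresh_token = secrets.token_hex(8)
            self._refresh_tokens.add(refresh_token)
            return self._issue(data["resource"], refresh_token)
        if grant == "refresh_token":
            if data["refresh_token"] not in self._refresh_tokens:
                return {"error": "invalid_grant", "error_description": "unknown refresh token"}
            return self._issue(data["resource"], data["refresh_token"])
        return {"error": "unsupported_grant_type", "error_description": str(grant)}


class TokenClient:
    """Redeems each authorization code once; serves further resources from the refresh token."""

    def __init__(self, post, tenant_id, client_id, client_secret, redirect_uri):
        self._post = post
        self._url = "https://login.microsoftonline.com/%s/oauth2/token" % tenant_id
        self._client = {"client_id": client_id, "client_secret": client_secret}
        self._redirect_uri = redirect_uri
        self._lock = threading.Lock()
        self._refresh_token = None
        self._seen_codes = set()   # guards against the redirect callback being handled twice

    def redeem_code(self, code, resource):
        with self._lock:
            if code in self._seen_codes:
                raise RuntimeError("authorization code already redeemed by this process; "
                                   "the callback was delivered twice")
            self._seen_codes.add(code)
        body = self._post(self._url, {**self._client, "grant_type": "authorization_code",
                                      "code": code, "redirect_uri": self._redirect_uri,
                                      "resource": resource})
        if "error" in body:
            raise RuntimeError(body.get("error_description", body["error"]))
        self._refresh_token = body["refresh_token"]
        return body["access_token"]

    def token_for(self, resource):
        """Access token for another resource, without touching the authorization code again."""
        if self._refresh_token is None:
            raise RuntimeError("no refresh token yet; redeem an authorization code first")
        body = self._post(self._url, {**self._client, "grant_type": "refresh_token",
                                      "refresh_token": self._refresh_token, "resource": resource})
        if "error" in body:
            raise RuntimeError(body.get("error_description", body["error"]))
        self._refresh_token = body["refresh_token"]   # keep the newest one in case it rotates
        return body["access_token"]


def demo():
    """Run the flow against the fake endpoint and return what each step produced."""
    endpoint = FakeTokenEndpoint(valid_codes={"code-abc"})   # constructed sample code

    def make_client():
        return TokenClient(endpoint.post, "tenant-id", "client-id", "client-secret",
                           "https://app.example/callback")

    client = make_client()
    first = client.redeem_code("code-abc", "https://graph.microsoft.com")
    second = client.token_for("https://other.example")           # no second redemption
    try:
        client.redeem_code("code-abc", "https://other.example")  # duplicate callback, same process
        local_guard = None
    except RuntimeError as exc:
        local_guard = str(exc)
    try:
        make_client().redeem_code("code-abc", "https://graph.microsoft.com")  # e.g. a second instance
        reuse_error = None
    except RuntimeError as exc:
        reuse_error = str(exc)
    return {"first": first, "second": second, "local_guard": local_guard, "reuse_error": reuse_error}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The in-process `_seen_codes` guard only catches a duplicate callback within one server; a second web node or a retrying HTTP client will still hit the endpoint, which is why the server-side error is surfaced as-is rather than retried. Retrying a redeemed code can never succeed; the recovery is a fresh authorization request or the stored refresh token.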

6 additional answers

Sort by: Most helpful
  1. Bouwer 5 Reputation points
    2023-01-31T11:32:22.3933333+00:00

    Does anyone have an update on this?

    We are experiencing the same issue. The app ran for a week, then suddenly this issue appeared.

    1 person found this answer helpful.

  2. Rahul Metangale 106 Reputation points
    2021-03-16T11:45:04.237+00:00

    Hi @Huang Chao

    Since you mentioned that the app has been working for the last two years, one possible issue could be that the secret has expired. Please note down the client ID, then navigate to Azure AD - App registrations - search for the application (you can enter the copied client ID). Once you find the application, select it, select Certificates & secrets, and under Client secrets check whether the secret has expired. If so, create a new secret and update your configuration.

    I hope this helps.

    Thanks,
    Rahul


  3. Nancy Admin 26 Reputation points
    2021-08-06T23:51:13.767+00:00

    Running into the same error - we are not reusing the code, but have started seeing this error today. This worked fine previously. Have also confirmed that our secret has not expired.


  4. Foxit 1 Reputation point
    2021-08-13T08:10:04.947+00:00

    The same error in production, but localhost is OK. Why, and how do I fix it?