Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 71%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENN%3C/text%3E%3C/svg%3E)
Nelson Nwajie
5
Reputation points
i get the error "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token when i try to retreive my token.
I run an opensearch instance on an onprem server and i use entra id as my IDP, everything was working fine until yesterday when i couldnt authenticate with openid anymore, i get not authorized error on the opensearch side after authentication. seems like an empty token is returned. My attempt to get the token has proved abortive, this is the error i get all the time. it seems to me that is what been returned from entraid to opensearch
{"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: xxxxxxxxxxxx Correlation ID: xxxxxxxxxxxxxxxxxxxxx Timestamp: 2025-10-09 10:34:01Z","error_codes":[54005],"timestamp":"2025-10-09 10:34:01Z","trace_id":"d1e7f3e3-981c-4600-8d74-004c213a3d00","correlation_id":"xxxxxxxxxxxxxxxxxxxxxxxx"}
i need help, as my team is totally blocked!
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 51%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZK%3C/text%3E%3C/svg%3E)
Zafer KAYA 335 Reputation points MVP2025-10-09T11:02:40.7566667+00:00 This happens when:
The app (OpenSearch in this case) replays the same
authorization_codeto the/tokenendpoint multiple times, orThe redirect URI / callback URL mismatches the one registered in Entra ID, invalidating the redemption, or
A network proxy, caching layer, or plugin bug causes the same code to be “retried.”
Since you said it used to work fine, and broke suddenly, this strongly points to session or configuration desync between OpenSearch and Entra ID.
Step 1: Clear OpenSearch SSO session cache
Stop OpenSearch.
Delete the SSO session cache or temporary tokens from your OpenSearch data directory.
If you’re using the OpenSearch Security Plugin, remove any cached
configorauth_tokenstate (usually in/usr/share/opensearch/plugins/opensearch-security/).Then restart:
sudo systemctl restart opensearchThis ensures it requests a new authorization code.
Step 2: Verify redirect URI in Entra ID
In Azure Portal → Entra ID → App registrations → [Your OpenSearch App] → Authentication
✅ Make sure the redirect URI matches exactly what OpenSearch is using, e.g.:
https://opensearch.yourdomain.com/_opendistro/_security/sso/auth/openidCommon mistakes:
Missing
/openidUsing
httpinstead ofhttpsTrailing
/Wrong hostname (proxy vs internal FQDN)
If you changed OpenSearch URLs recently, update it here and save.
Step 3: Check time synchronization
Run:
timedatectl statusEnsure:
System clock synchronized: yes NTP service: activeIf time drift > 5 min, fix it immediately:
sudo timedatectl set-ntp true
Step 4: Validate OpenSearch OIDC config
Check your OpenSearch configuration file (often
config/opensearch.yml):opendistro_security.openid.connect_url: "https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration" opendistro_security.openid.client_id: "<client_id>" opendistro_security.openid.client_secret: "<client_secret>" opendistro_security.openid.redirect_uri: "https://opensearch.yourdomain.com/_opendistro/_security/sso/auth/openid" opendistro_security.openid.scope: "openid profile email"Re-check the tenant ID, client ID, and secret. If you regenerated the secret recently, restart OpenSearch after updating it.
Step 5: Test manually with curl
To isolate the issue:
Use browser → authenticate → capture
codeparameter in redirect URL.Run manually:
curl -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \ -d "client_id=<client_id>" \ -d "scope=openid profile email" \ -d "grant_type=authorization_code" \ -d "code=<auth_code_here>" \ -d "redirect_uri=https://opensearch.yourdomain.com/_opendistro/_security/sso/auth/openid" \ -d "client_secret=<client_secret>"You should get an access token. If you get the same error immediately → Entra is rejecting the code (already used or expired). If it works → OpenSearch is reusing the code somewhere internally.
Step 1: Clear OpenSearch SSO session cache
Stop OpenSearch.
Delete the SSO session cache or temporary tokens from your OpenSearch data directory.
If you’re using the OpenSearch Security Plugin, remove any cached
configorauth_tokenstate (usually in/usr/share/opensearch/plugins/opensearch-security/).Then restart:
sudo systemctl restart opensearchThis ensures it requests a new authorization code.
Step 2: Verify redirect URI in Entra ID
In Azure Portal → Entra ID → App registrations → [Your OpenSearch App] → Authentication
✅ Make sure the redirect URI matches exactly what OpenSearch is using, e.g.:
https:Common mistakes:
Missing
/openidUsing
httpinstead ofhttpsTrailing
/Wrong hostname (proxy vs internal FQDN)
If you changed OpenSearch URLs recently, update it here and save.
Step 3: Check time synchronization
Run:
timedatectl statusEnsure:
System clock synchronized:If time drift > 5 min, fix it immediately:
sudo timedatectl set-ntp
Step 4: Validate OpenSearch OIDC config
Check your OpenSearch configuration file (often
config/opensearch.yml):opendistro_security.openid.connect_url:Re-check the tenant ID, client ID, and secret.
If you regenerated the secret recently, restart OpenSearch after updating it.
Step 5: Test manually with curl
To isolate the issue:
Use browser → authenticate → capture
codeparameter in redirect URL.Run manually:
curl -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \ -dYou should get an access token.
If you get the same error immediately → Entra is rejecting the code (already used or expired).
If it works → OpenSearch is reusing the code somewhere internally. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
VEMULA SRISAI 13,220 Reputation points Microsoft External Staff Moderator2025-10-25T13:42:59.68+00:00 Nelson Nwajie Thank you for your feedback. I understand that answer provided by the MVP is did not resolve your issue. To assist you further, I have initiated a private message and requested a few additional details.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-11-07T10:12:52.12+00:00 Hello Nelson Nwajie,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I will try to clarify your doubts and provide you some workarounds.
So, the error "AADSTS54005: OAuth2 Authorization code was already redeemed" occurs when the authorization code issued by Microsoft Entra ID is used more than once or is expired. This is by design because:
- Authorization codes are single-use and short-lived (typically valid for ~10 minutes).
- If OpenSearch retries the same code or caches it incorrectly, Entra ID rejects it.
- A mismatch in redirect URI or session state can also invalidate the code.
Will recommend some workarounds as:
- Ensure Correct OAuth Flow
- Authorization code must be exchanged only once for tokens.
- After redemption, use the refresh token for subsequent requests.
- Do refer: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
- Validate Redirect URI
- Must match exactly what’s registered in Entra ID: No trailing slashes mismatch and HTTPS only
- Reference: https://learn.microsoft.com/en-us/entra/identity-platform/reply-url
- Check Token Request Logic
- Confirm OpenSearch is not retrying the same
codeparameter. - If using OpenSearch Security Plugin, verify
openidsettings inopensearch.yml:opendistro_security.openid.connect_url: "https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration"opendistro_security.openid.client_id: "<client_id>"opendistro_security.openid.client_secret: "<client_secret>"opendistro_security.openid.redirect_uri: "https://opensearch.yourdomain.com/_opendistro/_security/sso/auth/openid"opendistro_security.openid.scope: "openid profile email" - Do refer: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps
- Time Synchronization
- Ensure server clock is accurate; OAuth codes expire quickly.
- Reference: https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
- Use Refresh Tokens
- After first successful redemption, use refresh tokens for subsequent calls.
- Refer: https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens
If Still Failing:
- Capture the full token request and response using
curlor Fiddler. - Compare with Microsoft’s example:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/tokenContent-Type: application/x-www-form-urlencodedclient_id=<client_id>scope=openid profile emailcode=<authorization_code>redirect_uri=<redirect_uri>grant_type=authorization_codeclient_secret=<client_secret> - Do refer: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token
Hope this helps!
Regards,
Monalisha
-
Anonymous
2025-11-18T12:01:19.34+00:00 Hello Nelson Nwajie,
Could you please provide an update on this post?
Kindly let us know if the below helps or you need further assistance on this issue.
Sign in to comment
Sign in to answer