Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,664 questions
unable to finish code exchange flow from native app
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 35%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELN%3C/text%3E%3C/svg%3E)
Liat Netach
1
Reputation point
Hi,
We're trying to use Azure AD as SSO / OIDC provider for both our web and native application.
The web flow works as should (they use HTTPS redirect URL)
We have an issue finishing the code exchange flow on the mobile side (costume scheme for the redirect URL f.e- myapp://oauth/...)
we registered the mobile redirect URL under Mobile and desktop applications (we are using react-native)
first I will say that both the website and the native apps use the same server-side.
(In mobile we are using the react-native-app-auth library for return to the app and getting the Code after the user authenticate)
We're getting an authorization code also in the mobile via the /authorize endpoint but then when we send the code to our server in order for him to call to the token endpoint and to do code exchange- an error occurs invalid_client.
There should be any differences between the POST to the token endpoint when we started the flow from the website to when we started the flow from mobile (with redirect URL that is in the mobile platform in the portal)? of course, the configuration remains the same except for the redirect URL.
BTW with another OpenID provider, we manage to authenticate so I really can't understand the difference :/
I will appreciate any comment!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee2022-01-20T12:59:51.04+00:00 @Liat Netach Invalid client mostly signifies that the app is not aware to Azure AD. Can you send the request which is being sent to Token endpoint and also the error message screenshot.
-
Liat Netach 1 Reputation point
2022-01-23T08:23:34.787+00:00 @VipulSparsh-MSFT Thanks for your comment,
The request made through the server so I can't reach out for the Code- I know they use , it is the same request that successfully made for the web client.
both the web and the mobile registered in the portal (with different redirectUrls)
Do you have a way to differ the mobile request from the web?
do we need to change the token request that is made from the server?
this is our portal structure-
-
Liat Netach 1 Reputation point
2022-01-23T10:22:12.98+00:00 The server compose the HTTP Request from this data:
tokenReq = new TokenRequest(
new URI(tokenUrl),
new ClientSecretBasic(new ClientID(clientId), new Secret(secret)),
new AuthorizationCodeGrant(authorizationCode, new URI(redirectUrl)),
new Scope(OPENID_SCOPE, EMAIL_SCOPE, PROFILE_SCOPE))And then use OIDCTokenResponseParser to send the request to the token endpoint.
-
VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee
2022-01-24T05:43:19.663+00:00 @Liat Netach Thanks for sharing those details. The last Reply URL seems to be for the mobile apps. Make sure that your application has exactly same replyURl configured, any typo or URL encoding while copying the text from portal to code might also cause this issue.
Double check where you application code talks about this mobile URL and verify if they matches exactly.
if that is correct, we would mostly take this discussion offline as we need to check few other things which might need you to share certain more screenshots. For that please drop me an email at azcommunity@microsoft.com with subject "Atten - Vipul"
Sign in to comment