"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token" Azure API Management

Hernán Castellani 46 Reputation points
2022-01-19T15:24:10.443+00:00

I am trying to obtain an authorization token to consume a published API in Azure API Management, for which I am performing the following steps:

Call the authorization URL as follows:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=<CLIENT_ID>
&response_type=code
&response_mode=query
&redirect_uri=<REDIRECT_URI>
&scope=SCOPE

Immediately after, I call the following URL, sending the obtained authorization code and the other parameters in the body as form-data:
POST https://login.microsoftonline.com/common/oauth2/token

client_id=<CLIENT_ID>
scope=SCOPE
grant_type=authorization_code
client_secret=<CLIENT_SECRET>
code=<AUTHORIZATION_CODE_PREVIOUS_STEP>

As a result, I get the following error and cannot continue:

{ "error": "invalid_grant",
"error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: f0264d85-2f41-4009-9e8e-1a211209e100\r\nCorrelation ID: c6b15ffb-82e8-49aa-941f-6c85be4d9601\r\nTimestamp: 2022-01-18 15:06:55Z",
"error_codes": [
54005
],
"timestamp": "2022-01-18 15:06:55Z",
"trace_id": "f0264d85-2f41-4009-9e8e-1a211209e100",
"correlation_id": "c6b15ffb-82e8-49aa-941f-6c85be4d9601"
}

I understand that the authorization code is for one use only, but in my case I get this error on the first attempt.

Any help is appreciated

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,651 Reputation points
    2022-01-24T15:04:05.397+00:00

    @Hernán Castellani , Thanks for providing further details.

    I configured an "API Management service" in my subscription and enabled OAuth 2.0 support as detailed here, so I was able to reproduce the same behavior when I requested an "authorization_code" with my "API Management service Redirect URI", like https://testsiv****.developer.azure-api.net/signin-oauth/code/callback/oauthserver, as shown below:

    [screenshot: 167925-azureapi.png]

    Further investigation found that when we send the authorization_code to the API Management service endpoint /signin-oauth/code/callback/, that page by default uses the code itself to get an access token via JavaScript (you can verify this with "View page source" in the browser, as shown below). This explains why we get the error invalid_grant AADSTS54005: OAuth2 Authorization code was already redeemed.

    [screenshot: 167830-azureapi2.png]

    So, if you want to obtain an authorization token to consume a published API in Azure API Management, try using a different Redirect URI, one at which your own app consumes the code (for example http://localhost for testing purposes), when requesting the code; the same URL needs to be added to the Azure AD app registration as well. See also: Redirect URI (reply URL) restrictions and limitations.

    Example:
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={replace-with-client-id}&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=openid%20{replace-with-backend-API-scope}&state=12345

    [screenshot: 167870-image.png]

    [screenshot: 167937-image.png]

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Siva-kumar-selvaraj 15,651 Reputation points
    2022-01-21T19:40:45.633+00:00

    Hello @Hernán Castellani ,

    Thanks for reaching out.

    Could you please confirm whether you are using a script or your own app to retrieve the authorization_code and access_token, or attempting it manually? If you're running a script/app locally, can you capture HTTP traces using a tool like Fiddler, as described below? That would help you determine whether your application reuses the authorization_code by any chance.

    Steps to install fiddler:

    1. Download and install the latest version of Fiddler if you haven't already
    2. Start Fiddler and make the following setting updates under Tools -> Telerik Fiddler Options -> HTTPS tab
      * Check Capture HTTPS CONNECTs
      * Check Decrypt HTTPS Traffic -> from all processes
      * Click on the 'Certificates generated by' link and select MakeCert engine
      (Recommendation: Restart Fiddler for this change to take effect)
      * Next, export the FiddlerRoot.cer file via Actions -> Export Root Certificate To Desktop
    3. Make the following setting updates under Tools -> Telerik Fiddler Options -> Connections tab:
      * Setup Fiddler to act as a system proxy by checking Allow Remote Computers to Connect
      * "Fiddler listens on port" should be set to 8888

    Note: You should restart Fiddler after this and accept any UAC prompt.

    If possible, could you try using the Postman tool as detailed below, since I'm interested in whether the problem persists across different approaches?

    Obtain access_token by using Postman tool

    • Access the URL below from a browser; once authenticated you will see the "authorization_code"
      https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={replace-with-client-id}&response_type=code&redirect_uri={replace-with-redirect-url}&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&state=12345
    • Replace the code and the other key values in the Postman tool and try requesting the access_token.
      [screenshot: 167218-image.png]

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

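The flow the accepted answer and the Postman steps above describe, written out as an added example (this is not code from the thread, from API Management or from Microsoft): a client that owns its redirect URI (http://localhost:8400, which must be registered on the app), ties the callback to a random state value, and redeems the code exactly once against the v2.0 token endpoint. Because a real run needs a browser sign-in, the token POST is injectable and a constructed stub stands in for login.microsoftonline.com; the stub mimics the one-time-use rule, returning invalid_grant / AADSTS54005 on the second redemption, which is exactly what happens when the APIM callback page has already spent the code. The client_id, client_secret and scope values are placeholders.

```python
"""Added example: one-shot OAuth 2.0 authorization-code client for Microsoft Entra ID.
Placeholders (assumptions, not from the thread): CLIENT_ID, CLIENT_SECRET, SCOPE, port 8400."""
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
REDIRECT_URI = "http://localhost:8400"      # register exactly this on the app (assumed port)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: URL the user opens in the browser. `state` is a fresh random value the
    callback must echo back, so a code planted by someone else is never redeemed."""
    params = {"client_id": client_id, "response_type": "code", "response_mode": "query",
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def wait_for_callback(port=8400):
    """Step 2 (live runs): serve a single request on localhost and return the URL the
    browser was redirected to. Our app, not the APIM portal page, receives the code."""
    seen = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen["url"] = f"http://localhost:{port}{self.path}"
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Sign-in received, you can close this tab.")

        def log_message(self, *args):   # keep the code out of the console log
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as srv:
        srv.handle_request()
    return seen["url"]


def parse_callback(callback_url, expected_state):
    """Extract the code from the callback URL; refuse IdP errors and state mismatches."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorize failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: discarding authorization code")
    return q["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, scope, code):
    """Step 3: form body for the token endpoint; redirect_uri must equal the one from step 1."""
    return {"client_id": client_id, "client_secret": client_secret, "grant_type": "authorization_code",
            "redirect_uri": redirect_uri, "scope": scope, "code": code}


def _post_form(url, form):
    req = Request(url, data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:                  # Entra ID returns its JSON error body with HTTP 400
        return e.code, e.read().decode()


def redeem_code(form, post=_post_form):
    """POST the form once. `post` is injectable so the offline stub can replace the IdP."""
    status, body = post(f"{AUTHORITY}/token", form)
    payload = json.loads(body)
    if status != 200:
        raise RuntimeError(f"{payload.get('error')}: {payload.get('error_description')}")
    return payload


class StubTokenEndpoint:
    """Constructed offline stand-in for the token endpoint (not Microsoft's code). Each issued
    code is redeemable once; a second redemption answers the way the question's error shows."""

    def __init__(self):
        self.issued, self.redeemed = set(), set()

    def issue_code(self):
        code = secrets.token_urlsafe(16)
        self.issued.add(code)
        return code

    def post(self, url, form):
        code = form.get("code")
        if form.get("grant_type") != "authorization_code" or code not in self.issued:
            return 400, json.dumps({"error": "invalid_grant", "error_description": "stub: unknown code"})
        if code in self.redeemed:
            return 400, json.dumps({"error": "invalid_grant", "error_codes": [54005], "error_description":
                                    "AADSTS54005: OAuth2 Authorization code was already redeemed"})
        self.redeemed.add(code)
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599, "access_token": "stub-" + code[:8]})


def demo_double_redemption(stub, form):
    """Redeem the same code twice against the stub: (first payload, second error text)."""
    first = redeem_code(form, post=stub.post)
    try:
        redeem_code(form, post=stub.post)
        return first, None
    except RuntimeError as e:
        return first, str(e)


if __name__ == "__main__":   # live run: fill in the placeholders and sign in when the browser opens
    CLIENT_ID, CLIENT_SECRET, SCOPE = "<CLIENT_ID>", "<CLIENT_SECRET>", "openid api://<backend-api>/.default"
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", build_authorize_url(CLIENT_ID, REDIRECT_URI, SCOPE, state))
    code = parse_callback(wait_for_callback(), state)
    print(redeem_code(build_token_request(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, SCOPE, code)))
```

The stub is there to make the failure mode visible offline: with the APIM /signin-oauth/code/callback/ page as redirect URI, the portal's JavaScript plays the role of the first `redeem_code` call and the Postman request becomes the second one, so the first request you send by hand is already the duplicate. The state check is not optional in a real client; without it any code delivered to your redirect URI would be redeemed.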

  2. Hernán Castellani 46 Reputation points
    2022-01-21T20:42:46.357+00:00

    Hi @sikumars-msft

    First of all, thank you very much for the answer. I confirm that the test I am doing is manual: from the browser to obtain the code to redeem, and from Postman to obtain the token.

    • Authorization code
      [screenshot: 167319-authorization.png]
    • Get token
      [screenshot: 167309-token.png]

    I will add to my original question that getting the authorization code from the APIM Developer Portal works fine. The test I am trying to do is to confirm that I can obtain the OAuth2 token from my own application without problems.
