Akshath-3348 asked

Office365: Refreshing access token results in "AADSTS9002313" invalid_grant exception

For the last couple of weeks we have had a few clients complaining that our app is auto-revoking Office365 OAuth every 1 hour. This is the typical behaviour, as access tokens have a validity of 1 hour, so our app is designed to auto-refresh the access token using the refresh token captured during OAuth.

This seems not to be working for at least a few customers for the last few weeks. The exception below is thrown back by the Office365 token API - https://login.windows.net/common/oauth2/token

 {"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}

Here, the error code '9002313' states that there is some issue related to the auth parameters, especially the 'client_id' of our Azure app. (reference)

The data below is sent to fetch a new access token:

  1. client_id (related to azure app)

  2. client_secret (related to azure app)

  3. grant_type = 'refresh_token'

  4. refresh_token

Edit 1: Update token endpoint to v2.0

Request URI

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

Request Body

client_id=<client-id>
&scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite
&refresh_token=<refresh_token>
&grant_type=refresh_token
&client_secret=<client-secret>

Response Body

 {"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
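As an added example (not the poster's code), the v2.0 refresh request from the post written in Python, with a parser for the token endpoint's JSON error reply that separates "the user must sign in again" from "retry later" and keeps the trace and correlation IDs for support. The sample reply and its IDs are constructed, not taken from the page.

```python
import json, urllib.error, urllib.parse, urllib.request

# v2.0 endpoint and scope list as in the question's request.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
SCOPES = ("https://outlook.office365.com/Calendars.ReadWrite "
          "https://outlook.office365.com/Contacts.ReadWrite "
          "https://outlook.office365.com/Mail.ReadWrite")

def build_refresh_body(client_id, client_secret, refresh_token, scope=SCOPES):
    # urlencode percent-encodes ':' and '/' in each scope URL and turns the
    # separating spaces into '+'; a body sent with raw spaces is malformed.
    return urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "client_secret": client_secret,
    }).encode()

def classify_token_error(body):
    # invalid_grant means the refresh token itself was rejected: retrying with
    # the same token is pointless and the user must sign in again. Keep the
    # trace/correlation IDs, since support correlates on them.
    data = json.loads(body)
    err = data.get("error")
    return {
        "error": err,
        "codes": data.get("error_codes", []),
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),
        "reauth_needed": err == "invalid_grant",
        "retryable": err in ("temporarily_unavailable", "server_error"),
    }

def refresh_access_token(client_id, client_secret, refresh_token):
    # Returns (token_json, None) on success or (None, classified_error).
    req = urllib.request.Request(
        TOKEN_URL, data=build_refresh_body(client_id, client_secret, refresh_token),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read()), None
    except urllib.error.HTTPError as exc:
        return None, classify_token_error(exc.read())

# Constructed sample of the reply quoted in the question (IDs are made up).
SAMPLE_ERROR = ('{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request.",'
                '"error_codes":[9002313],"trace_id":"0000-trace","correlation_id":"0000-corr"}')
```

Calling refresh_access_token needs network access and real credentials; classify_token_error and build_refresh_body can be exercised offline with SAMPLE_ERROR.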

Hello @Akshath-3348, thank you for reaching out. I did check the request that hit the AAD from the backend logs for your request and I don't see a reason why AAD threw an invalid_grant error as the request looks good and I tested the same with Postman it worked for me.

I am trying to dig a little deeper into the logs and would get back to you soon with some more updates.


Hello @soumi-MSFT, thank you for the response. I will wait for your reply. This is kind of happening once my client's account was migrated from Office 365 to Microsoft 365. I am not sure if there are any dependencies related to this.

I did give a try changing all references to v2.0 endpoint, but still no luck.


Hello @Akshath-3348, the easiest way to understand the point of failure would be to collect the Fiddler traces from a working and a non-working client and then compare the traces to understand why in the non-working scenario that error is coming up.

I would request you to drop me an email on azcommunity[at]microsoft[dot]com with the following details:

  • Subject: ATTN-soumi | URL of this post

  • Azure AD Tenant ID:

  • Azure Subscription ID:

Do mention a good time to connect with you so that we can help you collect the fiddler traces.


Hi there, I got the same problem using a professional account and Office 365. Any news from this feed?

I am following the documentation and the standard practice. Is there something specific to using Microsoft?

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/


Can you manually obtain the refresh token and try one more time?


@alfredo-revilla-msft I did try this using standalone scripts as well as in the Postman client. I am still getting the same error.


0 Answers