OAuth2 Authorization code was already redeemed

Huang Chao 26 Reputation points
2021-03-12T08:52:14.977+00:00

AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: 46d60227-a196-4a10-96b1-dff84a843400 Correlation ID: 8d6ce73f-e8b1-4630-a75f-61d8f30eeb93 Timestamp: 2021-03-12 08:28:33Z

My web app has been working fine for 2 years. It's not working now. This is my code:

```python
url = "https://login.microsoftonline.com/{TID}/oauth2/token".format(TID=MYTID)
data = requests.post(url, data={
    'client_id': CLIENT_ID, 'client_secret': my_secrete, 'code': token,
    'grant_type': 'authorization_code', 'redirect_uri': REDIRECT_URI, 'resource': APPID_URI,
})
return data.json()
```

Does anyone have any idea about this?


Accepted answer
  1. Siva-kumar-selvaraj 15,561 Reputation points
    2021-03-16T14:08:33.047+00:00

    Hello @Huang Chao ,

    This behavior is to be expected when your application reuses authorization codes to get tokens. I would recommend that you revisit your code and see if your application reuses the code.

    If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code to get a refresh token, and then use that refresh token to acquire additional tokens for other resources. Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple resources. Any new app that attempts to reuse an authentication code during the OAuth code flow will get an invalid_grant error AADSTS54005: OAuth2 Authorization code was already redeemed.

    For more information, read this [article](https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#authorization-codes-can-no-longer-be-reused).

    Regards,
    Siva Kumar Selvaraj

    1 person found this answer helpful.
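
The pattern the accepted answer recommends, as an added example that is not part of the original thread: redeem the authorization code once, keep the refresh token, and use it for every further resource. `FakeTokenEndpoint`, `TokenClient`, the code value and the resource URLs are constructed for illustration; a real request would also carry `client_id`, `client_secret` and `redirect_uri`, as in the question.

```python
import itertools

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: each code is single-use."""
    def __init__(self):
        self.redeemed, self.refresh_tokens = set(), set()
        self._ids = itertools.count(1)

    def post(self, data):
        if data["grant_type"] == "authorization_code":
            if data["code"] in self.redeemed:
                return {"error": "invalid_grant", "error_description":
                        "AADSTS54005: OAuth2 Authorization code was already redeemed"}
            self.redeemed.add(data["code"])
        elif data.get("refresh_token") not in self.refresh_tokens:
            return {"error": "invalid_grant", "error_description": "unknown refresh token"}
        rt = "rt-%d" % next(self._ids)
        self.refresh_tokens.add(rt)
        return {"access_token": "at:" + data["resource"], "refresh_token": rt}

class TokenClient:
    """Redeems the code once, then uses the refresh token for every other resource."""
    def __init__(self, post):
        self.post = post            # callable(form_dict) -> response dict (assumed shape)
        self.refresh_token = None

    def redeem_code(self, code, resource):
        return self._store(self.post({"grant_type": "authorization_code",
                                      "code": code, "resource": resource}))

    def token_for(self, resource):
        return self._store(self.post({"grant_type": "refresh_token",
                                      "refresh_token": self.refresh_token,
                                      "resource": resource}))

    def _store(self, body):
        if "error" in body:
            raise RuntimeError(body["error_description"])
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return body["access_token"]

def demo():
    client = TokenClient(FakeTokenEndpoint().post)
    first = client.redeem_code("code-123", "https://api-a.example")
    second = client.token_for("https://api-b.example")   # no second redemption
    try:
        replay = client.redeem_code("code-123", "https://api-b.example")
    except RuntimeError as err:
        replay = str(err)
    return first, second, replay
```

In a web app the refresh token belongs in server-side session storage, so a reloaded or retried callback request does not post the same `code` again.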

6 additional answers

  1. Felix Iturbe 0 Reputation points
    2023-03-23T17:27:43.9833333+00:00

    Hi, same problem here. Same ASP.NET 6.0 web app running for months without any login problem, and for the last couple of months every time I update the app from Visual Studio, some users (not all, and not always) get this error. I can't find a solution to it, and normally it goes away after recycling the Web app in Azure.

    Any clues?


  2. Johannes Kingma 1 Reputation point
    2023-08-29T07:06:00.9+00:00

    So what we do we "refresh" access tokens?