HernanCastellani asked HEDHYCEO-3846 commented

"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token" Azure API Management

I am trying to obtain an authorization token to consume a published API in Azure API Management, for which I am performing the following steps:

Call the authorization URL as follows:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=<CLIENT_ID>
&response_type=code
&response_mode=query
&redirect_uri=<REDIRECT_URI>
&scope=SCOPE

Immediately after, I call the following URL with the obtained authorization code and the other parameters in the body, sent as form-data:
POST https://login.microsoftonline.com/common/oauth2/token

client_id=<CLIENT_ID>
scope=SCOPE
grant_type=authorization_code
client_secret=<CLIENT_SECRET>
code=<AUTHORIZATION_CODE_PREVIOUS_STEP>

As a result, I get the following error and cannot continue:

{
  "error": "invalid_grant",
  "error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: f0264d85-2f41-4009-9e8e-1a211209e100\r\nCorrelation ID: c6b15ffb-82e8-49aa-941f-6c85be4d9601\r\nTimestamp: 2022-01-18 15:06:55Z",
  "error_codes": [
    54005
  ],
  "timestamp": "2022-01-18 15:06:55Z",
  "trace_id": "f0264d85-2f41-4009-9e8e-1a211209e100",
  "correlation_id": "c6b15ffb-82e8-49aa-941f-6c85be4d9601"
}

I understand that the authorization code is for one use only but, in my case, on the first attempt I get this error.

Any help is appreciated.

Tags: azure-ad-authentication, azure-ad-openid-connect

sikumars answered HEDHYCEO-3846 commented

@HernanCastellani , Thanks for providing further details.

I had configured an "API Management service" in my subscription and enabled OAuth2 service support as detailed here, so I was able to reproduce the same behavior when I requested an "authorization_code" with my "API Management service Redirect URI", like https://testsiv****.developer.azure-api.net/signin-oauth/code/callback/oauthserver, as shown below:

167925-azureapi.png

Further investigation found that when the authorization_code is sent to the API Management service endpoint /signin-oauth/code/callback/, that page by default uses the code to get an access token via JavaScript (you can verify this with "View page source" in the browser, as shown below). This explains why we get the error: invalid_grant AADSTS54005 OAuth2 Authorization code was already redeemed.

167830-azureapi2.png

So, if you want to obtain an authorization token to consume a published API in Azure API Management, try using a different Redirect URI where your own app consumes the code (for example http://localhost for testing purposes) when requesting the code; the same URL needs to be added to the Azure AD app registration as well. See also: Redirect URI (reply URL) restrictions and limitations.

Example:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={replace-with-client-id}&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=openid{replace-with-backend-API-scope}&state=12345

167870-image.png

167937-image.png

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Yes, @sikumars-msft! That is the solution to the problem. Thank you very much for your help and support.
Regards and have a great day!
Hernán

1 Vote
sikumars replied to HernanCastellani:

Glad that answer was helpful :)

0 Votes

Dude, thank you so much!

0 Votes
sikumars answered

Hello @HernanCastellani ,

Thanks for reaching out.

Could you please confirm whether you are using a script or your own app to retrieve the authorization_code and access_token, or attempting it manually? If you're running a script/app locally, can you capture HTTP traces using a tool like Fiddler as described below? This would help determine whether your application reuses the authorization_code by any chance.

Steps to install Fiddler:
1. Download and install the latest version of Fiddler if you haven't already.
2. Start Fiddler and make the following setting updates under Tools -> Telerik Fiddler Options -> HTTPS tab:
  • Check "Capture HTTPS CONNECTs"
  • Check "Decrypt HTTPS Traffic" -> "from all processes"
  • Click on the "Certificates generated by" link and select the MakeCert engine (recommendation: restart Fiddler for this change to take effect)
  • Next, export the FiddlerRoot.cer file via Actions -> Export Root Certificate To Desktop
3. Make the following setting updates under Tools -> Telerik Fiddler Options -> Connections tab:
  • Set up Fiddler to act as a system proxy by checking "Allow Remote Computers to Connect"
  • "Fiddler listens on port" should be set to 8888

Note: You should restart Fiddler after this and accept any UAC prompt.


If possible, could you try using the Postman tool as detailed below? I'm interested in whether the problem persists across different approaches.

Obtain access_token by using Postman tool

  • Access below URL from browser, once authenticated then you would see "authorization_code"
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={replace-with-client-id}&response_type=code&redirect_uri={replace-with-redirect-url}&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&state=12345

  • Replace the code and other key values in the Postman tool and try requesting the access_token.
    167218-image.png

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



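As an added example (not code from this thread, from Microsoft, or from Azure API Management), the flow the accepted answer recommends and the manual Postman procedure above, written as one small Python script: the browser is sent to /authorize with a redirect URI the app itself controls (http://localhost), the one-time code is pulled out of the redirect after the state is checked, and it is redeemed exactly once at /token. The FakeSts class is a constructed, offline stand-in for login.microsoftonline.com that enforces single-use codes, so the script can also reproduce the thread's failure: when the redirect URI is the APIM sign-in callback, whose page script redeems the code first, the app's own redemption gets AADSTS54005. The client_id, secret, scope, the v2.0 endpoint and the token value are placeholders/assumptions.

```python
import json
import secrets
import urllib.parse
from dataclasses import dataclass, field

# Assumption: the v2.0 endpoints, as in the answer's example URL.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the browser is sent to. state is a per-request nonce."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": scope, "state": state}
    return f"{AUTHORITY}/authorize?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: pull the one-time code out of the redirect the browser lands on.
    A state mismatch means the code was not minted for this session: discard it."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: discarding authorization code")
    return q["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, code, scope):
    """Step 3: form body for POST /token. redirect_uri repeats the value used
    at /authorize, so the STS can check the code was issued for this app."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": scope}


def classify_token_response(status, body):
    """Turn the STS reply into the client's next action."""
    doc = json.loads(body)
    if status == 200 and "access_token" in doc:
        return "ok"
    if doc.get("error") == "invalid_grant" and 54005 in doc.get("error_codes", []):
        return "code_already_redeemed"  # restart at /authorize; never retry the same code
    return doc.get("error", "unknown")


@dataclass
class FakeSts:
    """Constructed offline stand-in for login.microsoftonline.com: each code is
    bound to the redirect_uri it was issued for and can be redeemed exactly once."""
    issued: dict = field(default_factory=dict)
    redeemed: set = field(default_factory=set)

    def issue_code(self, redirect_uri):
        code = secrets.token_urlsafe(16)
        self.issued[code] = redirect_uri
        return code

    def token(self, form):
        code = form.get("code")
        if self.issued.get(code) != form.get("redirect_uri"):
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "unknown code or redirect_uri (simulated)"})
        if code in self.redeemed:
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed",
                                    "error_codes": [54005]})
        self.redeemed.add(code)
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                "access_token": "simulated.jwt.value"})


def run_flow(sts, redirect_uri, apim_callback_redeems_first=False):
    """The whole flow against sts. With apim_callback_redeems_first=True the redirect
    URI is the APIM sign-in callback, whose page script redeems the code before our
    app does, which is the situation the thread diagnoses."""
    client_id, secret = "00000000-0000-0000-0000-000000000000", "placeholder-secret"
    scope = "openid api://example-backend/.default"   # placeholder backend API scope
    state = secrets.token_urlsafe(8)
    authorize_url = build_authorize_url(client_id, redirect_uri, scope, state)  # user signs in here
    code = sts.issue_code(redirect_uri)                                        # STS mints the code
    landed = f"{redirect_uri}?{urllib.parse.urlencode({'code': code, 'state': state})}"
    if apim_callback_redeems_first:
        sts.token(build_token_request(client_id, secret, redirect_uri, code, scope))
    # Our app redeems what it received from the redirect, exactly once.
    code = parse_redirect(landed, state)
    status, body = sts.token(build_token_request(client_id, secret, redirect_uri, code, scope))
    return classify_token_response(status, body)
```

Two points the script makes concrete: the token request carries the same redirect_uri as the authorize request (the question's POST body left it out), and on AADSTS54005 the only correct recovery is to start again at /authorize, since the code is spent whoever spent it.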

HernanCastellani answered

Hi @sikumars-msft

First of all, thank you very much for the answer. I confirm that the test I am doing is manual: from the browser to obtain the code to redeem, and from Postman to obtain the token.

  • Authorization code
    167319-authorization.png


  • Get token
    167309-token.png



I would add to my original question that getting the authorization code from the APIM Developer Portal works fine. The test I am trying to do is to confirm that I can obtain the OAuth2 token from my own application without problems.

