question

JeffreyHaskovec-7123 asked:

Problem getting access token in AD: AADSTS70000: The provided value for the 'redirect_uri' is not valid. The value must exactly match the redirect URI used to obtain the authorization code

I am attempting to do the OAuth flow to get an access token and refresh token for my webapp. This app will read from all the users in an organization's calendars and do some syncing with our app.

I have configured a redirect URI on the Azure AD side, for example (details obscured):

https://dev.myapp.com/user/hub/finish

Then in Azure AD I set all the required permission scopes:

  • Calendars.Read

  • Organization.Read.All

  • User.Read.All

I have also created a client secret. To get the initial code I send a request to the following url:

 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&redirect_url=https%3A%2F%2Fdev.myapp.com%2Fuser%2Fhub%2Ffinish&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all%20https%3A%2F%2Fgraph.microsoft.com%2Forganization.read.all&client_id=my-client-id


This redirects to my site with a code in the url (after the auth). Then I attempt to exchange that code for an access token with a url-encoded form post to the endpoint below:

 POST https://login.microsoftonline.com/common/oauth2/v2.0/token
    
 client_id=my-client-id&client_secret=my-client-secret&code=Mca534c99-fe82-1693-93f9-28b942e79e8b&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fdev.myapp.com%2Fuser%2Fhub%2Ffinish&scope=offline_access+https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read+https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all+https%3A%2F%2Fgraph.microsoft.com%2Forganization.read.all

As a response I get the following back:

 Error:"invalid_grant", ErrorDescription:"AADSTS70000: The provided value for the 'redirect_uri' is not valid. The value must exactly match the redirect URI used to obtain the authorization code.\r\nTrace ID: 81a3cbc6-f642-4b17-bc42-1a5b558c0b01\r\nCorrelation ID: 7eabdc07-e23b-4fe7-840d-26f9a0d4e9f8\r\nTimestamp: 2020-01-28 17:32:30Z", ErrorCodes:[]int{70000}, Timestamp:model.Date{Time:time.Time{wall:0x0, ext:63715829550, loc:(*time.Location)(nil)}}, TraceId:"81a3cbc6-f642-4b17-bc42-1a5b558c0b01", CorrelationId:"7eabdc07-e23b-4fe7-840d-26f9a0d4e9f8


It isn't quite making sense to me why it is telling me the redirect_uri doesn't match when it is the same in both flows.


Tags: azure-ad-authentication, azure-ad-tenant

1 Answer

MarileeTurscak answered:

The redirect_uri in your code and in your app registration need to match. Have you checked that the registration for the app has the correct redirect URI and that it's aligned with the right Client ID/App ID and tenant?

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

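To make "exactly match" concrete, here is an added example (my own code, not from the thread or from Microsoft's libraries) that builds the v2.0 authorize URL and the token-request body from one shared redirect URI, binds the callback to the session with a `state` value, and runs a consistency check over an authorize URL: it reports when the request carries no parameter named `redirect_uri` (for instance because the name was spelled differently, in which case it lists the look-alike names it did find) or when the value differs byte-for-byte from the one the token request sends. The endpoint, scopes and the authorize URL from the question are reused as test input; the client ID, secret, callback URL and authorization code are placeholders.

```python
# Added example (not from the thread): build the v2.0 authorize URL and the
# token-request body from one shared redirect URI, then check that the
# authorize request really carries a parameter named "redirect_uri" whose
# value is byte-for-byte identical to the one sent to the token endpoint.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint and scopes as used in the question ("common" = multi-tenant).
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
SCOPES = [
    "offline_access",  # needed to receive a refresh token
    "https://graph.microsoft.com/Calendars.Read",
    "https://graph.microsoft.com/User.Read.All",
    "https://graph.microsoft.com/Organization.Read.All",
]

# The authorize URL posted in the question, kept verbatim as test input.
THREAD_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
    "response_type=code&redirect_url=https%3A%2F%2Fdev.myapp.com%2Fuser%2Fhub%2Ffinish"
    "&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read"
    "%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all"
    "%20https%3A%2F%2Fgraph.microsoft.com%2Forganization.read.all&client_id=my-client-id"
)


def new_state() -> str:
    """Unguessable per-request value; store it in the user's session so the
    callback can be tied to the request that started it (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes, state: str) -> str:
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # the parameter name the v2.0 endpoint reads
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code; refuse callbacks with the wrong state."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, scopes) -> dict:
    """Form fields for POST {AUTHORITY}/token (application/x-www-form-urlencoded).
    redirect_uri must be the same string the authorize request carried."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def check_redirect_uri_consistency(authorize_url: str, token_request: dict) -> list:
    """Return a list of problems that would lead to AADSTS70000; [] if consistent.
    The comparison is deliberately exact (no trailing-slash or case folding),
    because the token endpoint requires an exact match."""
    q = parse_qs(urlsplit(authorize_url).query)
    sent = q.get("redirect_uri")
    if sent is None:
        lookalikes = [k for k in q if k != "redirect_uri" and k.lower().startswith("redirect")]
        hint = f" (found {lookalikes} instead)" if lookalikes else ""
        return [f"authorize request has no 'redirect_uri' parameter{hint}"]
    if sent[0] != token_request["redirect_uri"]:
        return [f"authorize sent {sent[0]!r} but token request sends {token_request['redirect_uri']!r}"]
    return []


if __name__ == "__main__":
    redirect_uri = "https://dev.myapp.com/user/hub/finish"  # value from the question
    state = new_state()
    url = build_authorize_url("my-client-id", redirect_uri, SCOPES, state)
    # Constructed callback URL, standing in for what the browser brings back.
    code = parse_callback(f"{redirect_uri}?code=Mexamplecode&state={state}", state)
    body = build_token_request("my-client-id", "my-client-secret", code, redirect_uri, SCOPES)
    print("consistent:", check_redirect_uri_consistency(url, body))
    print("thread URL:", check_redirect_uri_consistency(THREAD_AUTHORIZE_URL, body))
```

The token-request dict is what you would hand to an HTTP client as form data (for example `requests.post(f"{AUTHORITY}/token", data=body)`); the check is meant to run in a test or at startup against the exact URL your app emits, since the server compares the strings literally and a trailing slash, a different host (localhost versus the deployed hostname) or a misnamed parameter all fail the same way.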

Yes I have checked and they do match which is why this error doesn't make sense to me. I was able to make the flow work when I used localhost, but when I actually try to use the real https url in both places it always gives that error.

[attachment: 2591-img-20171023-072328.jpg]

I can't see what you shared here, Hoop.
