
For the last couple of weeks we have had a few clients complaining that our app is auto-revoking Office365 OAuth every hour. This is the typical behaviour, as the access token has a validity of 1 hour, so our app is designed to auto-refresh the access token using the refresh token captured during OAuth.

This seems not to be working for at least a few customers for the last few weeks. The exception below is thrown back by the Office365 token API - https://login.windows.net/common/oauth2/token

{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}

Here, the error code '9002313' states there is some issue related to the auth parameters, especially the 'client_id' of our Azure app. (reference)

The data below is sent to fetch a new access token:

  1. client_id (related to azure app)
  2. client_secret (related to azure app)
  3. grant_type = 'refresh_token'
  4. refresh_token

Edit 1: Update token endpoint to v2.0

Request URI

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

Request Body

client_id=<client-id>
&scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>

Response Body

{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
akshath

1 Answer


Your authority is old and you missed the scope in the request body (if using the v2.0 endpoint). If you want to get a new access token for O365 with the refresh token, use the sample request below.

Request url:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

Request body:

client_id=<client-id>
&scope=https://outlook.office365.com/.default
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>

For more details, refer to the doc - Refresh the access token.

Update:

I tested it for you; it works on my side. Make sure you also get the refresh token with the v2.0 endpoint, see here.

The permissions for my app:


Test to get a new access token in Postman after getting the refresh token.


Joy Wang
  • Thanks @JoyWang for your suggestion. Yes, we are using the old endpoints. This issue is happening only for a few customers for the last couple of weeks. The majority of our customers use the old endpoint without any problem (including our internal team). I did try using the v2.0 endpoint and updated the details in my question. Please review and suggest if I am missing anything. – akshath Oct 13 '20 at 03:43
  • Here is the response from [Postman](https://sc.vtiger.in/screenshots/aks-sc-at-13-10-2020-12-06-01.png). I still see the same error. The only difference I see w.r.t. your answer is in the [app permissions](https://sc.vtiger.in/screenshots/aks-sc-at-13-10-2020-12-09-54.png). Does this have any impact? – akshath Oct 13 '20 at 06:41
  • @akshath When we need to get the refresh token, the `offline_access` is needed, you could try to add the `User.Read` and `offline_access` of `Microsoft Graph` like my screenshot, and in the postman, make sure you choose the `x-www-form-urlencoded` of the request body. – Joy Wang Oct 13 '20 at 06:48
  • Let me try; it looks like the 'offline_access' permission is mandatory for the v2.0 OAuth endpoints. Failing to request this permission results in no refresh_token being returned. But this permission is not mandatory for the v1 OAuth endpoints. – akshath Oct 13 '20 at 07:59
  • @akshatha Also make sure you are using the v2.0 endpoint to get the access token and refresh token first https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token – Joy Wang Oct 13 '20 at 08:02
  • Still no luck, I am getting the same error. I posted the same question in MS Q&A and they confirmed that this is not usual ([ref](https://learn.microsoft.com/en-us/answers/questions/125834/office365-refreshing-access-token-results-with-aad.html)) and that the request data looks good for the v1 endpoint as well. I will keep this thread updated once I hear back from them. – akshath Oct 15 '20 at 05:10
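Added example, not code from the question or the answer: a Python helper that builds the v2.0 refresh_token body the way the answer shows, using urlencode so the scope URL and the client secret are form-encoded correctly (the x-www-form-urlencoded point raised in the comments), and that classifies the endpoint's JSON reply so an invalid_grant/AADSTS failure stops the refresh loop and is recorded by trace and correlation id only. The endpoint and scope are the answer's; the client id, secret and refresh token are constructed placeholders, and the sample error body is the one quoted in the question.

```python
import json
import re
from urllib.parse import urlencode

# Endpoint and scope exactly as given in the answer; the body below is POSTed there.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"

# Error body from the question, reused here as the sample input.
SAMPLE_ERROR = r'{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}'

def build_refresh_body(client_id, client_secret, refresh_token, scope=SCOPE):
    """x-www-form-urlencoded body for a refresh_token grant.

    urlencode handles the reserved characters in the scope URL and any
    '%', '&' or '+' in the client secret, which a hand-concatenated body
    (like the one pasted in the question) can silently corrupt.
    """
    return urlencode({
        "client_id": client_id,          # placeholder values in the test
        "scope": scope,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "client_secret": client_secret,
    })

AADSTS_RE = re.compile(r"AADSTS(\d+)")

def classify_token_response(body_text):
    """Map the endpoint's JSON reply to ('ok' | 'reauth' | 'error', detail).

    'reauth' means the refresh token itself was rejected (invalid_grant):
    stop retrying and send the user through consent again. detail carries
    only the ids needed for a support ticket, never the request body that
    held the secret or the refresh token.
    """
    body = json.loads(body_text)
    if "access_token" in body:
        return ("ok", None)
    match = AADSTS_RE.search(body.get("error_description", ""))
    detail = {
        "error": body.get("error"),
        "aadsts": int(match.group(1)) if match else None,
        "trace_id": body.get("trace_id"),
        "correlation_id": body.get("correlation_id"),
    }
    status = "reauth" if body.get("error") == "invalid_grant" else "error"
    return (status, detail)
```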