1

I have been testing the Microsoft Graph API user access token by following the Java example URL. Yesterday it worked fine, but today it always gives me `com.microsoft.aad.msal4j.MsalClientException: Expired Device code`. I don't give any device code, and I tried it with a newly created registered app in the Azure Active Directory admin center.

    Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
        System.out.println(deviceCode.message());
    };

    // Request a token, passing the requested permission scopes
    IAuthenticationResult result = app.acquireToken(
            DeviceCodeFlowParameters
                    .builder(scopeSet, deviceCodeConsumer)
                    .build()
    ).exceptionally(ex -> {
        System.out.println("Unable to authenticate - " + ex.getMessage());
        return null;
    }).join();
Yusufu
  • Why do you say "I don't give any device code"? When you run this sample code project, the application displays a URL and device code like this "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code F7CG945YZ to authenticate." Looks like the code you provided is expired. – Allen Wu Oct 15 '20 at 02:42
  • Try to use an inprivate window to open the page. – Allen Wu Oct 15 '20 at 05:57
  • That command line sentence used to come before this error. I don't see that hereafter. – Yusufu Oct 15 '20 at 07:41
  • By the way, I was not giving a device code, but it was giving me a device code, right? – Yusufu Oct 15 '20 at 07:45
  • Here is my code : https://github.com/yusufunlu/MicrosoftApiTrying – Yusufu Oct 15 '20 at 07:45
  • Yes. The device code is generated by the project and provided to you. Then you use it to authenticate. I can hardly tell what is wrong with your code. But you could download the completed project [here](https://github.com/microsoftgraph/msgraph-training-java) and follow the [README](https://github.com/microsoftgraph/msgraph-training-java/tree/master/demo) to run it. – Allen Wu Oct 15 '20 at 08:02
  • I have tried the GitHub URL you gave, and it gave me the below error: "GET https://graph.microsoft.com/v1.0/me SdkVersion : graph-java/v1.6.0 Authorization : Bearer null". I have tried different apps and a new account with a different Azure account too. – Yusufu Oct 15 '20 at 12:42
  • The access token is null. Please debug it to see what happened in the "./graphtutorial/src/main/java/graphtutorial/Authentication.java" file: `Authentication.initialize(appId); final String accessToken = Authentication.getUserAccessToken(appScopes);` – Allen Wu Oct 16 '20 at 07:10
  • Thank you, I found the problem. The access token problem was because of using the object ID instead of app.id. For some reason I had created a new app and forgot to enable "Default client type" in Azure Active Directory. – Yusufu Oct 16 '20 at 16:23
  • Glad to know this issue is resolved. To make this post treated as answered, I have moved the comment to the answer. You can mark it as accepted. Thank you. – Allen Wu Oct 19 '20 at 02:08

3 Answers

2

This was caused by an invalid device code request...which had expiresIn=0.

I found my error by debugging into DeviceFlowRequest::acquireDeviceCode. The response stated that "The provided client is not supported for this feature. The client application must be marked as 'mobile.'". (But this was masked by the try/catch which returned "Expired Device" error.)

This gave me the hint I needed to update the application on https://aad.portal.azure.com/ - In Authentication, at the bottom (under advanced settings), I had neglected to check "Allow public client flows" - "Enable the following mobile and desktop flows", and click the save button (at the top).

twak
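
The rejection that twak's answer found by stepping into MSAL4J can also be read directly from the device authorization endpoint's response, before any code is ever shown to the user. This is an added example, not code from the original posts or from MSAL4J; the class name `DeviceCodeProbe`, the `User.Read` scope, and the embedded sample responses (including the `invalid_client` error value) are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DeviceCodeProbe {
    // Extract one top-level string or integer field from a flat JSON object.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\"((?:[^\"\\\\]|\\\\.)*)\"|-?\\d+)").matcher(json);
        if (!m.find()) return null;
        return m.group(2) != null ? m.group(2) : m.group(1);
    }

    // Classify a device-authorization response instead of letting it surface as "Expired Device code".
    static String diagnose(String json) {
        String error = field(json, "error");
        if (error != null) return "REJECTED: " + error + " - " + field(json, "error_description");
        String expires = field(json, "expires_in");
        if (field(json, "device_code") == null || expires == null || Integer.parseInt(expires) <= 0)
            return "UNUSABLE: no device_code or non-positive expires_in";
        return "OK: user code " + field(json, "user_code") + " valid for " + expires + "s";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) { // no tenant/appId given: run on constructed sample responses
            System.out.println(diagnose("{\"error\":\"invalid_client\",\"error_description\":"
                    + "\"The provided client is not supported for this feature. "
                    + "The client application must be marked as 'mobile.'\"}"));
            System.out.println(diagnose("{\"user_code\":\"SAMPLE123\",\"device_code\":\"sample\","
                    + "\"verification_uri\":\"https://microsoft.com/devicelogin\",\"expires_in\":900}"));
            return;
        }
        // args[0] = tenant (e.g. "common"), args[1] = Application (client) ID, not the Object ID
        String form = "client_id=" + URLEncoder.encode(args[1], StandardCharsets.UTF_8)
                + "&scope=" + URLEncoder.encode("User.Read", StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(
                        URI.create("https://login.microsoftonline.com/" + args[0] + "/oauth2/v2.0/devicecode"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode() + " -> " + diagnose(response.body()));
    }
}
```

Run `java DeviceCodeProbe.java` with no arguments to see the two constructed samples classified, or pass a tenant and Application (client) ID to query a real registration; a REJECTED result for a public client points at the "Allow public client flows" setting described in the answer.
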
1

Looks like the browser uses an expired device code in a cookie.

The device code is generated by the project and provided to you. Then you use it to authenticate.

I didn't find if there is something wrong with your code.

A workaround is to download the completed project here and follow the README to run it.

Allen Wu
0

I had the same problem. The only thing I changed from the tutorial steps is selecting the 1st option in support account types. I was able to solve this problem by selecting the 2nd option (the 3rd option will also work, I guess). But it is not currently supported by Microsoft identity platforms. Refer here for more details.

Therefore I had only 2 options (1st and 2nd in below picture).

enter image description here

Nilucshan Siva