
invalid_grant :: AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token on authorize request #188

Open
ajmartinsanchez opened this issue Aug 29, 2024 · 5 comments

Comments

@ajmartinsanchez

Hi Everybody,

I am experiencing the title issue. I configured everything correctly, and this error occurs just before executing authorization. In Microsoft documentation, I found a similar error. They recommend changing the redirect URI, but I can't apply this solution because the entire process is automated by the library.

Does anyone know how to fix this?

@bufferoverflow
Member

the redirect_uri is a configuration parameter, see https://github.com/omniauth/omniauth_openid_connect?tab=readme-ov-file#usage , maybe share your config and some more details about the software you are using along with omniauth_openid_connect

@ajmartinsanchez
Author

ajmartinsanchez commented Aug 30, 2024

Hello @bufferoverflow, thanks for your answer.

Here is my configuration:

```yaml
issuer: 'https://login.microsoftonline.com/{tenant}/v2.0'
scope:
    - openid
    - email
response_type: code
discovery: true
required_state: false
client_options:
    scheme: https
    port: 443
    host: 'login.microsoftonline.com'
    identifier: {identifier}
    secret: {secret}
    redirect_uri: {uri_to_redirect}
```

When the process starts, our platform calls /authorize, and it seems to work fine. However, I believe the problem occurs during the second call when the library calls /token, as referenced in this line.

I am receiving the following error:

invalid_grant: Rack::OAuth2::Client::Error, invalid_grant :: AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: 8e8ddd8d-e70e-4b9e-8d3

*Edit*

Looking at internal logs, I can see the process followed:

1. We call /v2.0/authorize
2. We call /v2.0/token
3. We call https://graph.microsoft.com/oidc/userinfo
4. We call /v2.0/token

And the last request fails.

Please let me know if you need more information.
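The four-step sequence above ends with the same authorization code being presented to /v2.0/token a second time, which is exactly what an authorization server must refuse. The following is an added example written for this thread, not code from omniauth_openid_connect or Rack::OAuth2: a minimal token endpoint that enforces single-use codes, checks the client and redirect_uri binding, and revokes the first redemption's tokens when a code is replayed. The class name, the client_id 'app' and the redirect URI are assumed values.

```ruby
require 'securerandom'
# Minimal model of an OAuth2 token endpoint that enforces single-use
# authorization codes (RFC 6749 section 4.1.2). Constructed for illustration;
# the error text mirrors the AADSTS54005 message quoted in this thread.
class TokenEndpoint
  Grant = Struct.new(:client_id, :redirect_uri, :redeemed, :tokens)
  def initialize
    @codes = {}
  end

  # The /authorize step: issue a fresh code bound to client and redirect_uri.
  def issue_code(client_id:, redirect_uri:)
    code = SecureRandom.hex(16)
    @codes[code] = Grant.new(client_id, redirect_uri, false, [])
    code
  end

  # The /token step. A second redemption of the same code fails with
  # invalid_grant and revokes the tokens from the first redemption.
  def exchange(code:, client_id:, redirect_uri:)
    grant = @codes[code]
    return error('unknown code') unless grant
    unless grant.client_id == client_id && grant.redirect_uri == redirect_uri
      return error('client or redirect_uri mismatch')
    end
    if grant.redeemed
      grant.tokens.clear # revoke everything issued for this code
      return error('authorization code was already redeemed')
    end
    grant.redeemed = true
    grant.tokens << SecureRandom.hex(16)
    { 'access_token' => grant.tokens.last, 'token_type' => 'Bearer' }
  end

  # Tokens still valid for a code (empty once the code has been replayed).
  def live_tokens(code)
    @codes.fetch(code).tokens.dup
  end

  private

  def error(description)
    { 'error' => 'invalid_grant', 'error_description' => description }
  end
end

# Replays the sequence from the thread: one /authorize, then /token twice.
def replay_sequence(srv = TokenEndpoint.new)
  args = { client_id: 'app', redirect_uri: 'https://app.example/callback' }
  code = srv.issue_code(**args)
  [srv.exchange(code: code, **args), srv.exchange(code: code, **args), srv.live_tokens(code)]
end
```

Running replay_sequence returns a Bearer token for the first call, an invalid_grant error for the second, and an empty list of live tokens, matching the outcome of step 4 in the log.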

@bufferoverflow
Member

@ajmartinsanchez
Author

Hello @bufferoverflow,

Rack OAuth2 is a requirement for omniauth_openid_connect. You can find more information in the openid_connect.gemspec.

Regarding setting all endpoints explicitly, I am still receiving the same error response.

@bufferoverflow
Member

not sure why you need required_state, I suggest removing that. A config that works: https://docs.gitlab.com/ee/administration/auth/oidc.html?tab=Azure+OAuth+2.0#configure-microsoft-azure
