Menu
Community Note
- Please vote on this issue by adding a
ðŸ‘x8D reaction to the original issue to help the community and maintainers prioritize this request - Please do not leave '+1' or 'me too' comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Hello,
I am skipping the community resources to ask this question, because it already is a running ticket with Azure AD support from Microsoft. Where the engineer is now asking me to confirm the following, which I do not read about in the documentation:
On this page: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
It shows for a client_secret that it needs to be URL-encoded. My question is, does terraform azurerm provider URL-encode the client_secret by default?
It shows for a client_secret that it needs to be URL-encoded. My question is, does terraform azurerm provider URL-encode the client_secret by default?
I am asking this because our org is currently in the process of changing non-expiring secrets, that terraform pipelines use, to short lived secrets. (secrets created JIT, and removed once pipeline completes/fails)
The non-expiring secrets are not popping out errors at all, but the short lived secrets are popping out errors maybe 10%, 20% or 30% of the time. There is no base line to be found as for when it would pop out the error.
The non-expiring secrets are not popping out errors at all, but the short lived secrets are popping out errors maybe 10%, 20% or 30% of the time. There is no base line to be found as for when it would pop out the error.
The Azure AD engineer is telling me that the logs show it is giving the error because the format of the client_secret is not being accepted because it is not URL-encoded whenever the error occurs.
Just in case, here is the the error:
Getting this error during terraform plan, as well as terraform apply steps.
Current azurerm provider: 1.23.0 & 1.3.1 both tested
Current azurerm provider: 1.23.0 & 1.3.1 both tested
The short lived secret generated is used for the Azure RM provider. I have succesfully completed the terraform apply using this flow. It's just a very unreliable flow with the secret 3 or 4/10 not working because it isn't URL-encoded.
PS: We are not using the Azure AD provider to create anything Azure AD related. In case you're wondering: Azure AD is I&AM (not infrastructure), and we have many other I&AM related challenges that the Azure AD provided cannot help us with.
I have two applications registered under the Azure Portal: a test version and a production version. My test App works fine with the Client Id and ClientSecret/AppKey that I got from the test app's detail from Azure Portal. However when I move to the production one as I replace the ClientId and Secret values with the one specified by the production App I registered, I suddenly get an error:
AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided
But I'm fairly sure that my client secret is correct as I just copied and pasted from the Portal. Is there any solutions to this?
yfan183yfan18317211 gold badge33 silver badges1414 bronze badges
4 Answers
Have you tried simply regenerating the secret?
The error here is pretty straightforward and I do not think it is a fault with AAD.
Let me know if this works out for you!
Shawn TabriziShawn Tabrizi5,72411 gold badge1717 silver badges3838 bronze badges
Encode your secret ( e.g. replace
adiga+
by %2B
, =
by %3D
etc)16.9k66 gold badges2929 silver badges4848 bronze badges
fdulaufdulau
Please check you tenant Id and audience id from your config. You may still have a reference to the test environment.
Toan NguyenToan Nguyen7,85555 gold badges3333 silver badges5050 bronze badges
In my case I had 2 keys. I created a third one, that didn't work. Finally I removed all keys and created a new one, but, just one. Then it worked.
Michael WashingtonMichael Washington
Not the answer you're looking for? Browse other questions tagged azureweb-applicationsasp.net-mvc-5azure-web-sitesazure-ad-graph-api or ask your own question.
I am able to create a resource group with the following ansible playbook in the azure cloud shell, but not from my local pc. Why? I tried to recreate the application/secrets multiple times but nothing worked.
In the azure cloud shell I removed the ~/.azure folder completely but it works nonetheless. On my local pc I get this error: AADSTS7000215: Invalid client secret is provided.
But how can that be? The secret works well if it is used from within the azure cloud shell.
Tobias NeubertTobias Neubert
2 Answers
I can reappear the error that happened to you:
From the error it shows the core problem you meet:
InvalidClientError: (invalid_client) AADSTS7000215: Invalid client secret is provided.
So you must input the wrong secret of the service principal. For service principal secret, you just can see it when you create. So I suggest you can reset the secret through CLI command
az ad sp credential reset
if you really do not remember it. Fallout new vegas user interface organizer.Also, you can check if the secret of your service principal is right through the CLI command:
In addition, when you use the Cloud Shell to execute ansible, it means Automatic credential by Azure. See Automatic credential configuration
When signed into the Cloud Shell, Ansible authenticates with Azure to manage infrastructure without any additional configuration.
The screenshot below is the result of my test:
Charles XuCharles Xu7,29111 gold badge33 silver badges1212 bronze badges
The solution was to regenerate my client secret until I get one without special characters like '&' and '. :-(
Tobias NeubertTobias Neubert
Not the answer you're looking for? Browse other questions tagged azureansibleazure-aks or ask your own question.
I am developing the integration for Microsoft One Note with third party application using OAuth 2.0
And I have successfully authorised my Microsoft O365 account and provided my consent, but unable to get access token after the successful authorisation.
Error Message looks like : Invalid client secret is provided. Timestamp: 2019-03-19 07:52:28Z
One Note Documentation : enterprise notebooks on Office 365 integration
halfer15.1k77 gold badges6060 silver badges122122 bronze badges
somasundaramsomasundaram
1 Answer
As the document states format should be like below
You are providing invalid client secret key while you are requesting API
See the screen shot below and make sure you are providing right one
Note:
Check your EXPIRES of key as never expires
Update:
In your case you have to follow two step to get your access token
- First need to get authorization code
- Request for token with that authorization code
Authorization code request sample
Token Request sample with authorization code
Md Farid Uddin KironMd Farid Uddin KironAadsts7000215: Invalid Client Secret Is Provided Code
3,00533 gold badges44 silver badges2222 bronze badges
Aadsts9002317 Invalid Issuer Specified
Got a question that you can’t ask on public Stack Overflow? Learn more about sharing private information with Stack Overflow for Teams.