Encountered error during OAuth token request.

  • Question

  • Hi, 

    We have encountered this error and cannot find any information on how to overcome this. 

    Error Message:

    Encountered error during OAuth token request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: MSIS9252: The authorization code received is invalid. No artifact found for the specified authorization code: '(code removed)'. The cause may be that artifact has timed out, or the authorization code was replayed, or the authorization code is invalid.

       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)

    Settings: 

    RedirectUri : {beta.housingmaintenancesolutions.org/backend/lmh/ssologin/OauthLogin/} (DEV SERVER)
    Name        : HmsWebsiteBetaClient
    Description :
    ClientId    : hms-beta-website
    BuiltIn     : False
    Enabled     : True
    ClientType  : Public

    RedirectUri : {lmh00432/octtheme/backend/lmh/ssologin/OauthLogin/} (LOCALHOST)
    Name        : HmsWebsiteDevClient
    Description :
    ClientId    : hms-dev-website
    BuiltIn     : False
    Enabled     : True
    ClientType  : Public

    This has been tested and works perfectly on Localhost, but not on the development server. 

    Thanks for your assistance. 


    Friday, January 6, 2017 11:21 AM

All replies

  • What version of ADFS are you using?

    What OAuth flow? - it looks like authorisation code grant.

    In which case you should have a parameter like "code = xxx".

    If you do, then the error is normally as per the message i.e. time out / you have already used this code / this code was not issued by ADFS etc.

    Sunday, January 8, 2017 6:19 PM
  • Hi, 

    Thanks for your reply. 

    We are currently using ADFS version 3.0.

    We are successfully getting an authorization code after logging in to ADFS but for some reason it doesn't seem to recognise this code once it is passed back to the application. 

    As I've mentioned in my initial message, it is working perfectly on localhost, which uses these settings:

    RedirectUri : {lmh00432/octtheme/backend/lmh/ssologin/OauthLogin/} (LOCALHOST)
    Name        : HmsWebsiteDevClient 
    Description : 
    ClientId    : hms-dev-website 
    BuiltIn     : False 
    Enabled     : True 
    ClientType  : Public

    But the very same code and application doesn't work on the development server:

    RedirectUri : {beta.housingmaintenancesolutions.org/backend/lmh/ssologin/OauthLogin/} (DEV SERVER)
    Name        : HmsWebsiteBetaClient 
    Description : 
    ClientId    : hms-beta-website 
    BuiltIn     : False 
    Enabled     : True 
    ClientType  : Public

    As you can see from the above, the only difference is the ClientId and the Redirect URI. So what do you think could be the issue? 

    Kind Regards, 

    Monday, January 9, 2017 10:07 AM
  • Is there anything in the ADFS event log?

    I'm sure you've done this but just checking that when you say "very same code and application", the web.config is different to reflect the different ClientID etc.?

    If you use Fiddler or similar, is there anything different in the two requests / responses? (other than expected differences).

    Does clearing cookies help?

    If you are authenticating with two different users, are there any differences between them?

    Monday, January 9, 2017 7:23 PM
  • In the event log there’s an error complaining about the authorization code received being invalid:

    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: MSIS9252: The authorization code received is invalid. No artifact found for the specified authorization code: '(code removed)'. The cause may be that artifact has timed out, or the authorization code was replayed, or the authorization code is invalid.

       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)

    An earlier post shows our configuration of the two different client IDs and their redirect URIs that have been set up in ADFS; these correspond to the two client IDs and URIs provided by the two different instances of the application when calling the /oauth2/token endpoint.

    The development environment uses the hms-dev-website client ID and works fine. The test environment uses the hms-beta-website client ID, which I’ve confirmed with a debugger, and I've watched it call the /oauth2/authorise endpoint with the correct client ID as query parameters (“client” and “resource”).

    The authorisation codes received are different each time, and I’ve confirmed it’s only ever sending the code it gets back from ADFS immediately after receiving it.

    The only thing I can think that might be confusing the situation is that while there are two client-ids set up, I’ve only set up one Relying Party Trust in ADFS but with both of the client IDs as “Relying party identifiers”.

    Another thing to note is that we have 2 ADFS servers fronted by a web application proxy that load-balances between them. 

    We have tested different authenticated users but we get the same result. 

    Tuesday, January 10, 2017 10:15 AM
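Added example (not code from this thread and not ADFS code): a small Python model of the authorization code grant that reproduces each rejection named in the MSIS9252 text (timed out, replayed, not issued by the node being asked) plus the client_id/redirect_uri binding check RFC 6749 section 4.1.3 requires at the token endpoint, and then runs the two-server case mentioned above both with separate per-node code stores and with one store shared by both nodes. The 300-second lifetime, the https scheme on the two redirect URIs, the reason strings and the idea that one farm node might not see a code issued by the other are all constructed assumptions for illustration; the thread does not establish that any of them applies to this ADFS farm.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_LIFETIME_SECONDS = 300  # assumed for this model; the thread does not state the ADFS value

# Constructed registrations mirroring the two clients in the thread (https scheme assumed).
CLIENTS = {
    "hms-dev-website": "https://lmh00432/octtheme/backend/lmh/ssologin/OauthLogin/",
    "hms-beta-website": "https://beta.housingmaintenancesolutions.org/backend/lmh/ssologin/OauthLogin/",
}


class FakeClock:
    """Controllable clock so expiry can be shown without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    redeemed: bool = False


@dataclass
class AuthServerNode:
    """One authorization-server node. Nodes handed the same `store` dict share their
    issued codes; nodes with separate dicts each know only the codes they issued."""
    clients: Dict[str, str]                                  # client_id -> registered redirect_uri
    store: Dict[str, IssuedCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """/authorize: issue a code bound to a registered client_id + redirect_uri; return the redirect."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.store[code] = IssuedCode(client_id, redirect_uri, self.clock())
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, form: Dict[str, str]) -> Dict[str, str]:
        """/token: accept a code once, within its lifetime, only from the client it was
        issued to and with the same redirect_uri (RFC 6749 section 4.1.3)."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.store.get(form.get("code", ""))
        if entry is None:
            return {"error": "invalid_grant", "reason": "unknown code"}
        if entry.redeemed:
            return {"error": "invalid_grant", "reason": "code replayed"}
        if self.clock() - entry.issued_at > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "reason": "code expired"}
        if (entry.client_id, entry.redirect_uri) != (form.get("client_id"), form.get("redirect_uri")):
            return {"error": "invalid_grant", "reason": "client binding mismatch"}
        entry.redeemed = True  # single use: mark consumed before handing out the token
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def redeem(node: AuthServerNode, redirect_url: str, client_id: str) -> Dict[str, str]:
    """Client side: take `code` from the redirect and post it back immediately with the
    same client_id and redirect_uri used on /authorize."""
    code = parse_qs(urlsplit(redirect_url).query).get("code", [""])[0]
    return node.token({"grant_type": "authorization_code", "code": code,
                       "client_id": client_id, "redirect_uri": redirect_url.split("?", 1)[0]})


def run_scenarios() -> Dict[str, str]:
    """Trigger each rejection the MSIS9252 text lists, plus the two-node farm case."""
    clock, dev, beta = FakeClock(), "hms-dev-website", "hms-beta-website"
    node, results = AuthServerNode(CLIENTS, clock=clock), {}

    url = node.authorize(dev, CLIENTS[dev])
    results["first_redeem"] = "ok" if "access_token" in redeem(node, url, dev) else "fail"
    results["replay"] = redeem(node, url, dev)["reason"]            # same code, second time

    url = node.authorize(dev, CLIENTS[dev])
    clock.advance(CODE_LIFETIME_SECONDS + 1)
    results["expired"] = redeem(node, url, dev)["reason"]

    # Code issued to the dev client, redeemed with the beta client_id.
    results["wrong_client"] = redeem(node, node.authorize(dev, CLIENTS[dev]), beta)["reason"]

    # Two nodes with separate stores: a code issued by node A is unknown to node B.
    a, b = AuthServerNode(CLIENTS, clock=clock), AuthServerNode(CLIENTS, clock=clock)
    results["farm_unshared"] = redeem(b, a.authorize(beta, CLIENTS[beta]), beta)["reason"]

    # Same two nodes with one shared store: node B redeems node A's code.
    shared: Dict[str, IssuedCode] = {}
    a, b = AuthServerNode(CLIENTS, shared, clock), AuthServerNode(CLIENTS, shared, clock)
    ok = "access_token" in redeem(b, a.authorize(beta, CLIENTS[beta]), beta)
    results["farm_shared"] = "ok" if ok else "fail"
    return results
```

run_scenarios() returns one outcome per case. When looking at a real MSIS9252 with Fiddler, as suggested earlier in the thread, the same three questions decide which case applies: does the code in the /oauth2/token POST match the one in the redirect that delivered it, do the client_id and redirect_uri in the POST match the ones used on /oauth2/authorize, and how much time passed between the two requests.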
  • We are also experiencing this issue.  Were you ever able to find the answer to this question?

    Is Development in an ADFS farm?  What backing database does it use?  WID or SQL Server?

    Thanks


    Thursday, January 30, 2020 6:10 PM