oauth2 error AADSTS90014: The request body must contain the following parameter: 'grant_type'

http oauth-2.0 bearer-token windev
Adjan picture Adjan · Mar 27, 2018 · Viewed 60.5k times · Source

From the development in Windev I use Oauth 2.0 for authorization to get access to the outlook mail from a user.

The application is registered at https://apps.dev.microsoft.com without the Implicit workflow. After the user enters the credentials, an Authorization Code is returned. With the new code the Bearer Token is requested with a HTTP Post command.

So far, so good.

Only that the response gives an error message that makes no sense to me.

In code:

m_sHTTPUrl = "client_id=" + m_sClientID + "&client_secret=" ...
    + m_sClientSecret ...
    + "&redirect_uri=" + m_sRedirectURL + "&code=" + m_sAuthToken ...
    + "&grant_type=authorization_code"
m_sHTTPres = ""
LogLocalFile("GetAccessToken - " + m_sTokenURL + " // " + m_sHTTPUrl) 

cMyRequest is httpRequest
cMyRequest..Method = httpPost
cMyRequest..URL = m_sTokenURL
cMyRequest..ContentType = "application/x-www-form-urlencoded"
cMyRequest..Header["grant_type"] = "authorization_code"
cMyRequest..Header["code"] = m_sAuthToken
cMyRequest..Header["client_id"] = m_sClientID
cMyRequest..Header["client_secret"] = m_sClientSecret
cMyRequest..Header["scope"] = m_sScope
cMyRequest..Header["redirect_uri"] = m_sRedirectURL
//cMyRequest..Content = m_sHTTPUrl
cMyResponse is httpResponse = HTTPSend(cMyRequest)
m_sHTTPres = cMyResponse.Content

In a logfile I requested the used parameters and the content of the httpResponse:

GetAccessToken - https://login.microsoftonline.com/common/oauth2/v2.0/token // grant_type=authorization_code
&code=xxxxxxx
&scope=openid+offline_access+User.Read+Email+Mail.Read+Contacts.Read
&redirect_uri=http://localhost/
&client_id=xxxxxxx
&client_secret=xxxxxxx

GetAccessToken - error = invalid_request
GetAccessToken - error_description = AADSTS90014: The request body must contain the following parameter: 'grant_type'.

The grant_type is in the header as it is supposed to be.

Does anybody have any clue of what is needed to get the OAUTH2 working ?

Answer

Rajashekar Shingarapu picture Rajashekar Shingarapu · Mar 5, 2019

You shouldn't send grant_type neither in params nor in headers. Those should be sent in body params then only it will work.

Url: https://login.microsoftonline.com/common/oauth2/v2.0/token client_id, scope and redirect_uri params can be sent as query params. where as grant_type, code and client_secret should sent in body params.

grant_type:authorization_code, 
code: {code you got from the authorization step}, 
client_secret: ****

Related questions

Correct way to set Bearer token with CURL

I get my bearer token from an API end point and set the following: $authorization = "Bearer 080042cad6356ad5dc0a720c18b53b8e53d4c274" Next I want to use CURL to access the secure endpoint however I am …

Read More
OAuth 2.0 Authorization Header

I want to develop a SDK that encapsules the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 & 2.0, and I have some confusion on Authorization Header (1.0 and 2.0), OAuth 1.0 protocol parameters can be transmitted using the HTTP "Authorization" header, but …

Read More
Adding http headers to window.location.href in Angular app

I have a angular app that I needed to redirect outside to a non angular html page, so I thought I could just use the $window.location.hrefto redirect the angular app to my external site. This actually works fine, …

Read More