[bug]: AADSTS7000215: Invalid client secret provided even with valid secret
Breee opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Current behavior
Env vars:

```
MICROSOFT_CLIENT_ID=<client>
MICROSOFT_CLIENT_SECRET=<secret>
MICROSOFT_SCOPE=user.read
MICROSOFT_TENANT=<tenant>
MICROSOFT_CALLBACK_URL=https://backend.example.com/v1/auth/microsoft/callback
VITE_ALLOWED_AUTH_PROVIDERS=MICROSOFT
```
A freshly created secret in my Azure App registration leads to:

```
[Nest] 42 - 02/28/2024, 10:59:21 AM ERROR [ExceptionsHandler] AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<client>'. Trace ID: <trace_id> Correlation ID: <correlation_id> Timestamp: 2024-02-28 10:59:21Z
```
I'm using Terraform to deploy the app registration:

[...]

```hcl
resource "azuread_application" "aadclient" {
  display_name     = "${var.dns_name}"
  sign_in_audience = "AzureADMyOrg"
  owners           = concat([data.azuread_client_config.current.object_id], data.azuread_users.application_owner_list.object_ids)

  web {
    redirect_uris = [
      "https://backend.${var.dns_name}/v1/auth/microsoft/callback"
    ]
    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch owner Users"
    display_name         = "Hoppscotch owner"
    enabled              = true
    id                   = random_uuid.owner_role_uuid.result
    value                = "OWNER"
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch Editor Users"
    display_name         = "Hoppscotch Editor"
    enabled              = true
    id                   = random_uuid.editor_role_uuid.result
    value                = "EDITOR"
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch Viewer Users"
    display_name         = "Hoppscotch Viewer"
    enabled              = true
    id                   = random_uuid.viewer_role_uuid.result
    value                = "VIEWER"
  }
}

## Client Secrets will expire at some point, so they have to rotate
resource "time_rotating" "client_secret_rotation_days" {
  rotation_days = 120
}

resource "azuread_application_password" "client_secret" {
  application_object_id = azuread_application.aadclient.object_id
  display_name          = "${var.dns_name}"
  rotate_when_changed = {
    rotation = time_rotating.client_secret_rotation_days.id
  }
}
```

[...]
The correct client ID and secret are passed to Hoppscotch.
It used to work, so I don't know what changed.
Steps to reproduce
Environment
Production
Version
Self-hosted
Tested the setup:

- 2023.8.4 works
- 2023.12.0 broken
- 2023.12.5 broken
- 2023.12.6 broken
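The AADSTS7000215 text itself names the classic cause of this error: the GUID shown as the secret's *ID* in the portal being used where the secret *value* belongs. A second thing worth keeping in mind with the configuration above is that `time_rotating` makes Terraform mint a new secret value every 120 days, so whatever consumes `MICROSOFT_CLIENT_SECRET` has to receive the new value when that happens. The script below is an added example, not Hoppscotch code and not part of the original report. It validates the secret independently of Hoppscotch: it flags a secret that is a GUID, then performs an app-only `client_credentials` request against the same tenant and reports the AADSTS code from the response. The `https://graph.microsoft.com/.default` scope is an assumption chosen because the `client_credentials` grant requires a `/.default` scope (the delegated `user.read` from the `.env` is not accepted for that grant); the check proves the secret value is accepted by the tenant, it does not exercise the delegated login flow Hoppscotch uses.

```python
"""Stand-alone check for MICROSOFT_CLIENT_SECRET before handing it to Hoppscotch.

Added example, not Hoppscotch code. It does two things:
  1. flags a secret that is a GUID (the portal's secret *ID*, not its *value*);
  2. performs a client_credentials token request against the tenant and reports
     the AADSTS code from the response, if any.
"""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# Entra ID secret IDs are GUIDs; secret values are opaque strings that are not.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def secret_looks_like_id(secret: str) -> bool:
    """True when the supplied 'secret' is a GUID, i.e. almost certainly the secret ID."""
    return GUID_RE.match(secret.strip()) is not None


def build_token_request(tenant: str, client_id: str, client_secret: str,
                        scope: str = "https://graph.microsoft.com/.default"):
    """Return (url, form-encoded body) for an app-only client_credentials request.

    The client_credentials grant needs a '<resource>/.default' scope; a delegated
    scope such as 'user.read' is rejected for it. Microsoft Graph is the assumed default.
    """
    url = TOKEN_URL.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def http_post(url: str, body: bytes) -> str:
    """POST and return the body even on 4xx: the token endpoint answers 400/401 with JSON."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.read().decode()


def parse_aadsts_error(response_body: str):
    """Return the AADSTS code from an error response (e.g. 'AADSTS7000215'), the bare
    'error' field if no code is present, or None when a token was issued."""
    data = json.loads(response_body)
    if "access_token" in data:
        return None
    m = re.search(r"AADSTS\d+", data.get("error_description", ""))
    return m.group(0) if m else data.get("error", "unknown_error")


def diagnose(tenant: str, client_id: str, client_secret: str, post=http_post) -> dict:
    """Run both checks. `post` is injectable so the logic can be exercised offline."""
    findings = {"secret_is_guid": secret_looks_like_id(client_secret)}
    url, body = build_token_request(tenant, client_id, client_secret)
    findings["aadsts"] = parse_aadsts_error(post(url, body))
    findings["secret_accepted"] = findings["aadsts"] is None
    return findings


if __name__ == "__main__":
    # Reads the same variables the issue's .env uses.
    result = diagnose(os.environ["MICROSOFT_TENANT"],
                      os.environ["MICROSOFT_CLIENT_ID"],
                      os.environ["MICROSOFT_CLIENT_SECRET"])
    print(json.dumps(result, indent=2))
```

Run it with the same three variables exported; `secret_is_guid: true` means the wrong field was copied from the portal, while `secret_is_guid: false` together with `AADSTS7000215` points at a stale or mistyped value (for instance one that Terraform has since rotated). Because the token endpoint returns its JSON error body with a 4xx status, `http_post` deliberately returns that body instead of raising.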