Azure AD error while parsing OAuth2 callback: invalid_client

Time:04-08

I have an application registered in Azure AD using https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. When trying to log in to my app to connect to Microsoft Login, I am getting an invalid client error. In the logs I saw the following error.

error=invalid_client&error_description="AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions"

Note: I have a Microsoft Office 365 standard subscription plan.

CodePudding user response:

AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

To resolve the above error, please check the workarounds below:

  • While registering the application in Azure AD, check the supported account type you have selected

  • If you selected “single tenant”, you can’t log in to your application from a different tenant

  • To access your application from a different tenant, update the supported account type to “multi-tenant”

To learn how to do that in detail, refer to this link:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant

  • After registering the application, navigate to Expose an API, set the App ID URI, and add the required scopes such as read, user impersonation, etc.

  • Add the Client ID of your application to the knownClientApplications parameter in the Manifest

Your admin needs to accept the consent prompt to access this application. Use the URL below, updating the client_id parameter with your application's client ID:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code 

Once your admin has granted those permissions, you can log in to your application successfully.

Reference:

https://docs.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html

CodePudding user response:

Found the wrong scope in the oauth2-proxy configuration, which was sending an incorrect request to Azure; after updating the scope to the correct one, the issue is resolved.
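Both answers come down to reading the AADSTS code out of the callback and then either fixing the registration or fixing the scope the client requests. The script below is an added example, not code from either answerer, oauth2-proxy or Microsoft: it parses the redirect an app receives on a failed login, checks the `state` value against the one the app issued, extracts the AADSTS code and the resource named in the description, maps AADSTS650052 to the remediation steps from the answers above, and builds the admin-consent URL from the first answer while refusing placeholder client IDs such as `1a8e25b8-xxxx-...`. The callback URL, redirect URI, state value and client ID are constructed sample values.

```python
import hmac
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")
RESOURCE_RE = re.compile(r"\((https?://[^)\s]+)\)")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Remediation notes taken from the two answers above, keyed by AADSTS code.
REMEDIATION: Dict[int, List[str]] = {
    650052: [
        "Check the supported account types on the app registration; a single-tenant "
        "app cannot sign in users from another tenant.",
        "Under Expose an API, set the App ID URI and add the scopes the client needs, "
        "then list the client ID in knownClientApplications in the manifest.",
        "Compare the scope the client (e.g. oauth2-proxy) requests with the scopes the "
        "registration actually exposes; a wrong scope produces this error too.",
        "Have a tenant admin grant consent via the admin_consent URL.",
    ],
}


def parse_callback(url: str, expected_state: Optional[str] = None) -> dict:
    """Parse an OAuth2 redirect and pull out the Azure AD error details."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    state = first("state")
    # Constant-time compare so the callback cannot be replayed into a different session.
    if expected_state is not None and not hmac.compare_digest(state, expected_state):
        raise ValueError("state does not match the value issued for this login attempt")

    # Azure wraps error_description in literal double quotes in this log; strip them.
    description = first("error_description").strip().strip('"')
    code = AADSTS_RE.search(description)
    resource = RESOURCE_RE.search(description)
    return {
        "error": first("error"),
        "description": description,
        "aadsts_code": int(code.group(1)) if code else None,
        "resource": resource.group(1) if resource else None,
        "state": state,
    }


def remediation_for(code: Optional[int]) -> List[str]:
    """Return the page's remediation steps for a known code, or a generic pointer."""
    return REMEDIATION.get(
        code, ["No guidance on this page for that code; look it up in the AADSTS error reference."]
    )


def build_admin_consent_url(client_id: str, tenant: str = "common",
                            redirect_uri: Optional[str] = None) -> str:
    """Build the admin-consent URL from the first answer, rejecting placeholder IDs."""
    if not GUID_RE.match(client_id):
        raise ValueError(f"client_id must be the application's GUID, got {client_id!r}")
    params = {"client_id": client_id, "prompt": "admin_consent", "response_type": "code"}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?" + urlencode(params)


# Constructed sample callback reproducing the error quoted in the question
# (tenant id left as the question's xxxx placeholder; host and state are made up).
SAMPLE_STATE = "abc123"
SAMPLE_CALLBACK = "https://myapp.example.com/oauth2/callback?" + urlencode({
    "error": "invalid_client",
    "error_description": '"AADSTS650052 The app needs access to a service '
                         "(https://aks-aad-server.azure.com) that your organization "
                         "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. "
                         'Contact your IT Admin to review the configuration of your service subscriptions"',
    "state": SAMPLE_STATE,
})

if __name__ == "__main__":
    result = parse_callback(SAMPLE_CALLBACK, expected_state=SAMPLE_STATE)
    print(f"{result['error']}: AADSTS{result['aadsts_code']} for {result['resource']}")
    for step in remediation_for(result["aadsts_code"]):
        print(" -", step)
    # Constructed GUID, not a real application id.
    print(build_admin_consent_url("1a8e25b8-0000-4000-8000-000000000000"))
```

Run it as-is to see the parsed error and the consent URL; in an app, call `parse_callback` with the `state` you stored in the user's session so a mismatched or replayed callback is rejected before any error handling runs.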
