24

I have two applications registered under the Azure Portal: a test version and a production version. My test App works fine with the Client Id and ClientSecret/AppKey that I got from the test app's detail from Azure Portal. However when I move to the production one as I replace the ClientId and Secret values with the one specified by the production App I registered, I suddenly get an error:

AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided

But I'm fairly sure that my client secret is correct as I just copied and pasted from the Portal. Is there any solutions to this?

yfan183

8 Answers

37

Encode your secret ( e.g. replace + by %2B , = by %3D etc)

adiga
fdulau
  • Thank you! My web app stopped working, even though the secret would be still valid for years. An extra `urlencode()` did the job for the PHP library being used (https://github.com/jumbojett/OpenID-Connect-PHP). – Yirkha Mar 03 '18 at 01:05
  • What about the space before and after + and =? Do we have to use %? – Incredible Jul 12 '18 at 13:26
  • I just ran into this problem: It's perhaps worth emphasizing that the client_secret needs to be urlencoded/%- even if it's been sent as part of an HTTP Basic auth header where the whole thing will be base64-encoded anyway. – bjmc Jan 25 '19 at 17:20
  • Yup, looks like this is a URL encoding issue. I kept regenerating my client secret until I got one with mostly basic upper and lower case characters. It would be nice to know the exact encoding Microsoft is looking for. – Christian Gossain Apr 20 '19 at 20:29
  • This saved the day! We were stuck in AzureDataFactory and replace helped. – Prabhat G Oct 06 '22 at 06:52
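Added illustration of the encoding point made in this answer and its comments (not code from the answerer or from any Microsoft library). It builds the client_credentials token request body both ways and decodes it the way a token endpoint would, so you can see that an unencoded '+' in the secret arrives as a space, while urlencode() delivers the secret intact. It also builds the HTTP Basic form, where RFC 6749 section 2.3.1 requires both client_id and client_secret to be form-url-encoded before the base64 step. All client ids, secrets and scopes here are constructed sample values, not real credentials.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample values (not real credentials). The secret deliberately
# contains '+', '/' and '=', the characters that break an unencoded body.
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SECRET = "ab+cd/ef=gh"
SAMPLE_SCOPE = "https://graph.microsoft.com/.default"


def naive_token_body(client_id: str, client_secret: str, scope: str) -> str:
    """The broken form: values concatenated without percent-encoding.
    A '+' in the secret is decoded as a space by the token endpoint, so the
    value it compares against the registered secret never matches."""
    return (f"grant_type=client_credentials&client_id={client_id}"
            f"&client_secret={client_secret}&scope={scope}")


def encoded_token_body(client_id: str, client_secret: str, scope: str) -> str:
    """The correct form: urlencode() percent-encodes every value,
    so '+' -> %2B, '/' -> %2F and '=' -> %3D."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def secret_as_seen_by_server(body: str) -> str:
    """Decode an application/x-www-form-urlencoded body the way a token
    endpoint does and return the client_secret it would actually compare."""
    return parse_qs(body, keep_blank_values=True)["client_secret"][0]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication per RFC 6749 section 2.3.1: both
    values are form-url-encoded before being joined with ':' and base64
    encoded, which is why the secret still needs encoding in this form."""
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Undo basic_auth_header(): base64-decode, split on ':', then
    percent-decode each half. Returns (client_id, client_secret)."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("ascii")
    encoded_id, encoded_secret = raw.split(":", 1)
    return unquote(encoded_id), unquote(encoded_secret)


if __name__ == "__main__":
    broken = naive_token_body(SAMPLE_CLIENT_ID, SAMPLE_SECRET, SAMPLE_SCOPE)
    fixed = encoded_token_body(SAMPLE_CLIENT_ID, SAMPLE_SECRET, SAMPLE_SCOPE)
    print("server sees (naive):  ", repr(secret_as_seen_by_server(broken)))
    print("server sees (encoded):", repr(secret_as_seen_by_server(fixed)))
    print(basic_auth_header(SAMPLE_CLIENT_ID, SAMPLE_SECRET))
```

Most OAuth client libraries (MSAL, ADAL, the OpenID-Connect-PHP library mentioned above once its `urlencode()` fix is in) do this encoding for you; the error shows up when a body is assembled by string concatenation or a pipeline variable is substituted raw into a URL.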
14

Have you tried simply regenerating the secret?

The error here is pretty straightforward and I do not think it is a fault with AAD.

Let me know if this works out for you!

Shawn Tabrizi
  • My problem was that my key from the Azure portal had expired. Generating a new one with a new expiration date fixed it. – David Jul 18 '17 at 20:57
  • Not sure if this was implied here already, but I fixed this error by making a new secret key in `Azure Active Directory` for my client - not a key in Azure Key Vault, which threw me off. Azure Portal > Active Directory > App Registrations > (your app) > Settings > Keys. My key here was expired. – GraehamF Nov 21 '18 at 01:06
5

This may sound stupid but as it happened to me, it could happen to someone else (as clueless as me): The code you need to use is not the one that says "Secret ID" but the one that says "value".

Uriel
  • Yeap, that's my case, I am stupid :D – Vipertecpro Dec 26 '22 at 08:15
  • Thank you for this answer. Didn't happen to me, but when another company sent us the app registration information I told my coworkers it was wrong and no one believed me (no one had tried using it yet and these were mostly non-tech people). This helped me prove to them it was the wrong value. It shouldn't look like a GUID!! =] – AtheistP3ace Jul 18 '23 at 12:49
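Added preflight check covering the two pitfalls raised in the answers above, the expired secret (Shawn Tabrizi's answer and its comments) and the Secret ID pasted where the Value belongs (Uriel's answer); this is illustration code, not from any answerer. It assumes the credential records have the field names of `az ad app credential list --id <app-id>` output (keyId, displayName, hint, endDateTime, with hint being the first three characters of the secret); that shape is an assumption here, and the records and secrets below are constructed samples, not real credentials.

```python
import re
from datetime import datetime, timedelta, timezone

# A Secret ID is a GUID; a secret Value never is, so a GUID-shaped value
# almost certainly means the wrong column was copied from the portal.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Constructed sample records in the assumed shape of
# `az ad app credential list` output. Not real credentials.
SAMPLE_CREDENTIALS = [
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "prod-2021",
     "hint": "Zx9", "endDateTime": "2022-11-20T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "prod-2023",
     "hint": "Qm7", "endDateTime": "2024-07-01T00:00:00Z"},
]
# Fixed "current time" so the sample is reproducible.
NOW = datetime(2023, 7, 18, tzinfo=timezone.utc)


def looks_like_secret_id(value: str) -> bool:
    """True when the configured value is GUID-shaped (i.e. a Secret ID)."""
    return bool(GUID_RE.match(value.strip()))


def credential_status(cred: dict, now: datetime, warn_days: int = 30) -> str:
    """Classify one credential record by its endDateTime: expired,
    expiring (within warn_days) or valid."""
    end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
    if end <= now:
        return "expired"
    if end - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def preflight(configured_secret: str, credentials: list, now: datetime) -> list:
    """Return a list of findings for the secret an app is configured with.
    An empty list means the value is not GUID-shaped and matches (by hint)
    a registered credential that has not expired."""
    findings = []
    if looks_like_secret_id(configured_secret):
        findings.append("configured value is GUID-shaped: that is the Secret ID, not the secret Value")
        return findings
    matching = [c for c in credentials if c.get("hint") == configured_secret[:3]]
    if not matching:
        findings.append("no registered credential starts with the configured secret's first three characters")
    for cred in matching:
        status = credential_status(cred, now)
        if status != "valid":
            findings.append(
                f"credential {cred['keyId']} ({cred.get('displayName')}) is {status}, "
                f"ends {cred['endDateTime']}"
            )
    return findings


if __name__ == "__main__":
    for secret in ("Zx9-constructed-old-secret", "Qm7-constructed-current-secret",
                   "aaaaaaaa-0000-0000-0000-000000000001"):
        print(secret[:3], preflight(secret, SAMPLE_CREDENTIALS, NOW) or ["ok"])
```

Run it against real output by feeding the parsed JSON of `az ad app credential list --id <app-id>` and `datetime.now(timezone.utc)` to `preflight()`; the hint match also tells you which of several registered keys the configured value belongs to, which helps in the "I had 2 keys" situation described further down.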
2

The problem is the expiry time of the secret. With 6, 12 or 18 months there is no problem (I am using azure-cli 2.26.0). With 24 months you get the error:

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: fef57aee-deeb-47fa-ae05-ba8427cd4300\r\nCorrelation ID: ba3cc2d5-1594-4af3-be2b-3b35e8d40e06\r\nTimestamp: 2021-10-23 18:18:27Z","error_codes":[7000215],"timestamp":"2021-10-23 18:18:27Z","trace_id":"fef57aee-deeb-47fa-ae05-ba8427cd4300","correlation_id":"ba3cc2d5-1594-4af3-be2b-3b35e8d40e06","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

1

In my case I had 2 keys. I created a third one, that didn't work. Finally I removed all keys and created a new one, but, just one. Then it worked.

Michael Washington
1

Maybe this will help some lost souls.

I had my secret set up in secrets.json at the beginning of the project, which I forgot. After the secret expired, I tried updating the appsettings.json to no avail, until I remembered and changed it in secrets.json. This was a test project run only locally. You could also have it in the env variables, which also take precedence over appsettings.

ph0enix
pykos
0

I experienced this issue when working on deploying a docker image to a virtual machine on Azure using Azure DevOps.

My initial Azure DevOps pipeline script was:

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'

Here's how I fixed it:

Adding the command az acr login --name $(containerRegistry) to the az vm run-command did the trick:

- stage: Deploy
  displayName: Deploy to VM
  jobs:
    - job: Deploy_to_VM
      displayName: Deploy to Virtual Machine
      steps:
        - task: AzureCLI@2
          displayName: Connect to Azure and deploy
          inputs:
            azureSubscription: $(AzureSubscription)
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: 'az vm run-command invoke -g $(rGroup) -n $(vmName) --command-id RunShellScript --scripts "az acr login --name $(containerRegistry) && docker pull $(containerRegistry).azurecr.io/$(imageName):$(tag) && docker service update --replicas=1 --force --image $(containerRegistry).azurecr.io/$(imageName):$(tag) $(imageName)_app"'
Promise Preston
-1

Please check your tenant Id and audience Id in your config. You may still have a reference to the test environment.

Toan Nguyen
  • The tenant Id is the same as I'm using the same directory. And I don't have an audience Id so I don't think that would be the problem either – yfan183 Feb 27 '17 at 09:48
  • If you can post your code or some screenshots, then it would be clearer to see what happened. – Toan Nguyen Feb 27 '17 at 09:51