
I am using the MS Graph explorer to test an OAuth client credential grant flow. I'm following the instructions in the MS Graph documentation "Get access without a user".

I am making a POST to

https://login.microsoft.com/common/oauth2/v2.0/token

In the Request Body I have the following JSON.

{
    "client_id": "***",
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2F.default",
    "client_secret": "***",
    "grant_type": "client_credentials"
}

When running this query I get the following response:

{
    "error": "invalid_request",
    "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'.
        \r\nTrace ID: **\r\nCorrelation ID: **\r\nTimestamp: 2020-11-23 01:14:49Z",
    "error_codes": [
        900144
    ],
    "timestamp": "2020-11-23 01:14:49Z",
    "trace_id": "**",
    "correlation_id": "**",
    "error_uri": "https://login.microsoft.com/error?code=900144"
}

I'm stumped. From what I can tell, the request body does contain the parameter: 'grant_type'.

Any insight on the matter will be greatly appreciated. Thank you.

Carl Zhao
LWSChad
  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Many thanks!!! – Carl Zhao Nov 24 '20 at 10:03

2 Answers

1

Let's look at the screenshot below. Maybe it will give you some idea.

The difference between them is payload and form data.

Tiny Wang
1

This is a very common error. First of all, you cannot use MS Graph explorer to test the client credential grant flow. We usually use this tool to call the MS Graph API rather than to request an access token, and MS Graph explorer usually requires users to log in; when you log in as a user, it will automatically obtain a user token, which you can see in Access token.


If you need to use the client credential grant flow to obtain an access token, I recommend using Postman. In addition, you must note that the request body is not sent in the form of JSON, but in the form of application/x-www-form-urlencoded. See: here.


Carl Zhao
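
The form-encoded request the answers above describe, as an added example that is not part of the original posts: it builds the token request without sending it, shows why a form decoder finds no `grant_type` in a JSON body, and masks `client_secret` before logging. The function names and placeholder credentials are assumptions constructed for illustration; the token URL is the one from the question.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoft.com/common/oauth2/v2.0/token"  # from the question


def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Build (without sending) a form-encoded client credentials request."""
    fields = {
        "client_id": client_id,
        # Un-encoded scope: urlencode() escapes it exactly once. The question's
        # pre-encoded "https%3A%2F%2F..." would be escaped again ("%" -> "%25").
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def form_fields(body: bytes) -> dict:
    """Decode a body as a form parser would (a model, not Microsoft's code)."""
    parsed = urllib.parse.parse_qs(body.decode("ascii"))
    return {name: values[0] for name, values in parsed.items()}


def redact_for_log(body: bytes) -> str:
    """Return the body with client_secret masked, safe to write to logs."""
    pairs = urllib.parse.parse_qsl(body.decode("ascii"))
    return urllib.parse.urlencode(
        [(k, "REDACTED" if k == "client_secret" else v) for k, v in pairs]
    )


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    req = build_token_request("app-id-placeholder", "secret-placeholder")
    json_body = json.dumps(form_fields(req.data)).encode("ascii")
    print("form body :", redact_for_log(req.data))
    print("form parse:", sorted(form_fields(req.data)))
    print("JSON parse:", sorted(form_fields(json_body)))  # no grant_type found
```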