This repository has been archived by the owner on Jan 1, 2022. It is now read-only.

Ran into an error while attempting to fetch the access_token #13

Closed
alicetsai2001 opened this issue Aug 9, 2020 · 17 comments
Labels
upstream Upstream issue

Comments

@alicetsai2001

In the Microsoft Graph API Auth tooling page, when proceeding to step 5, I encountered the following message...

{"error":"invalid_request",
"error_description":"AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.

As shown, it wants a Single-Page Application; however, the platform we are after is Web...

@spencerwooo
Owner

spencerwooo commented Aug 9, 2020

OK. So it's not just me who is running into this problem. I think the original online token generation tool is broken for "Step 5 - Exchange Access Token", i.e., fetching the access_token and the refresh_token. I was able to fetch the code using the online tool in "Step 4 - Authorize for code", and make a POST request manually to https://login.microsoftonline.com/common/oauth2/v2.0/token using Insomnia for the refresh_token.


Resolving the problem (en_US)

The request should be structured as follows:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code

And for Chinese 21Vianet OneDrive users.

POST https://login.chinacloudapi.cn/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code


Solution (zh_CN)

The final step requires constructing the request as follows:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code

For OneDrive 21Vianet users:

POST https://login.chinacloudapi.cn/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code



This authorization process is documented at: Authorization and sign-in for OneDrive in Microsoft Graph | Code flow. Can you try this method?

@spencerwooo spencerwooo added the upstream Upstream issue label Aug 9, 2020
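
The manual request described in the comment above, as an added example that is not part of the original thread or the project's code. A "Web" registration authenticates with a client_secret, so the exchange is built and sent from a non-browser context (Node 18+ or a Worker); the function names, the `cloud` parameter and the sample values in the comments are assumptions made for illustration.

```javascript
// Added example: build the step-5 token request outside the browser.
// Endpoints are the two quoted in the thread.
const TOKEN_ENDPOINTS = {
  global: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
  cn: 'https://login.chinacloudapi.cn/common/oauth2/v2.0/token', // 21Vianet
}

function buildTokenRequest({ cloud = 'global', clientId, clientSecret, redirectUri, code }) {
  const url = TOKEN_ENDPOINTS[cloud]
  if (!url) throw new Error(`unknown cloud: ${cloud}`)
  for (const [name, value] of Object.entries({ clientId, clientSecret, redirectUri, code })) {
    if (typeof value !== 'string' || value === '') throw new Error(`missing ${name}`)
  }
  // Fail early on a redirect_uri the endpoint would reject as not absolute.
  // "localhost:3000" parses as scheme "localhost:", hence the scheme check
  // (Web-platform redirect URIs are http or https).
  let parsed
  try { parsed = new URL(redirectUri) } catch { throw new Error('redirect_uri must be an absolute URI') }
  if (!/^https?:$/.test(parsed.protocol)) throw new Error('redirect_uri must be an absolute URI')
  // URLSearchParams form-encodes every value, so "+", "/" and ":" in the
  // code or URI are not mangled the way hand-built query strings often are.
  const body = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    client_secret: clientSecret,
    code,
    grant_type: 'authorization_code',
  }).toString()
  return { url, method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body }
}

// Extract the numeric AADSTS code from an error response for logging/matching.
function aadstsCode(errorJson) {
  const m = /AADSTS(\d+)/.exec(errorJson.error_description || '')
  return m ? Number(m[1]) : null
}

async function redeemCode(params) {
  const { url, ...init } = buildTokenRequest(params)
  const res = await fetch(url, init)
  const json = await res.json()
  if (!res.ok) throw new Error(`${json.error} (AADSTS${aadstsCode(json)})`)
  // Both tokens are credentials: return them to the caller, never log them.
  return { accessToken: json.access_token, refreshToken: json.refresh_token }
}
```
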
@alicetsai2001
Author

Also works in my case - many thanks!!!

@spencerwooo
Owner

All right, I'll leave a note in README.md afterwards.

@spencerwooo spencerwooo pinned this issue Aug 19, 2020
@spencerwooo spencerwooo changed the title from "Ran into error while attempting to fetch an access token" to "Ran into an error while attempting to fetch the access_token" Aug 19, 2020
@beetcb
Contributor

beetcb commented Aug 19, 2020

Considering @spencerwooo had already demonstrated Chinese 21Vianet OneDrive's manual POST method, I changed my fork README.md to (just) a quick tutorial (in Chinese). Respect 😎

@NeoBlizzard-verbose

My apologies for reopening this issue, but it looks like the redirect_uri is invalid now. It shows an error "redirect_uri value must be a valid absolute URI" every time I try to get the code. Any help is greatly appreciated :)

@spencerwooo
Owner

> My apologies for reopening this issue, but it looks like the redirect_uri is invalid now. It shows an error "redirect_uri value must be a valid absolute URI" every time I try to get the code. Any help is greatly appreciated :)

@riglaze Which step? Did you try using Postman / Insomnia to perform the second request manually?

@NeoBlizzard-verbose

> @riglaze Which step?

Step 5, the process in which the user gets the refresh_token. I used the guide you linked, but it gives me that error.

> Did you try using Postman / Insomnia to perform the second request manually?

Not yet. Will give it a shot soon

@spencerwooo
Owner

spencerwooo commented Aug 20, 2020

> Step 5, the process in which the user gets the refresh_token.

My apologies if I haven't made this totally clear. The online tool is broken for step 5 along with all further steps; for the step to get the refresh_token you'll have to perform the actual request manually.

  1. USE THE ONLINE TOOL on "4. Authorize for code" to get a valid Code for the next step.
  2. USE YOUR OWN TOOL TO PERFORM A REQUEST instead of using the online tool's "5. Exchange Access Token".

After these two steps, you'll get what you need: your access_token and your refresh_token.

@NeoBlizzard-verbose

> Step 5, the process in which the user gets the refresh_token.
>
> My apologies if I haven't made this totally clear. The online tool is broken for step 5 and all further steps, for the step to get the refresh_token you'll have to perform the actual request manually.
>
>   1. USE THE ONLINE TOOL on "4. Authorize for code" to get a valid Code for the next step.
>   2. USE YOUR OWN TOOL TO PERFORM A REQUEST instead of using the online tool's "5. Exchange Access Token".
>
> After these two steps, you'll get what you need: your access_token and your refresh_token.

Thanks for the help. It is clear now.

@rokibhasansagar

On "Step 5. Exchange Access Token" from https://heymind.github.io/tools/microsoft-graph-api-auth, I got a refresh_token of 1031 characters.
EDIT: I tried the manual method using Postman, still getting tokens of the same length.

Then on the last step, "Refresh Token", I pasted that token and got back another token of 1038 characters.

I guess the final one is the token which needs to be on the CF Worker.

But the CF Worker does not accept a secret/token larger than 1kB, and I get an error while putting the secret through wrangler: "Your secret is too large, it must be 1kB or less."

What should be done?

@spencerwooo
Owner

@rokibhasansagar See #58 if you can read Chinese; basically it's just a matter of storing your over-length access token through Cloudflare KV storage instead of Cloudflare secrets.

@xiaoxin2007

@spencerwooo Can you write it in Chinese? I also met this problem but I can't read it. I can't read English, please.

@xiaoxin2007 xiaoxin2007 mentioned this issue Feb 5, 2021
@polychromate

When I use Insomnia, it always shows me error 70000. I don't know why.

@beetcb
Contributor

beetcb commented Feb 14, 2021

Hi @polychromate, looks like the code has expired; try to refresh it (the authorization code).

@polychromate

@beetcb I resent a new code; now it shows me error 70011.

The provided value for the input parameter 'scope' is not valid. The scope 'offline_access$20Files.Read Files.Read.All' does not exist.

@beetcb
Contributor

beetcb commented Feb 15, 2021

Plz do read the error_description carefully; it complains about an invalid scope, which should be like this screenshot:

image

@spencerwooo
Owner

@polychromate Please open a new issue to discuss your problems. ❤️
