invalid_grant :: AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token on authorize request

[ajmartinsanchez]

Hi Everybody,

I am experiencing the title issue. I configured everything correctly, and this error occurs just before executing authorization. In Microsoft documentation, I found a similar error. They recommend changing the redirect URI, but I can't apply this solution because the entire process is automated by the library.

Does anyone know how to fix this?

[bufferoverflow]

the redirect_uri is a configuration parameter, see https://github.com/omniauth/omniauth_openid_connect?tab=readme-ov-file#usage , maybe share your config and some more details about the software you are using along with omniauth_openid_connect

[ajmartinsanchez]

Hello @bufferoverflow thanks for you answer,

Here is my configuration:

issuer: 'https://login.microsoftonline.com/{tenant}/v2.0'
scope:
    - openid
    - email
response_type: code
discovery: true
required_state: false
client_options:
    scheme: https
    port: 443
    host: 'login.microsoftonline.com'
    identifier: {identifier}
    secret: {secret}
    redirect_uri: {uri_to_redirect}

When the process starts, our platform calls /authorize, and it seems to work fine. However, I believe the problem occurs during the second call when the library calls /token, as referenced in this line.

I am receiving the following error:

invalid_grant: Rack::OAuth2::Client::Error, invalid_grant :: AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. Trace ID: 8e8ddd8d-e70e-4b9e-8d3

*Edit

Looking internal logs I can see the process followed:

1 We call /v2.0/authorize 2 We call /v2.0/token 3 We call https://graph.microsoft.com/oidc/userinfo 4 We call /v2.0/token

An the last request fails.

Please let me know if you need more information.

[bufferoverflow]

No idea why you mention https://github.com/nov/rack-oauth2/blob/70da234801c53a116c2d8e126bb09f237824af5a/lib/rack/oauth2/client.rb#L71, this gem is not depending on it https://github.com/omniauth/omniauth_openid_connect/blob/master/omniauth_openid_connect.gemspec#L30:L31 . maybe set all the endpoint explicit and disable discovery ?

[ajmartinsanchez]

Hello @bufferoverflow,

Rack OAuth2 is a requirement for omniauth_openid_connect. You can find more information in the openid_connect.gemspec.

Regarding setting all endpoints explicitly, I am still receiving the same error response.

[bufferoverflow]

not sure why you need required_state, I suggest removing that. A config that works: https://docs.gitlab.com/ee/administration/auth/oidc.html?tab=Azure+OAuth+2.0#configure-microsoft-azure