Qt / QTBUG-97791

QOAuth2AuthorizationCodeFlow refreshToken does not work with Azure (Bad Request)



    • Bug
    • Resolution: Out of scope
    • P2: Important
    • None
    • 6.2.0
    • None
    • Windows 10 20H2
    • All


      The attached example project shows a working and a broken example for refreshing access tokens against Azure.
      The working example is just a lucky hack that seems to work for me; the broken example should just work, in my opinion.

      The Azure instance is just a playground setup for me, so I can share it:
      User: LeeG@bitfactoryat.onmicrosoft.com
      Password: ASecretPassword_123

      The attached PDF shows how to set up Azure for this example app.

      How to reproduce:

      1. Start attached example app
      2. Click button "Switch to bad example"
      3. Click button "Grant"
      4. Your browser will open with the login page -> log in
      5. The app will show the access token and refresh token
      6. Click button "Refresh"
      7. The app shows no new tokens, in the console an error is displayed


      The error is:

      Bad Request:  "{\"error\":\"invalid_request\",\"error_description\":\"AADSTS90009: Application '54fca61a-c1fd-47c0-9ffd-5751c4898b8c'(54fca61a-c1fd-47c0-9ffd-5751c4898b8c) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.\\r\\nTrace ID: a4da4ec0-6d33-4578-ae0d-b14f974f1200\\r\\nCorrelation ID: 3f70644e-e43f-423d-a1d1-d5d6c673ec66\\r\\nTimestamp: 2021-10-27 08:19:13Z\",\"error_codes\":[90009],\"timestamp\":\"2021-10-27 08:19:13Z\",\"trace_id\":\"a4da4ec0-6d33-4578-ae0d-b14f974f1200\",\"correlation_id\":\"3f70644e-e43f-423d-a1d1-d5d6c673ec66\"}"
      qt.networkauth.replyhandler: Error transferring https://login.microsoftonline.com/424419bb-b275-4229-ac95-537d384059de/oauth2/v2.0/token - server replied: Bad Request

      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow - The Microsoft docs mention the scope for the refresh token request is optional, but in this case it does not seem to be true.

      It works with this modification to "Qt\6.2.0\Src\qtnetworkauth\src\oauth\qoauth2authorizationcodeflow.cpp":

      diff --git "a/Qt\\6.2.0\\Src\\qtnetworkauth\\src\\oauth\\qoauth2authorizationcodeflow.cpp.org" "b/Qt\\6.2.0\\Src\\qtnetworkauth\\src\\oauth\\qoauth2authorizationcodeflow.cpp"
      index aa9204b..6bc490c 100644
      --- "a/Qt\\6.2.0\\Src\\qtnetworkauth\\src\\oauth\\qoauth2authorizationcodeflow.cpp.org"
      +++ "b/Qt\\6.2.0\\Src\\qtnetworkauth\\src\\oauth\\qoauth2authorizationcodeflow.cpp"
      @@ -327,6 +327,7 @@ void QOAuth2AuthorizationCodeFlow::refreshAccessToken()
           parameters.insert(Key::redirectUri, QUrl::toPercentEncoding(callback()));
           parameters.insert(Key::clientIdentifier, d->clientIdentifier);
           parameters.insert(Key::clientSharedSecret, d->clientIdentifierSharedKey);
      +	parameters.insert(Key::scope, d->scope);
           if (d->modifyParametersFunction)
               d->modifyParametersFunction(Stage::RefreshingAccessToken, &parameters);
           query = QAbstractOAuthPrivate::createQuery(parameters);
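
      Review bot: the added line "parameters.insert(Key::scope, d->scope);" is unconditional, so a flow with no scope set would send an empty scope parameter on every refresh; guard it with a check that d->scope is non-empty. Its position before the d->modifyParametersFunction call is right, since a hook at Stage::RefreshingAccessToken can still override or remove the value. The new line is also indented with a tab where the surrounding lines use spaces.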


       If I can be of any help please let me know.
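
Added example, not part of the original report and not Qt's code: the hunk's context lines show refreshAccessToken() calling the modify-parameters hook before the query is built, so an application can supply scope from its own hook (installed in Qt with QAbstractOAuth::setModifyParametersFunction) instead of patching the library. The sketch models that order in standard C++ and leaves out the redirect URI and client secret parameters. Stage, Params, ModifyFn, formEncode, addScopeOnRefresh and buildRefreshBody are hypothetical stand-ins, and all client, token and scope values used with them are constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <functional>
#include <map>
#include <string>

// Stand-in types for this sketch; they model, but are not, Qt's classes.
enum class Stage { RequestingAccessToken, RefreshingAccessToken };
using Params = std::multimap<std::string, std::string>;
using ModifyFn = std::function<void(Stage, Params*)>;

// Percent-encode a form value (unreserved characters pass through).
std::string formEncode(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            out += static_cast<char>(c);
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out;
}

// Hook that adds scope to refresh requests only, and never an empty one.
ModifyFn addScopeOnRefresh(std::string scope) {
    return [scope](Stage stage, Params* p) {
        if (stage == Stage::RefreshingAccessToken && !scope.empty()
            && p->find("scope") == p->end())
            p->emplace("scope", scope);
    };
}

// Same order as the hunk: fixed parameters, then the hook, then the query.
std::string buildRefreshBody(const std::string& clientId,
                             const std::string& refreshToken,
                             const ModifyFn& hook) {
    Params p{{"grant_type", "refresh_token"},
             {"refresh_token", refreshToken},
             {"client_id", clientId}};
    if (hook) hook(Stage::RefreshingAccessToken, &p);
    std::string body;
    for (const auto& kv : p) {
        if (!body.empty()) body += '&';
        body += kv.first + "=" + formEncode(kv.second);
    }
    return body;
}
```
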





            jefernan Jesus Fernandez
            Marscho Marscho