Azure Login Failures on Specific Environments

What I’m trying to do: Login using Azure AD SSO in both my QA and prod environments using the Microsoft Integration.

What I’ve tried and what’s not working: I’ve tried making changes to my qa branch to force a redeploy, but the QA deployment is still using an old token. Prod is working correctly.

I’ve verified that QA is in fact using an old token because between lines 1 and 2 of the logs below, I deleted the old token from the Azure portal. Note the error changes from “client secret expired” to “invalid client secret”.

Exception: FAILED TO GET ACCESS TOKEN: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app 'a8e65e4a-19a8-489b-a30e-aaaaaaaaaaaa' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 42777275-94c8-4cd5-888c-ca23b10ee800 Correlation ID: d6b9e7d9-083c-4596-b0a9-e9d3fa098175 Timestamp: 2024-02-27 16:43:46Z","error_codes":[7000222],"timestamp":"2024-02-27 16:43:46Z","trace_id":"42777275-94c8-4cd5-888c-ca23b10ee800","correlation_id":"d6b9e7d9-083c-4596-b0a9-e9d3fa098175","error_uri":"https://login.microsoftonline.com/error?code=7000222"}
at Main, line 24
Exception: FAILED TO GET ACCESS TOKEN: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'a8e65e4a-19a8-489b-a30e-aaaaaaaaaaaa'. Trace ID: 6cfe2709-1b1e-4c81-ac49-854dfa54e300 Correlation ID: fcdd21fa-69f6-4ff7-b61c-c1395c660229 Timestamp: 2024-02-27 16:44:26Z","error_codes":[7000215],"timestamp":"2024-02-27 16:44:26Z","trace_id":"6cfe2709-1b1e-4c81-ac49-854dfa54e300","correlation_id":"fcdd21fa-69f6-4ff7-b61c-c1395c660229","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
at Main, line 24

This occurs regularly after token expiration where one environment seems to not get updated with the new secret. Last time this happened, QA was fine, but prod was not. The only solution was to generate multiple secrets in the Azure portal and keep updating the Microsoft Integration settings with the new secret until both environments “took”.

Can I manually force a rebuild of an environment or otherwise force my QA environment to re-read the secret token?

Selfish bump since we’re still having issues with this.

For anyone else who comes across this issue, the only resolution seems to be generating a new client secret in the Azure portal and choosing the “Update Client Secret” option in the Microsoft module. Afterwards, if you cross your fingers, you should be able to use Azure login across environments.

If one environment doesn’t work, rinse and repeat until they eventually all work. Kinda insane, but it’s how I was able to get it to work.
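As an added example (not code from the original post or the Microsoft integration), a small Python helper that classifies the two AADSTS error bodies shown above and compares a fingerprint of the secret each environment has loaded against the newly issued one, so a stale environment can be spotted without logging the secret itself; the environment names and secret values are constructed placeholders.

```python
import hashlib
import json
import re

# Constructed sample bodies, trimmed from the two failures quoted in the post.
EXPIRED_BODY = ('{"error":"invalid_client","error_description":"AADSTS7000222: The provided '
                'client secret keys for app ... are expired.","error_codes":[7000222]}')
INVALID_BODY = ('{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client '
                'secret provided.","error_codes":[7000215]}')

# Both codes surface as "invalid_client"; the AADSTS number tells them apart.
CAUSES = {
    7000222: "expired",   # secret sent is a real one, but past its expiry date
    7000215: "mismatch",  # secret sent matches no current secret (stale or wrong value)
}


def classify_token_error(body: str) -> dict:
    """Parse a token-endpoint error body and name the kind of secret problem."""
    data = json.loads(body)
    codes = data.get("error_codes") or []
    found = re.search(r"AADSTS(\d+)", data.get("error_description", ""))
    code = codes[0] if codes else (int(found.group(1)) if found else None)
    return {"error": data.get("error"), "aadsts": code, "cause": CAUSES.get(code, "other")}


def secret_fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: enough to compare across environments, safe to log."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def stale_environments(current_secret: str, env_secrets: dict) -> list:
    """Environments whose configured secret differs from the one just issued."""
    want = secret_fingerprint(current_secret)
    return sorted(env for env, s in env_secrets.items() if secret_fingerprint(s) != want)


if __name__ == "__main__":
    for body in (EXPIRED_BODY, INVALID_BODY):
        print(classify_token_error(body))
    # Constructed: QA still holds the old value, prod has the rotated one.
    loaded = {"qa": "old-secret-PLACEHOLDER", "prod": "new-secret-PLACEHOLDER"}
    print("stale:", stale_environments("new-secret-PLACEHOLDER", loaded))
```

Run it from each environment with the secret that environment actually loads and compare the printed fingerprints; the one that does not match is the one that never picked up the rotation.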