Office 365 Callback Fails: Invalid client secret is provided

Infos:

  • Used Zammad version: 4.0
  • Installation method (source, package, …): package
  • Operating system: CentOS
  • Browser + version: Chrome 91.0.4472.77, Firefox 88.0.1, Firefox 89.0.0

Expected behavior:

  • Successful O365 Signin and account linking

Actual behavior:

  • Error 422 Unprocessable Entity

I have double checked that I have configured the Azure application with the settings suggested in the documentation and supplied the correct App ID with the created app secret.

I, [2021-06-03T12:00:35.833420 #20439-47404254988300] INFO -- : Started POST "/auth/microsoft_office365" for 10.100.202.7 at 2021-06-03 12:00:35 -0400
I, [2021-06-03T12:00:35.839398 #20439-47404254988300] INFO -- : (microsoft_office365) Request phase initiated.
I, [2021-06-03T12:00:36.450865 #20439-47404254989080] INFO -- : Started GET "/auth/microsoft_office365/callback?code=[FILTERED]&state=11ac64aa0986b859a7dd910f070da5f420bc4adec55a46a5&session_state=682adc0f-80c7-4c42-b8c5-e5fa14171318" for 10.100.202.7 at 2021-06-03 12:00:36 -0400
I, [2021-06-03T12:00:36.456889 #20439-47404254989080] INFO -- : (microsoft_office365) Callback phase initiated.
E, [2021-06-03T12:00:36.863481 #20439-47404254989080] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, invalid_client: AADSTS7000215: Invalid client secret is provided. Trace ID: 5e82a5cf-5300-4b49-83bf-2d7d25518500 Correlation ID: 526a9d94-a7ee-4766-af04-4ce871b7caac Timestamp: 2021-06-03 16:00:36Z {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 5e82a5cf-5300-4b49-83bf-2d7d25518500\r\nCorrelation ID: 526a9d94-a7ee-4766-af04-4ce871b7caac\r\nTimestamp: 2021-06-03 16:00:36Z","error_codes":[7000215],"timestamp":"2021-06-03 16:00:36Z","trace_id":"5e82a5cf-5300-4b49-83bf-2d7d25518500","correlation_id":"526a9d94-a7ee-4766-af04-4ce871b7caac","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
I, [2021-06-03T12:00:36.911374 #20439-47404260523700] INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fhelpdesk.bowlesrice.com%2F&strategy=microsoft_office365" for 10.100.202.7 at 2021-06-03 12:00:36 -0400
I, [2021-06-03T12:00:36.920266 #20439-47404260523700] INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2021-06-03T12:00:36.920319 #20439-47404260523700] INFO -- : Parameters: {"message"=>"invalid_credentials", "origin"=>"https://helpdesk.bowlesrice.com/", "strategy"=>"microsoft_office365"}
E, [2021-06-03T12:00:36.920829 #20439-47404260523700] ERROR -- : Message from microsoft_office365: invalid_credentials (Exceptions::UnprocessableEntity)
/opt/zammad/app/controllers/sessions_controller.rb:109:in failure_omniauth’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/basic_implicit_render.rb:6:in send_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:194:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rendering.rb:30:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:42:in block in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:109:in block in run_callbacks' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in block (4 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in block (3 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in block (2 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in instance_exec' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in block in run_callbacks’
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in handle_transaction' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in block in run_callbacks’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in run_callbacks' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in block in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in block in instrument' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in instrument’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in instrument' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in process' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in process’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in dispatch' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in dispatch’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in dispatch' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in serve’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in block in serve' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in each’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in serve' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in call_app!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in other_phase’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in context' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in block in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in run_callbacks' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in call_app' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in block in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in block in tagged' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in tagged’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in tagged' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/static.rb:127:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/configuration.rb:228:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:718:in handle_request' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:472:in process_client’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:328:in block in run' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in block in spawn_thread’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in block in create_with_logging_context'
I, [2021-06-03T12:00:36.921341 #20439-47404260523700] INFO -- : Rendering inline template
I, [2021-06-03T12:00:36.921958 #20439-47404260523700] INFO -- : Rendered inline template (0.6ms)
I, [2021-06-03T12:00:36.922053 #20439-47404260523700] INFO -- : Completed 422 Unprocessable Entity in 2ms (Views: 0.8ms | ActiveRecord: 0.0ms)

Steps to reproduce the behavior:

  • Set up O365 3rd party sign in
  • Attempt to login with O365 button on login page.

Not sure why this is failing. All help welcome.

I have quadruple checked that I am entering the right application ID, Tenant ID, and secret as well as the callback URL. User.Read permissions are granted with Graph and implicit flows are on. I am grasping at straws here. I would open a ticket but they closed it and redirected me here last week. Any thoughts?
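
Added example, not part of the original post and not Zammad code: a Ruby sketch that pulls the Azure AD error body (error code, trace ID, correlation ID) out of an OmniAuth failure record like the one above, and runs two sanity checks on a configured secret without printing it. The function names and the sample record are constructed for illustration. The GUID check reflects that the Azure portal shows both a secret Value and a Secret ID and that sending the ID is rejected with this error; the post does not establish whether that is the cause here.

```ruby
require 'json'

# Constructed sample: one OmniAuth failure record in the format shown in the
# post, with placeholder IDs instead of real ones.
SAMPLE_LOG = 'E, [2021-06-03T12:00:36.863481 #20439-1] ERROR -- : (microsoft_office365) ' \
  'Authentication failure! invalid_credentials: OAuth2::Error, invalid_client: ' \
  'AADSTS7000215: Invalid client secret is provided. ' \
  '{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.",' \
  '"error_codes":[7000215],"trace_id":"00000000-0000-0000-0000-000000000001",' \
  '"correlation_id":"00000000-0000-0000-0000-000000000002"}'

# A secret ID is GUID-shaped; a secret value is not.
GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Extract the JSON error body the identity provider returned from one log record.
# Returns nil for records that are not OmniAuth authentication failures.
def parse_oauth_failure(line)
  return nil unless line.include?('Authentication failure!')
  start = line.index('{"error"')
  return nil unless start
  body = JSON.parse(line[start..line.rindex('}')])
  { strategy: line[/\((\w+)\) Authentication failure!/, 1],
    error: body['error'],
    codes: body['error_codes'],
    trace_id: body['trace_id'],
    correlation_id: body['correlation_id'] }
rescue JSON::ParserError
  nil
end

# Heuristic checks on the configured secret; returns symbols only, never the secret.
def secret_findings(secret)
  findings = []
  findings << :surrounding_whitespace if secret != secret.strip
  findings << :looks_like_secret_id if secret.strip.match?(GUID)
  findings << :empty if secret.strip.empty?
  findings
end

if __FILE__ == $PROGRAM_NAME
  p parse_oauth_failure(SAMPLE_LOG)
  p secret_findings("00000000-0000-0000-0000-000000000003\n")
end
```

The trace and correlation IDs are the values to quote when checking the matching entry in the Azure AD sign-in logs.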