Office 365 Callback Fails: Invalid client secret is provided

Technical assistance
1

Infos:

  • Used Zammad version: 4.0
  • Installation method (source, package, …): package
  • Operating system: Centos
  • Browser + version: Chrome 91.0.4472.77, Firefox 88.0.1, Firefox 89.0.0

Expected behavior:

  • Successful O365 Signin and account linking

Actual behavior:

  • Error 422 Unprocessable Entity

I have double checked that I have configured the Azure application with the settings suggested in the documentation and supplied the correct App ID with the created app secret.

I, [2021-06-03T12:00:35.833420 #20439-47404254988300] INFO -- : Started POST "/auth/microsoft_office365" for 10.100.202.7 at 2021-06-03 12:00:35 -0400 I, [2021-06-03T12:00:35.839398 #20439-47404254988300] INFO -- : (microsoft_office365) Request phase initiated. I, [2021-06-03T12:00:36.450865 #20439-47404254989080] INFO -- : Started GET "/auth/microsoft_office365/callback?code=[FILTERED]&state=11ac64aa0986b859a7dd910f070da5f420bc4adec55a46a5&session_state=682adc0f-80c7-4c42-b8c5-e5fa14171318" for 10.100.202.7 at 2021-06-03 12:00:36 -0400 I, [2021-06-03T12:00:36.456889 #20439-47404254989080] INFO -- : (microsoft_office365) Callback phase initiated. E, [2021-06-03T12:00:36.863481 #20439-47404254989080] ERROR -- : (microsoft_office365) Authentication failure! invalid_credentials: OAuth2::Error, invalid_client: AADSTS7000215: Invalid client secret is provided. Trace ID: 5e82a5cf-5300-4b49-83bf-2d7d25518500 Correlation ID: 526a9d94-a7ee-4766-af04-4ce871b7caac Timestamp: 2021-06-03 16:00:36Z {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 5e82a5cf-5300-4b49-83bf-2d7d25518500\r\nCorrelation ID: 526a9d94-a7ee-4766-af04-4ce871b7caac\r\nTimestamp: 2021-06-03 16:00:36Z","error_codes":[7000215],"timestamp":"2021-06-03 16:00:36Z","trace_id":"5e82a5cf-5300-4b49-83bf-2d7d25518500","correlation_id":"526a9d94-a7ee-4766-af04-4ce871b7caac","error_uri":"https://login.microsoftonline.com/error?code=7000215"} I, [2021-06-03T12:00:36.911374 #20439-47404260523700] INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fhelpdesk.bowlesrice.com%2F&strategy=microsoft_office365" for 10.100.202.7 at 2021-06-03 12:00:36 -0400 I, [2021-06-03T12:00:36.920266 #20439-47404260523700] INFO -- : Processing by SessionsController#failure_omniauth as HTML I, [2021-06-03T12:00:36.920319 #20439-47404260523700] INFO -- : Parameters: {"message"=>"invalid_credentials", "origin"=>"https://helpdesk.bowlesrice.com/", "strategy"=>"microsoft_office365"} E, [2021-06-03T12:00:36.920829 #20439-47404260523700] ERROR -- : Message from microsoft_office365: invalid_credentials (Exceptions::UnprocessableEntity) /opt/zammad/app/controllers/sessions_controller.rb:109:in failure_omniauth’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/basic_implicit_render.rb:6:in send_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:194:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rendering.rb:30:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:42:in block in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:109:in block in run_callbacks' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in block (4 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in block (3 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in subscribed' /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in block (2 levels) in module:HasSecureContentSecurityPolicyForDownloads’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in instance_exec' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in block in run_callbacks’
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in handle_transaction' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in block in run_callbacks’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in run_callbacks' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in block in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in block in instrument' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in instrument’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in instrument' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in process_action' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in process_action’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in process' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in process’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in dispatch' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in dispatch’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in dispatch' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in serve’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in block in serve' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in each’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in serve' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in call_app!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in other_phase’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in context' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in block in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in run_callbacks' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in call_app' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in block in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in block in tagged' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in tagged’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in tagged' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/static.rb:127:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in call' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/configuration.rb:228:in call’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:718:in handle_request' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:472:in process_client’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:328:in block in run' /opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in block in spawn_thread’
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in block in create_with_logging_context' I, [2021-06-03T12:00:36.921341 #20439-47404260523700] INFO -- : Rendering inline template I, [2021-06-03T12:00:36.921958 #20439-47404260523700] INFO -- : Rendered inline template (0.6ms) I, [2021-06-03T12:00:36.922053 #20439-47404260523700] INFO -- : Completed 422 Unprocessable Entity in 2ms (Views: 0.8ms | ActiveRecord: 0.0ms)

Steps to reproduce the behavior:

  • Setup O365 3rd party sign in
  • Attempt to login with O365 button on login page.
2

Not sure why this is failing. All help welcome.

3

I have quadruple checked that I am entering the right application ID, Tennant ID, and secret as well as the call back url. User.Read permissions are granted with Graph and implicit flows are on. I am grasping at straws here. I would open a ticket but they closed it and redirected me here last week. Any thoughts?

4

Microsoft is complaining about indaliv client secret.
If I’d have to guess you didn’t take the secret value but the secret id which won’t work.

Following the documentation one last time may help you:
https://admin-docs.zammad.org/en/latest/channels/microsoft365/accounts/register-app.html

2 Likes
5

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.