microsoft-authentication-library-for-android: AADSTS9002313: Invalid request. Request is malformed or invalid.

I am getting the following MsalUiRequiredException when calling PublicClientApplication.acquireTokenSilentAsync(scopes, account, callback) after the access token expires.

Scope: "https://<REMOVED>.onmicrosoft.com/security/access.full"

com.microsoft.identity.client.exception.MsalUiRequiredException: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: <REMOVED>
Correlation ID: <REMOVED>
Timestamp: 2019-04-02 12:27:11Z
    at com.microsoft.identity.client.internal.controllers.LocalMSALController.renewAccessToken(LocalMSALController.java:404)
    at com.microsoft.identity.client.internal.controllers.LocalMSALController.acquireTokenSilent(LocalMSALController.java:307)
    at com.microsoft.identity.client.internal.controllers.MSALTokenCommand.execute(MSALTokenCommand.java:65)
    at com.microsoft.identity.client.internal.controllers.MSALApiDispatcher$2.run(MSALApiDispatcher.java:267)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:764)

The following HTTP Request & Response information was taken from a debug session using breakpoints in the OAuth2Strategy class.

HTTP Request Headers:

{client-request-id=<REMOVED>, 
x-client-CPU=arm64-v8a, 
Host=login.windows.net, 
x-client-Ver=0.1.3, 
x-client-DM=ONEPLUS A6013, 
x-client-OS=28, 
x-client-SKU=MSAL.Android}

Url: https://login.windows.net/<REMOVED>/%2FoAuth2%2Fv2.0%2Ftoken

Body:

client_id=<REMOVED>&
client_info=1&
grant_type=refresh_token&
redirect_uri=msal<REMOVED>%3A%2F%2Fauth&
refresh_token=<REMOVED>&
scope=https%3A%2F%2F<REMOVED>.onmicrosoft.com%2Fsecurity%2Faccess.full+openid+profile+offline_access

HTTP Response Headers:

{null=[HTTP/1.1 400 Bad Request], 
Cache-Control=[no-cache, no-store], 
client-request-id=[<REMOVE>], 
Connection=[close], 
Content-Length=[418], 
Content-Type=[application/json; charset=utf-8], 
Date=[Tue, 02 Apr 2019 12:27:11 GMT], 
Expires=[-1], 
P3P=[CP="DSP CUR OTPi IND OTRi ONL FIN"], 
Pragma=[no-cache], 
Set-Cookie=[fpc=<REMOVE>; expires=Thu, 02-May-2019 12:27:11 GMT; path=/; secure; HttpOnly, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly], 
Strict-Transport-Security=[max-age=31536000; includeSubDomains], 
X-Android-Received-Millis=[1554208030120], 
X-Android-Response-Source=[NETWORK 400], 
X-Android-Selected-Protocol=[http/1.1], 
X-Android-Sent-Millis=[1554208030062], 
X-Content-Type-Options=[nosniff], 
x-ms-clitelem=[1,9002313,0,,], 
x-ms-request-id=[<REMOVE>]}

Body:

{"error":"invalid_grant",
"error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: <REMOVED>\r\nCorrelation ID: <REMOVED>\r\nTimestamp: 2019-04-02 12:27:11Z",
"error_codes":[9002313],
"timestamp":"2019-04-02 12:27:11Z",
"trace_id":"<REMOVED>",
"correlation_id":"<REMOVED>"}

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

The problem ended up being a configuration issue. My PublicClientApplication is configured with a DEFAULT B2C authority. I was then using PublicClientApplication.acquireTokenSilentAsync(scopes, account, callback) to refresh the token. The problem (according to @iambmelt) was that the token refresh was being routed to the AAD STS (Secure Token Service), Azure AD’s token issuer, rather than the B2C STS. The fix was to pass in a null for the authority to let the SDK resolve the token endpoint. I used public void acquireTokenSilentAsync(scopes, account, authority, forceRefresh, callback).

Thanks to @iambmelt for doing the research and providing a fix!
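
A small triage helper for the situation described in the comment above, as an added example that is not part of the original thread or of MSAL: it compares the authority the app was configured with against the token endpoint captured in the debugger and flags the `invalid_grant` / 9002313 combination when the refresh was not sent under that authority. The authority string, tenant name and policy name are constructed placeholders, and the B2C authority format is an assumption.

```python
import json
from urllib.parse import urlsplit, unquote

# Constructed inputs modelled on the capture in this issue; the tenant name,
# B2C policy name and authority format are assumptions, not values from the thread.
AUTHORITY = "https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_signin/"
TOKEN_URL = "https://login.windows.net/contoso.onmicrosoft.com/%2FoAuth2%2Fv2.0%2Ftoken"
BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.",
    "error_codes": [9002313],
    "correlation_id": "00000000-0000-0000-0000-000000000000",
})


def _split(url):
    """Return (host, path segments); %2F is decoded and case is folded first."""
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    return (parts.hostname or "").lower(), [s for s in path.split("/") if s]


def diagnose_refresh(authority, token_url, response_body):
    """Check whether a failed refresh was sent under the configured authority."""
    err = json.loads(response_body)
    codes = err.get("error_codes", [])
    auth_host, auth_path = _split(authority)
    tok_host, tok_path = _split(token_url)
    # Only the path is compared (tenant and policy segments); hosts are reported
    # for the analyst because one token service can answer on several host names.
    under_authority = tok_path[:len(auth_path)] == auth_path
    return {
        "error": err.get("error"),
        "codes": codes,
        "correlation_id": err.get("correlation_id"),
        "authority_host": auth_host,
        "token_host": tok_host,
        "under_configured_authority": under_authority,
        # The combination the thread traced to a refresh routed to the wrong STS.
        "suspect_authority_mismatch": (
            err.get("error") == "invalid_grant"
            and 9002313 in codes
            and not under_authority
        ),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose_refresh(AUTHORITY, TOKEN_URL, BODY), indent=2))
```

The `correlation_id` it returns is the value the maintainers ask for later in the thread, so it is worth logging alongside the verdict.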

Hello, we are also seeing a case where we receive this error. Is there any chance we can get insights from the Microsoft/Azure side on what’s causing it? Here are the details:

AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 1f2ed837-cba0-47d6-8bc6-f3477fb24700
Correlation ID: 205276f8-9ece-4083-b79d-4235d7ff7bf8
Timestamp: 2021-02-02 15:27:32Z

Thank you!

Can someone help me on this issue? I have the same error:

{u'correlation_id': u'6678c42e-6935-4f53-86e9-f00f5a31f8c2', u'error': u'invalid_grant', u'error_codes': [9002313], u'error_description': u'AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: db3676d4-5d5d-4104-96c9-f3fd92d01300\r\nCorrelation ID: 6678c42e-6935-4f53-86e9-f00f5a31f8c2\r\nTimestamp: 2019-06-04 10:06:54Z', u'timestamp': u'2019-06-04 10:06:54Z', u'trace_id': u'db3676d4-5d5d-4104-96c9-f3fd92d01300'}

And I don’t know how to deal with it.

@iambmelt I will be sending you an email today with the information requested, thanks!

Thanks @rbiresch - I’ll follow up on this with our backend team and get back to you.

@iambmelt here is the Correlation ID: 9fb689af-1006-4957-a0d3-980931252380