Partner-Center-PowerShell: New-PartnerAccessToken returns error AADSTS50011 when -UseAuthorizationCode is used

Steps to reproduce

What steps can reproduce the defect? Please share the setup, commandline for vstest.console, sample project, target framework etc.

When using the command below with an application that was created from the guidance for the v1.5 module, we get the error below in the browser after authentication.

$t=New-PartnerAccessToken -ApplicationId '<app id>' -Credential (Get-Credential) -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' -ServicePrincipal -Tenant '<tenant id>' -UseAuthorizationCode
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:

Seems the problem is that this new v2 module requires that the application has https://localhost as a reply URL, whereas in the previous version the guidance was that the app should be created with the urn:ietf:wg:oauth:2.0:oob reply URL. The module should allow for both, or not require the reply URL value at all.

Expected behavior

Share the expected output

Authenticate

Actual behavior

What is the behavior observed?

AAD error.

Diagnostic logs

Please share test platform diagnostics logs.
The logs may contain test assembly paths, kindly review and mask those before sharing.

Environment

Please share additional details about your environment. Version

PS 5.1 and PS 6.2.3

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

@cblackuk and @slavizh this is the expected behavior with the 2.0 release. Thank you for pointing out this breaking change is not included in the breaking changes documentation. I will work on getting that fixed shortly. The reason for this change is that PowerShell Core does not support the Windows form approach that was used in the past. To ensure that the New-PartnerAccessToken command could function identically between PowerShell 5.1 and PowerShell Core this change was required. You can learn about the expected configurations here.

Please let us know if you have any questions.

For anyone still struggling with this, the solution for me was to manipulate the app registration with the following:

"replyUrlsWithType": [
    {
        "url": "urn:ietf:wg:oauth:2.0:oob",
        "type": "Web"
    },
    {
        "url": "http://localhost:8400",
        "type": "Web"
    }
],
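An added check, not code from the issue or the Partner-Center-PowerShell project: it parses an exported app-registration manifest and reports which of the reply URLs discussed in this thread are missing, so the mismatch is caught before the login flow fails with AADSTS50011. The default list assumes the two values from the comment above (the legacy out-of-band URI and http://localhost:8400); the exact localhost value the module requests may differ by version.

```powershell
# Added example (not from the issue or the project): verify that an app
# registration manifest carries the reply URLs needed by the module generation
# in use. Default list is an assumption taken from the working comment above:
# urn:ietf:wg:oauth:2.0:oob for v1.x and http://localhost:8400 for v2.x.
function Test-PartnerReplyUrls {
    param(
        [Parameter(Mandatory)] [string] $ManifestJson,
        [string[]] $Required = @('urn:ietf:wg:oauth:2.0:oob', 'http://localhost:8400')
    )

    $manifest = $ManifestJson | ConvertFrom-Json

    # replyUrlsWithType is the manifest section shown in the thread; collect its url values.
    $present = @($manifest.replyUrlsWithType | ForEach-Object { $_.url })

    # Reply URL matching is an exact string comparison, so check each required value literally.
    $missing = @($Required | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        Present = $present
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Constructed sample manifest fragment that only has the legacy out-of-band URI,
# i.e. an app registered under the v1.x guidance.
$sample = @'
{
  "replyUrlsWithType": [
    { "url": "urn:ietf:wg:oauth:2.0:oob", "type": "Web" }
  ]
}
'@

# Reports http://localhost:8400 as missing and Ok = False for the sample above.
Test-PartnerReplyUrls -ManifestJson $sample | Format-List
```

To check a real registration, export the manifest from the Azure portal (or retrieve it with your tooling of choice) and pass its JSON text as -ManifestJson.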

@cblackuk yes works if both are added.

In any case you should allow interrupting the process with Ctrl+C and have some default timeout if authentication is not done. I think that is present in the Az module if I remember correctly.

@isaiahwilliams This issue is still present with the latest version (.5). Let us know whether the new guidance will be to include https://localhost in the reply URLs of the AAD app. Also, if that is the case, should we remove urn:ietf:wg:oauth:2.0:oob or should it stay?

@isaiahwilliams Several days have passed and the only update that was merged didn't fix the issue. Is the issue being investigated? Do we need to provide more information? When can we expect a fix?

Yes. Especially since it was not documented that this is a breaking change.

@isaiahwilliams by the look of the merge request, it seems we will have to update our apps rather than the code being changed, correct?

The code that was merged but not yet published “might” fix the refresh token but it will not fix this issue IMHO, but I guess we will have to test it.

@slavizh @isaiahwilliams

https://github.com/microsoft/Partner-Center-PowerShell/blob/7dc27f079706af122a9d2ce44c075b68c65cf553/src/PowerShell/Authenticators/InteractiveUserAuthenticator.cs#L47

This needs changing as @slavizh said earlier.

It has got to be this urn:ietf:wg:oauth:2.0:oob