I am getting an error that OAuth2 Code has already been redeemed

Question

def get_access_token(authorization_code):
        
    token_url = "https://login.microsoftonline.com/xxxx-xxxx-xxxx-xxxx-xxxxcxxxxe/oauth2/v2.0/token" 
    redirect_uri = "https://localhost/api/oauth2/callback" 
    client_id = "xxxxxx-xxx-xxxx-xxx-xxxxxx"
    client_secret = "xxxx~xxxxx~xxxx_xxxxxxxxx"
    scope = "https://graph.microsoft.com/.default"


    headers = {'Content-Type' : 'application/x-www-form-urlencoded'}
    token_data = {
        'grant_type': 'client_credentials',
        'code': authorization_code,
        'redirect_uri': redirect_uri,
        'client_id': client_id,
        'client_secret': client_secret,
        'scope': scope,
        }

    response = requests.post(token_url, headers = headers, data=token_data)
    token_json = response.json()

    if 'access_token' in token_json:
        return token_json['access_token']
    else:
        raise Exception(f"Error fetching access token: {token_json.get('error_description', 'Unknown error')}")

I can't find any user information within the bearer that Microsoft provides. The token end point seems to be correct and I get all the user info within Microsoft Graph Explorer but can't on my django app.

Edit:

Changing Grant type to 'authorization_code' gives me error that OAuth2 was already redeemed. I am using Django Auth ADFS library within my Djano App where I think the code is already been redeemed. I cannot directly make changes within the Library. Is there any other way to get the OAuth2 Code?

Answer 1

The error is because you are making use of Authorization code flow but passing parameter value as client credentials for grant_type.

Initially, I registered Microsoft Entra ID Application in B2C tenant:

Granted Delegated type User.Read.All API permission:

To resolve the error modify code l:

import requests

def get_access_token(authorization_code):
    # Replace these with your actual values
    tenant_id = "<tenant_id>"  # Update this with your actual tenant ID
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    redirect_uri = "http://localhost:5000"  # This must match the redirect URI configured in your app registration
    client_id = "<client_id>"  # Your app's client ID
    client_secret = "<client_secret>"  # Your app's client secret
    scope = "https://graph.microsoft.com/.default"  # The scope for your request

    # Set up the headers and body for the token request
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    token_data = {
        'grant_type': 'authorization_code',  # Use authorization_code for this flow
        'code': authorization_code,  # The authorization code received from the redirect
        'redirect_uri': redirect_uri,  # Redirect URI must match the one configured in your app
        'client_id': client_id,  # The app's client ID
        'client_secret': client_secret,  # The app's client secret
        'scope': scope,  # Scopes you want to request
    }

    # Make the POST request to get the token
    response = requests.post(token_url, headers=headers, data=token_data)
    
    # Parse the response and check for errors
    token_json = response.json()

    # Check if the access token was successfully obtained
    if 'access_token' in token_json:
        return token_json['access_token']
    else:
        error_message = token_json.get('error_description', 'Unknown error')
        raise Exception(f"Error fetching access token: {error_message}")

def get_users(access_token):
    # Initial URL for fetching users from Microsoft Graph API
    graph_url = "https://graph.microsoft.com/v1.0/users"
    headers = {"Authorization": f"Bearer {access_token}"}
    
    users = []
    
    while graph_url:
        response = requests.get(graph_url, headers=headers)
        if response.status_code == 200:
            data = response.json()
            users.extend(data.get("value", []))  # Add the current batch of users
            graph_url = data.get("@odata.nextLink")  # Get the next page link, if it exists
        else:
            raise Exception(f"Error fetching users: {response.status_code} - {response.text}")
    
    return users

def print_users(users):
    # Print user details in a formatted table
    print(f"{'Display Name':<30} {'ID':<40} {'Email':<40}")
    print("-" * 110)
    
    for user in users:
        display_name = user.get("displayName") or "N/A"  # Safely handle None values
        user_id = user.get("id") or "N/A"  # Safely handle None values
        email = user.get("mail") or "N/A"  # Safely handle None values
        print(f"{display_name:<30} {user_id:<40} {email:<40}")

# Example usage
authorization_code = input("Enter the authorization code: ")
try:
    # Step 1: Get the access token
    access_token = get_access_token(authorization_code)
    print("Access token :", access_token)

    # Step 2: Get the list of users using the access token
    users = get_users(access_token)

    # Step 3: Print the users with displayName, id, and mail
    print_users(users)
except Exception as e:
    print(e)

To get code, I ran below authorization request in browser:

https://login.microsoftonline.com/<b2c_tenant_id>/oauth2/v2.0/authorize? 
&client_id=<app_id>
&client_secret = <client_secret>
&redirect_uri= http://localhost:5000
&response_type=code  
&response_mode=query  
&scope= https://graph.microsoft.com/.default

Response: