[QUERY] Issue while fetching a new access token using refresh token in a spring boot client

[smitha0202]

Query/Question
I am able to log in and fetch the ID token, Access Token, and refresh token for an application built using the sample below. But, when the access token expires, the spring application sends a new POST request with the refresh token for a new token. This request is failing with the following error :
AADSTS90009: Application 'XXX' is requesting a token for itself. This scenario is supported only if the resource is specified using the GUID-based App Identifier.

For App registration in the Azure AD, I have chosen the application type as web, created a custom scope, and listed this new scope along with OpenID, profile, and offline_access in the client configuration.

Please let me know how to resolve this error

Setup (please complete the following information if applicable):

• OS: Windows/Linux
• IDE: IntelliJ
• Sample Path: aad/spring-security/servlet/oauth2/client-access-resource-server/client/src/main/resources/application.yml and
  -sample Path: (https://github.com/Azure-Samples/azure-spring-boot-samples/tree/spring-cloud-azure_v4.4.1/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client)
  /pom.xml
• Library/Libraries: spring-boot-starter-oauth2-client

[Netyyyy]

Hi @smitha0202 , thanks for reaching out.
We have received your submission and will take it into consideration. We appreciate your input and will review this matter as soon as possible.
Please feel free to provide any additional information or context that you think may be helpful. We'll keep you updated on the progress of our review.
Thank you for your contribution to improving our project.

[rpochet]

Hi,

I had the same issue, it seems that the "scope" parameter is missing the refresh_token request. One way yo solve the issue is to redefine a bean of type ReactiveOAuth2AccessTokenResponseClient:

@Bean public ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> authorizationCodeAccessTokenResponseClient() { var accessTokenResponseClient = new WebClientReactiveRefreshTokenTokenResponseClient(); accessTokenResponseClient.addParametersConverter(source -> { var parameters = new LinkedMultiValueMap<String, String>(); parameters.set(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(source.getClientRegistration().getScopes(), " ")); return parameters; }); return accessTokenResponseClient; }