VSO OAuth - Invalid client auth token

  • Question

  • Hi,

    The problem

    I am trying to get an access token using the auth flow documented at:


    But I am getting an "Invalid client auth token" response when POSTing the authorization token to VSO.

    Steps followed

    Registered the application - ok

    I have registered my app on the Visual Studio portal and got the related clientid and appsecret.

    Retrieving the authorization code - ok

    The first step of the flow works well, i.e., I am able to do a GET https://app.vssps.visualstudio.com/oauth2/authorize/...

    This step is showing me the VSO "Authorize Application" page for the requested scope.

    After I click on "Authorize", VSO is redirecting to my callback uri, with the authorization code.

    Retrieving the access code - not ok

    Using this authorization code, I am creating a POST request, like:

    POST https://app.vssps.visualstudio.com/oauth2/token
        ?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
        &client_assertion=my_app_secret
        &grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
        &assertion=the_authorization_code_returned_by_vso
        &redirect_uri=the_same_uri_as_the_previous_step

    I am also setting the POST request content-type to

    Content-type: application/x-www-form-urlencoded

    When the POST is executed, instead of getting the access code, I am getting the following error:

    {"Error":"invalid_client","ErrorDescription":"Invalid client auth token."} 

    The server side code to create the POST request is:

                var client = new HttpClient();

                var postUrl = @"https://app.vssps.visualstudio.com/oauth2/token"
                    + "?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
                    + "&client_assertion=" + appSecret
                    + "&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"
                    + "&assertion=" + code
                    + "&redirect_uri=" + returnUri;

                var request = new HttpRequestMessage()
                {
                    RequestUri = new Uri(postUrl),
                    Method = HttpMethod.Post,
                };

                request.Content = new StringContent(string.Empty, Encoding.UTF8, "application/x-www-form-urlencoded");

                HttpResponseMessage response = await client.SendAsync(request);

    Where appSecret was retrieved from the VSO Application Settings page, and code was provided by the VSO response to my authorization request.

    I have checked the POST request with FIDDLER, and everything seems ok (i.e., the content-type is set and the url contains all the parameters according to the documentation).

    Can someone tell me what I am doing wrong?

    Saturday, July 18, 2015 2:12 PM
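
An added example, not part of the original post and not Microsoft's own code: the same token request built with every parameter in the form-encoded body instead of the URL, which is where RFC 6749 places token-endpoint parameters and which keeps the app secret and authorization code out of URL logs. It assumes the VSO token endpoint reads the parameters from the body; the class name `VsoTokenRequest`, the callback URL and the credential values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

static class VsoTokenRequest // hypothetical name, for illustration only
{
    const string TokenEndpoint = "https://app.vssps.visualstudio.com/oauth2/token";

    // Builds the token request with all parameters in the form body.
    // FormUrlEncodedContent percent-encodes each value and sets
    // Content-Type: application/x-www-form-urlencoded on its own.
    public static HttpRequestMessage Build(string appSecret, string code, string returnUri)
    {
        var form = new Dictionary<string, string>
        {
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = appSecret,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = code,
            ["redirect_uri"] = returnUri,
        };
        return new HttpRequestMessage(HttpMethod.Post, TokenEndpoint)
        {
            Content = new FormUrlEncodedContent(form)
        };
    }

    static async Task Main()
    {
        // Constructed placeholder values, not real credentials.
        var request = Build("APP_SECRET_PLACEHOLDER", "AUTH_CODE_PLACEHOLDER",
                            "https://example.test/oauth/callback");

        string body = await request.Content.ReadAsStringAsync();
        Console.WriteLine(request.RequestUri.Query.Length == 0
            ? "URL carries no parameters" : "URL still carries parameters");
        Console.WriteLine(request.Content.Headers.ContentType);

        // Print parameter names only; the values are secrets and stay out of logs.
        foreach (var pair in body.Split('&'))
            Console.WriteLine(pair.Split('=')[0]);

        // To send: using (var client = new HttpClient())
        //              { var response = await client.SendAsync(request); }
    }
}
```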


All replies