Error: Clients must send a client_secret... RRS feed

  • Question

  • I have an iOS mobile app that's been authorizing to Azure for a couple years with no problems. All of a sudden I'm getting a 400 error: {"error":"invalid_request","error_description":"AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.\r\nCorrelation ID: 425f0e65-3940-4f75-af8b-a5648339e21d\r\nTimestamp: 2019-04-04 19:00:28Z\r\n"}

    This is happening when sending a POST to


    after getting a valid code. The docs make it clear that mobile clients do not send a client_secret. The fields I am sending are grant_type, client_id, redirect_uri and code. 

    AFAIK, nothing has changed on my side. The error is intermittent.

    Has something changed on Azure in the way this is supposed to work? Any other idea what's changed?

    • Edited by BrianS99 Thursday, April 4, 2019 7:25 PM
    Thursday, April 4, 2019 7:19 PM

All replies

  • Hi BrianSS9,

    Thanks for raising this issue. I am investigating this and will update you.

    Friday, April 5, 2019 3:03 PM
  • Thanks for the question! You can try to open App Registration under Azure Active Directory, go to the app registration used by your mobile app, open Settings>Keys and check if the "Password" currently used expired. If so, then you will have to create a new password and update your backend to use it.

    If you are using the "Authentication/Authorization" feature of App Services, the change needs to be made under this blade or via Azure Resource Explorer.

    Monday, April 8, 2019 7:36 AM