New-PartnerAccessToken returns error AADSTS50011 when -UseAuthorizationCode is used
Steps to reproduce
What steps can reproduce the defect? Please share the setup, commandline for vstest.console, sample project, target framework etc.
When using the command below with an application that was created from the guidance on the v1.5 module, we get the error below in the browser after authentication.
$t=New-PartnerAccessToken -ApplicationId '<app id>' -Credential (Get-Credential) -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' -ServicePrincipal -Tenant '<tenant id>' -UseAuthorizationCode
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:
It seems the problem is that this new v2 module requires that the application has https://localhost as a reply URL in the app, whereas in the previous version the guidance was that the app should be created with the urn:ietf:wg:oauth:2.0:oob reply URL. The module should allow for both or not require the reply URL value at all.
Expected behavior
Share the expected output
Authenticate
Actual behavior
What is the behavior observed?
AAD error.
Diagnostic logs
Please share test platform diagnostics logs.
The logs may contain test assembly paths, kindly review and mask those before sharing.
Environment
Please share additional details about your environment.
Version
PS 5.1 and PS 6.2.3
Issue Analytics
- State:
- Created 4 years ago
- Comments:15 (7 by maintainers)
@cblackuk and @slavizh this is the expected behavior with the 2.0 release. Thank you for pointing out this breaking change is not included in the breaking changes documentation. I will work on getting that fixed shortly. The reason for this change is that PowerShell Core does not support the Windows form approach that was used in the past. To ensure that the New-PartnerAccessToken command could function identically between PowerShell 5.1 and PowerShell Core this change was required. You can learn about the expected configurations here. Please let us know if you have any questions.
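Added example, not part of the thread or the module's own code: a small offline check that pulls the `redirect_uri` out of the authorize URL shown in the browser and compares it with the reply URLs configured on the app registration, which is the mismatch AADSTS50011 reports. The function name `Test-ReplyUrlMatch`, the sample URL and the strict comparison rule are assumptions of this example; the two reply URL values are the ones named in the report above.

```powershell
# Added example. Hypothetical helper, not a cmdlet of the PartnerCenter module.
function Test-ReplyUrlMatch {
    [CmdletBinding()]
    param(
        # Full authorize URL copied from the browser address bar.
        [Parameter(Mandatory)] [string] $AuthorizeUrl,
        # Reply URLs currently configured on the app registration.
        [Parameter(Mandatory)] [string[]] $RegisteredReplyUrl
    )

    # Walk the query string and URL-decode the redirect_uri parameter.
    $query = ([System.Uri] $AuthorizeUrl).Query.TrimStart('?')
    $requested = $null
    foreach ($pair in ($query -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name -eq 'redirect_uri') {
            $requested = [System.Uri]::UnescapeDataString($value)
        }
    }
    if (-not $requested) {
        throw 'No redirect_uri parameter found in the authorize URL.'
    }

    # Assumption of this example: compare case-sensitively and treat any
    # difference (scheme, trailing slash, letter case) as a mismatch.
    $exact = @($RegisteredReplyUrl | Where-Object { $_ -ceq $requested })
    # Entries that differ only by case or a trailing slash are listed separately
    # so a near miss is easy to spot.
    $near = @($RegisteredReplyUrl | Where-Object {
        $_ -cne $requested -and $_.TrimEnd('/') -ieq $requested.TrimEnd('/')
    })

    [pscustomobject]@{
        RequestedReplyUrl  = $requested
        IsRegistered       = ($exact.Count -gt 0)
        NearMisses         = $near
        RegisteredReplyUrl = $RegisteredReplyUrl
    }
}

# Constructed sample: a request carrying https://localhost checked against an
# app that only has the reply URL from the older guidance.
$sampleUrl = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/authorize' +
             '?client_id=11111111-1111-1111-1111-111111111111&response_type=code' +
             '&redirect_uri=https%3A%2F%2Flocalhost'
Test-ReplyUrlMatch -AuthorizeUrl $sampleUrl -RegisteredReplyUrl 'urn:ietf:wg:oauth:2.0:oob'
```

With the constructed sample, `IsRegistered` is `False` and `NearMisses` is empty, which corresponds to the situation reported in this issue.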
For anyone still struggling with this, the solution for me was to manipulate the app registration with the following: