InternalOAuthError: Failed to obtain access token

My version of HedgeDoc is: 1.8.2

What I expected to happen:

Successful login with OAuth2

What actually happened:

Client receives reply:

Internal Server Error

Server shows in the logs:

InternalOAuthError: Failed to obtain access token
    at OAuth2CustomStrategy.OAuth2Strategy._createOAuthError (/hedgedoc/node_modules/passport-oauth2/lib/strategy.js:408:17)
    at /hedgedoc/node_modules/passport-oauth2/lib/strategy.js:175:45
    at /hedgedoc/node_modules/oauth/lib/oauth2.js:191:18
    at passBackControl (/hedgedoc/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/hedgedoc/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (events.js:326:22)
    at endReadableNT (_stream_readable.js:1241:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

I already tried:

I confirmed that the application is registered in our Azure Active Directory. The TLS certificate of the installation is valid. The callback URL is correct, because otherwise we wouldn’t get to this stage of the login procedure.

Here is what my relevant configuration looks like:

    "CMD_ALLOW_ANONYMOUS"                       = false
    "CMD_EMAIL"                                 = false
    "CMD_ALLOW_EMAIL_REGISTER"                  = false
    "CMD_OAUTH2_CLIENT_ID"                      = var.oauth2_client_id
    "CMD_OAUTH2_CLIENT_SECRET"                  = var.oauth2_client_secret
    "CMD_OAUTH2_AUTHORIZATION_URL"              = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/authorize"
    "CMD_OAUTH2_TOKEN_URL"                      = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/api/v1/token"
    "CMD_OAUTH2_USER_PROFILE_URL"               = "https://graph.microsoft.com/oidc/userinfo"
    "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR"     = "email"
    "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name"
    "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR"        = "email"

Unfortunately, the error message “Failed to obtain access token” is not specific enough for me to have an idea how to proceed.

Any help would be greatly appreciated. Thanks!

I found that the configuration is not exactly right for the Azure API as of today.

    "CMD_OAUTH2_AUTHORIZATION_URL"              = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/authorize"
    "CMD_OAUTH2_TOKEN_URL"                      = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token"
    "CMD_OAUTH2_SCOPE"                          = "openid email profile"

Note the ‘v2.0’ in the updated URL and the additional scope setting.

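As an added example that is not part of the original thread or of HedgeDoc itself, here is a small lint that encodes the fix from the reply above: it flags the v1-style endpoint URLs from the original report, a token URL on a different tenant than the authorization URL, and a missing or incomplete `CMD_OAUTH2_SCOPE`. The tenant id and config objects are constructed placeholders.

```javascript
// Added example, not HedgeDoc's own code: a lint for the HedgeDoc CMD_OAUTH2_*
// settings used with Azure AD, encoding the fix from the reply above (v2.0
// endpoints plus an explicit "openid email profile" scope).
const AZURE_HOST = 'login.microsoftonline.com';
const REQUIRED_SCOPES = ['openid', 'email', 'profile'];

// Returns the tenant path segment of an Azure endpoint URL, or null if the
// URL does not parse or is not an https URL on login.microsoftonline.com.
function azureTenantOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' || u.hostname !== AZURE_HOST) return null;
    return u.pathname.split('/')[1] || null;
  } catch (e) {
    return null;
  }
}

// Lints an object keyed like HedgeDoc's environment variables and returns a
// list of human-readable problems (empty when the config looks right).
function lintAzureOAuth2Config(env) {
  const problems = [];
  const authUrl = env.CMD_OAUTH2_AUTHORIZATION_URL || '';
  const tokenUrl = env.CMD_OAUTH2_TOKEN_URL || '';
  const authTenant = azureTenantOf(authUrl);
  const tokenTenant = azureTenantOf(tokenUrl);
  if (!authTenant || !authUrl.endsWith(`/${authTenant}/oauth2/v2.0/authorize`)) {
    problems.push('CMD_OAUTH2_AUTHORIZATION_URL is not the Azure v2.0 authorize endpoint');
  }
  if (!tokenTenant || !tokenUrl.endsWith(`/${tokenTenant}/oauth2/v2.0/token`)) {
    problems.push('CMD_OAUTH2_TOKEN_URL is not the Azure v2.0 token endpoint');
  }
  if (authTenant && tokenTenant && authTenant !== tokenTenant) {
    problems.push('authorization and token URLs point at different tenants');
  }
  // The reply also sets an explicit scope; flag it when absent or incomplete.
  const scopes = (env.CMD_OAUTH2_SCOPE || '').split(/\s+/).filter(Boolean);
  const missing = REQUIRED_SCOPES.filter((s) => !scopes.includes(s));
  if (missing.length > 0) problems.push(`CMD_OAUTH2_SCOPE is missing: ${missing.join(' ')}`);
  return problems;
}
// Constructed sample configs: the endpoints from the original report and the
// corrected ones from the reply; TENANT_ID_PLACEHOLDER stands in for a real tenant.
const BASE = `https://${AZURE_HOST}/TENANT_ID_PLACEHOLDER/oauth2`;
const REPORTED_CONFIG = { CMD_OAUTH2_AUTHORIZATION_URL: `${BASE}/authorize`,
  CMD_OAUTH2_TOKEN_URL: `${BASE}/api/v1/token` };
const FIXED_CONFIG = { CMD_OAUTH2_AUTHORIZATION_URL: `${BASE}/v2.0/authorize`,
  CMD_OAUTH2_TOKEN_URL: `${BASE}/v2.0/token`, CMD_OAUTH2_SCOPE: 'openid email profile' };
console.log(lintAzureOAuth2Config(REPORTED_CONFIG), lintAzureOAuth2Config(FIXED_CONFIG));
```

Run it against the real environment (for example `lintAzureOAuth2Config(process.env)`) before restarting HedgeDoc; the client secret is never read or printed.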