Authorization Endpoint Errors

 

This topic explains how to interpret and respond to errors that originate at the Azure AD authorization endpoint.

Errors that occur at the Azure AD authorization endpoint are returned in two different ways. When the error is displayed on a web page, the endpoint uses an HTTP 200 status code. When a client application is available to handle the error, the endpoint uses an HTTP 302 redirect status code.

Here is a sample HTTP 302 error response from the Azure AD authorization endpoint when an authorization code request is missing the required response_type parameter.

HTTP/1.1 302 Found
Location: https://localhost/myapp/?error=invalid_request&error_description=AADSTS90014%3a+The+request+body+must+contain+the+following+parameter%3a+%27response_type%27.%0d%0aTrace+ID%3a+57f5cb47-2278-4802-a018-d05d9145daad%0d%0aCorrelation+ID%3a+570a9ed3-bf1d-40d1-81ae-63465cc25488%0d%0aTimestamp%3a+2013-12-31+05%3a51%3a35Z&state=D79E5777-702E-4260-9A62-37F75FF22CCE

Error Response Parameters

Client-handled error responses include the following parameters.

| Parameter | Description |
| --- | --- |
| error | An error code value defined in Section 5.2 of the OAuth 2.0 Authorization Framework. The next table describes the error codes that Azure AD returns. |
| error_description | A more detailed description of the error. This message is not intended to be end-user friendly. |
| state | Returns the state value from the request, if the request includes a state value. |

The state value is a randomly generated non-reused value that is sent in the request and returned in the response to prevent cross-site request forgery (CSRF) attacks. For more information, see Best Practices for OAuth 2.0 in Azure AD.

Error Codes

The following table describes the error codes (error parameter values) that the Azure AD authorization endpoint returns.

| Error code | Description | Client Action |
| --- | --- | --- |
| invalid_request | Protocol error, such as a missing required parameter. | Fix and resubmit the request. For reference, use the protocol documentation and Authorization Code Grant Flow. This is a development error that is typically caught during initial testing. |
| unauthorized_client | The client application is not permitted to request an authorization code. | This usually occurs when the client application is not registered in Azure AD or is not added to the user's Azure AD tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. For more information, see Application Access. |
| access_denied | Resource owner denied consent. | The client application can notify the user that it cannot proceed unless the user consents. |
| unsupported_response_type | The authorization server does not support the response type in the request. | Fix and resubmit the request. For reference, use the protocol documentation and Authorization Code Grant Flow. This is a development error that is typically caught during initial testing. |
| server_error | The server encountered an unexpected error. | Retry the request. These errors can result from temporary conditions. The client application might explain to the user that its response is delayed due to a temporary error. |
| temporarily_unavailable | The server is temporarily too busy to handle the request. | Retry the request. The client application might explain to the user that its response is delayed due to a temporary condition. |
| invalid_resource | The target resource is invalid because it does not exist, Azure AD cannot find it, or it is not correctly configured. | This indicates the resource has not been configured in the tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. For more information, see Application Access. |
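
The following added example (not part of the original topic or any Azure AD library) shows one way a client can process the 302 error redirect described above: it checks the returned state first, then splits error_description into its parts and maps the error code to a client action. The function name, the action labels, and the assumption that error_description always follows the layout of the sample response are illustrative.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Location header from this page's sample 302 response.
SAMPLE_LOCATION = ("https://localhost/myapp/?error=invalid_request&error_description=AADSTS90014%3a+The+request+body+must+contain+the+following+parameter%3a+%27response_type%27.%0d%0aTrace+ID%3a+57f5cb47-2278-4802-a018-d05d9145daad%0d%0aCorrelation+ID%3a+570a9ed3-bf1d-40d1-81ae-63465cc25488%0d%0aTimestamp%3a+2013-12-31+05%3a51%3a35Z&state=D79E5777-702E-4260-9A62-37F75FF22CCE")

# Hypothetical action labels summarising the "Client Action" column above.
ACTIONS = {
    "invalid_request": "fix_request",
    "unsupported_response_type": "fix_request",
    "server_error": "retry",
    "temporarily_unavailable": "retry",
    "access_denied": "notify_user",
    "unauthorized_client": "prompt_install",
    "invalid_resource": "prompt_install",
}

def parse_authorization_error(location, expected_state):
    """Return the parsed error from a 302 redirect, or None if it carries no error."""
    params = parse_qs(urlsplit(location).query)  # decodes %xx escapes and '+'
    error = params.get("error", [None])[0]
    if error is None:
        return None
    # Validate state before acting on anything else: a response whose state
    # does not match the value we sent was not produced by our request.
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    # Assumed layout, taken from the sample: a message line followed by
    # CRLF-separated "Name: value" lines (Trace ID, Correlation ID, Timestamp).
    description = params.get("error_description", [""])[0]
    lines = [ln.strip() for ln in description.splitlines() if ln.strip()]
    message = lines[0] if lines else ""
    details = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
    code = re.match(r"AADSTS\d+", message)
    return {
        "error": error,
        "action": ACTIONS.get(error, "unknown"),
        "aadsts_code": code.group(0) if code else None,
        "message": message,  # for logs and support, not for display to end users
        "trace_id": details.get("Trace ID"),
        "correlation_id": details.get("Correlation ID"),
        "timestamp": details.get("Timestamp"),
    }
```

Logging the trace and correlation IDs with each failure gives support staff the values needed to locate the request on the service side.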

See Also

Error Handling in OAuth 2.0
OAuth 2.0 in Azure AD
Token Issuance Endpoint Errors
Errors from Secured Resources
Best Practices for OAuth 2.0 in Azure AD