App Dev Manager Nicholas McCollum shares insight into a recent update to Microsoft Azure Active Directory to bring AAD in line with the OAuth specification.
Overview
On November 15, 2018 an update to Microsoft Azure Active Directory was released to bring AAD in line with the OAuth specification. This update prevents an authorization code from being used to obtain access tokens for multiple resources. The full release notes for this change can be found here.
Impact
Prior to this change, ASP.NET and ASP.NET Core applications that use the OpenID Connect OWIN middleware for authentication typically placed code in the AuthorizationCodeReceived notification (ASP.NET) or the OnAuthorizationCodeReceived event (ASP.NET Core) that used the authorization code returned by AAD to obtain access tokens for any additional APIs or resources the application needed. Following the change implemented on November 15, 2018, only the first request that redeems the authorization code for an access token succeeds. Subsequent requests that present the same code to obtain access tokens for additional resources fail with the following error message:
AADSTS70002: Error validating credentials. AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.
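One way to adapt the handler to the new behaviour, as an added example (not code from the original post): redeem the code once, hand the result to the middleware so it does not redeem the code again itself, and obtain tokens for any further resource from the refresh token that ADAL cached during that first redemption. It assumes the ASP.NET Core 2.x OpenID Connect middleware and ADAL.NET v3 (Microsoft.IdentityModel.Clients.ActiveDirectory); the authority, resource identifiers and the class and method names are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class CodeRedemption
{
    // Placeholder values (assumptions, not values from the original post).
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    private const string FirstResource = "https://graph.microsoft.com";
    private const string SecondResource = "https://example.com/hypothetical-api";

    // Process-wide cache for this example; a real app keys the cache per user.
    private static readonly TokenCache Cache = new TokenCache();

    // Wire up as:
    //   options.Events.OnAuthorizationCodeReceived = ctx => CodeRedemption.HandleAsync(ctx, clientCredential);
    public static async Task HandleAsync(AuthorizationCodeReceivedContext ctx, ClientCredential clientCredential)
    {
        var authContext = new AuthenticationContext(Authority, Cache);
        var redirectUri = new Uri(ctx.TokenEndpointRequest.RedirectUri);

        // 1. Redeem the authorization code exactly once. The token response also carries a
        //    refresh token, which ADAL stores in the cache.
        AuthenticationResult first = await authContext.AcquireTokenByAuthorizationCodeAsync(
            ctx.ProtocolMessage.Code, redirectUri, clientCredential, FirstResource);

        // 2. Tell the middleware the code is already redeemed, otherwise it sends the same
        //    code to the token endpoint a second time, which now fails with AADSTS54005.
        ctx.HandleCodeRedemption(first.AccessToken, first.IdToken);

        // 3. Tokens for every other resource come from the cached refresh token, never from the code.
        var user = new UserIdentifier(first.UserInfo.UniqueId, UserIdentifierType.UniqueId);
        try
        {
            AuthenticationResult second = await authContext.AcquireTokenSilentAsync(
                SecondResource, clientCredential, user);
            // second.AccessToken is the bearer token for calls to SecondResource.
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No usable refresh token in the cache (cache lost, consent missing, token revoked):
            // trigger a new sign-in rather than re-presenting the already redeemed code.
        }
    }
}
```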