AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials

Question

Hi i want to implement the Office365 SSO login. I've created an account and following now this documentation: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

I'm at the point where i got the code and now want to implement "Use the Authorization Code to Request an Access Token"

But i get an error: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

Here is an detailed log of my call:

http-bio-8080-exec-10 29/06/2015 14:45:37,496 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "POST /common/oauth2/token HTTP/1.1[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,496 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "Content-Length: 810[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,497 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,497 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "Host: login.microsoftonline.com[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,498 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "Connection: Keep-Alive[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,499 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "User-Agent: Apache-HttpClient/4.3.5 (java 1.5)[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,499 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,500 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,501 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 >> "client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FXXXXXXXXX%2FREST%2FUser%2Foffice&client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&code=XXXXXXXXXXXXXXXXXXX&grant_type=authorization_code"
http-bio-8080-exec-10 29/06/2015 14:45:37,570 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "H"
http-bio-8080-exec-10 29/06/2015 14:45:37,571 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "TTP/1.1 400 Bad Request[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,572 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Cache-Control: no-cache, no-store[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,572 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Pragma: no-cache[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,573 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Content-Type: application/json; charset=utf-8[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,573 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Expires: -1[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,574 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Server: Microsoft-IIS/8.5[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,575 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "x-ms-request-id: c7702631-895c-4c6c-bad1-691ced9259f5[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,575 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "x-ms-gateway-service-instanceid: ESTSFE_IN_3[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,576 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "X-Content-Type-Options: nosniff[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,576 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,577 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,578 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Set-Cookie: flight-uxoptin=true; path=/; secure; HttpOnly[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,578 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Set-Cookie: x-ms-gateway-slice=productiona; path=/; secure; HttpOnly[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,579 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,580 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "X-Powered-By: ASP.NET[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,580 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Date: Mon, 29 Jun 2015 12:45:48 GMT[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,581 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "Content-Length: 501[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,581 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "[\r][\n]"
http-bio-8080-exec-10 29/06/2015 14:45:37,582 | DEBUG | org.apache.http.wire | wire | http-outgoing-3 << "{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: c7702631-895c-4c6c-bad1-691ced9259f5\r\nCorrelation ID: bd641f9d-9982-4808-b7ba-95d3dc0ba8d9\r\nTimestamp: 2015-06-29 12:45:49Z","error_codes":[90019],"timestamp":"2015-06-29 12:45:49Z","trace_id":"c7702631-895c-4c6c-bad1-691ced9259f5","correlation_id":"bd641f9d-9982-4808-b7ba-95d3dc0ba8d9","submit_url":null,"context":null}"

This is how i configured the APP

Answer 1

The account used in your case is a Microsoft Account and not an Organizational Account / AAD Account. Unfortunately, Microsoft Accounts do not work at the common endpoint. If the Microsoft Account is a guest in an Azure AD tenant, then you can put that tenant name in the authority endpoint, in place of 'common', and that should work. Obviously you must know the tenant you want ahead of time.

You can run in to a similar issue when using an Organizational Account. If the Organizational Account is a guest in another tenant, or multiple tenants, then you must specify the specific tenant that you want the token issued by.