I have a refresh token issued by app A. This refresh token is stored in an Azure Key Vault, to which app B has access. App B now takes this refresh token and exchanges it for an access token.
Unfortunately this exchange fails with the message
"error": "invalid_client",
"error_description": "AADSTS7000215: Invalid client secret is provided."
The client secret is correct though. I was able to acquire an access token to the Key Vault with it.
This is the HTTP request for the refresh token exchange taken from Fiddler (I have removed all secrets and ids):
POST https://login.microsoftonline.com/{TenantId}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.134
Host: login.microsoftonline.com
Content-Length: 1221
Connection: Keep-Alive
grant_type=refresh_token
&client_id={ClientId}
&client_secret={ClientSecret}
&resource=https%3A%2F%2Fvault.azure.net
&redirect_uri=https%3A%2F%2Flocalhost%2F
&refresh_token={RefreshToken}
What is going on here?
PS: I know it's wild storing a refresh token in a Key Vault, but that's Microsoft's recommended way of accessing the CSP Partner API.
Same as Rohit said, the resource should be the app that you want to access. For the details about this, you could refer to here.
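To make the exchange in the question concrete, here is an added Python example (not code from the question or the answer) that builds the same v1 refresh-token request with the resource as a parameter, so it can be pointed at the target app as the answer suggests, redacts the secret-bearing fields before the body is logged or pasted into a question, and pulls the AADSTS code out of an error response for troubleshooting. The tenant, client and token values are constructed placeholders, and the sample error body is a copy of the one quoted in the question.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode

# Constructed placeholder values; not real tenant, app or token identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "placeholder-client-secret"
REFRESH_TOKEN = "placeholder-refresh-token"

# Form fields that must never appear in logs, traces or bug reports.
SENSITIVE_FIELDS = ("client_secret", "refresh_token")

# Sample error body, copied from the question for offline parsing.
SAMPLE_ERROR = (
    '{"error": "invalid_client", '
    '"error_description": "AADSTS7000215: Invalid client secret is provided."}'
)

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def build_refresh_request(tenant_id, client_id, client_secret, refresh_token,
                          resource, redirect_uri="https://localhost/"):
    """Return (url, headers, body) for a v1 endpoint refresh_token grant.

    `resource` is the app (audience) the new access token is for, e.g.
    https://vault.azure.net for Key Vault; urlencode percent-encodes it the
    same way the captured request shows (https%3A%2F%2Fvault.azure.net).
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
        "redirect_uri": redirect_uri,
        "refresh_token": refresh_token,
    })
    return url, headers, body


def redact_form_body(body):
    """Return a copy of the form body with secret fields masked, safe to log."""
    params = parse_qs(body, keep_blank_values=True)
    safe = {}
    for key, values in params.items():
        safe[key] = "REDACTED" if key in SENSITIVE_FIELDS else values[0]
    return urlencode(safe)


def parse_token_error(response_text):
    """Return (error, AADSTS code) from a token endpoint error body.

    Returns (None, None) when the body is a successful token response.
    """
    data = json.loads(response_text)
    if "error" not in data:
        return None, None
    match = AADSTS_RE.search(data.get("error_description", ""))
    return data["error"], (int(match.group(1)) if match else None)


def exchange_refresh_token(url, headers, body):
    """POST the grant and return (HTTP status, parsed JSON). Network call;
    not exercised offline."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        return exc.code, json.loads(exc.read())


if __name__ == "__main__":
    url, headers, body = build_refresh_request(
        TENANT_ID, CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN,
        resource="https://vault.azure.net")
    print("POST", url)
    print(redact_form_body(body))          # secrets masked before logging
    print(parse_token_error(SAMPLE_ERROR))  # ('invalid_client', 7000215)
```

Only the redacted body should ever reach a log or a support ticket; the AADSTS number is the value to search for in the Microsoft error reference when the exchange fails.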