Azure AD OAuth: Token refresh fails with AADSTS7000218 when using managed identity

  • What Grafana version and what operating system are you using?
    Grafana main branch (also affects current releases). Running on Azure App Service (Linux, Docker).

  • What are you trying to achieve?
    Using Azure AD OAuth with client_authentication = managed_identity (User-Assigned Managed Identity) and refresh tokens enabled (use_refresh_token = true) for seamless session continuity.

  • How are you trying to achieve it?
    Configuration:
    [auth.azuread]
    enabled = true
    client_authentication = managed_identity
    managed_identity_client_id =
    federated_credential_audience = api://AzureADTokenExchange
    use_refresh_token = true
    use_pkce = true
    scopes = openid profile email offline_access

  • What happened?
    The initial login works perfectly. However, when the access token expires (~60 minutes), the token refresh fails silently and all users get logged out. This is because TokenSource() in azuread_oauth.go falls through to the default oauth2.Config.TokenSource(), which doesn’t include a client_assertion — unlike workload identity, which already has a dedicated azureADTokenSource handling this correctly.

  • What did you expect to happen?
    Token refresh should work transparently, just like it does for client_authentication = workload_identity. The session should continue without interruption.

  • Can you copy/paste the configuration(s) that you are having problems with?

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Yes, on every token refresh attempt:
    logger=oauthtoken level=error msg="Failed to retrieve oauth access token" provider=oauth_azuread error="oauth2: "invalid_client" "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.""

  • Did you follow any online instructions? If so, what is the URL?
    * Grafana docs for Azure AD OAuth configuration with managed identity.

    Additional context

    I’ve filed an issue and submitted a fix with production-verified before/after results:

    The fix adds a dedicated azureADManagedIdentityTokenSource following the same pattern as the existing workload identity token source. After deploying the fix: zero AADSTS7000218 errors, sessions refresh without interruption.

    Looking for maintainer review on the PR — it’s been open since Feb 26 with no reviews yet. Thanks!

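The refresh exchange the post describes, as an added example that is not Grafana's code and not the linked PR: a stand-alone Go stand-in for an OAuth token source that, on refresh, sends client_assertion and client_assertion_type (the RFC 7523 form used by the federated identity credential flow) together with the refresh_token grant, run against a constructed fake token endpoint that answers with the AADSTS7000218 error whenever neither client_secret nor client_assertion is present. The type and function names (refreshTokenSource, refreshOnce, newFakeTokenEndpoint), the Token struct, the client id and the assertion string are all assumptions or constructed values. Leaving the assertion callback nil reproduces the fall-through to the default oauth2.Config.TokenSource described above (no client authentication on the refresh request); setting it reproduces what a dedicated managed-identity token source adds.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

const clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523, used by the Entra federated credential flow

// Token is a minimal stand-in for oauth2.Token so the example needs only the standard library.
type Token struct {
	AccessToken, RefreshToken string
	Expiry                    time.Time
}

// refreshTokenSource (hypothetical) refreshes an expired token with the refresh_token grant. assertion mints a
// managed-identity token for api://AzureADTokenExchange (the Azure SDK in Grafana); nil sends no client auth at all.
type refreshTokenSource struct {
	client             *http.Client
	tokenURL, clientID string
	assertion          func() (string, error)
	tok                *Token
}

func (s *refreshTokenSource) Token() (*Token, error) {
	if s.tok == nil || s.tok.RefreshToken == "" {
		return nil, fmt.Errorf("oauth2: no refresh token available")
	}
	if time.Now().Before(s.tok.Expiry) {
		return s.tok, nil // cached token is still valid
	}
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {s.tok.RefreshToken}, "client_id": {s.clientID}}
	if s.assertion != nil {
		assertion, err := s.assertion()
		if err != nil || assertion == "" { // fail closed rather than post a form the IdP will reject
			return nil, fmt.Errorf("managed identity assertion unavailable: %v", err)
		}
		form.Set("client_assertion_type", clientAssertionType)
		form.Set("client_assertion", assertion)
	}
	resp, err := s.client.PostForm(s.tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken      string `json:"access_token"`
		RefreshToken     string `json:"refresh_token"`
		ExpiresIn        int    `json:"expires_in"`
		Error            string `json:"error"`
		ErrorDescription string `json:"error_description"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK || body.Error != "" { // same shape as the Grafana log line above
		return nil, fmt.Errorf("oauth2: %q %q", body.Error, body.ErrorDescription)
	}
	s.tok = &Token{AccessToken: body.AccessToken, RefreshToken: body.RefreshToken,
		Expiry: time.Now().Add(time.Duration(body.ExpiresIn) * time.Second)}
	return s.tok, nil
}

// newFakeTokenEndpoint is a constructed stand-in for the Entra token endpoint that enforces only the rule
// behind AADSTS7000218: a confidential client must send client_secret or client_assertion.
func newFakeTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("client_secret") == "" && r.PostFormValue("client_assertion") == "" {
			http.Error(w, `{"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'."}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"refreshed-access-token","refresh_token":"rotated-refresh-token","expires_in":3600}`)
	}))
}

// refreshOnce replays one refresh of an expired session against the fake endpoint, with or without the
// managed-identity assertion, and returns the new access token or the refresh error.
func refreshOnce(withAssertion bool) (string, error) {
	srv := newFakeTokenEndpoint()
	defer srv.Close()
	src := &refreshTokenSource{client: srv.Client(), tokenURL: srv.URL, clientID: "11111111-2222-3333-4444-555555555555", // constructed id
		tok: &Token{AccessToken: "old", RefreshToken: "initial-refresh-token", Expiry: time.Now().Add(-time.Minute)}}
	if withAssertion {
		src.assertion = func() (string, error) { return "constructed-managed-identity-jwt", nil }
	}
	tok, err := src.Token()
	if err != nil {
		return "", err
	}
	return tok.AccessToken, nil
}

func main() {
	_, errBefore := refreshOnce(false)
	accessAfter, errAfter := refreshOnce(true)
	fmt.Println("before:", errBefore, "\nafter:", accessAfter, errAfter)
}
```

Running it prints the AADSTS7000218 invalid_client error for the request without an assertion and a refreshed access token for the one with it, which is the before/after behaviour the post reports. Two things a production token source needs that are left out here: the assertion has to be minted by the managed identity credential for the federated_credential_audience from the configuration above, and concurrent refreshes should be serialised so that several requests arriving just after expiry do not each call the token endpoint.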