OAuth token request failures (MSAL)

I’m using Azure Identity/MSAL to secure my API. When I go through the plugin installation process, I successfully log in and I’m redirected back to OpenAI, but then I get a message inside of the chat, “Couldn’t log in with plugin”.

In Azure AD, I can see the sign-in was successful, but I can’t see any token request failures (though I may be looking in the wrong spot… I’m looking under Enterprise Applications->Sign-in Logs).

Does anyone have any ideas about what I might be doing wrong? Is it possible to get the request logs from OpenAI?

The auth section of my ai-plugin.json file looks like:

"auth": {
    "type": "oauth",
    "client_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "scope": "api://<some random guid>/Time.Read",
    "authorization_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "authorization_content_type": "application/json",
    "verification_tokens": {
      "openai": "<my verification token>"
    }
}

And the callback URL is similar to:

https://chat.openai.com/aip/plugin-<my plugin id>/oauth/callback?code=0.ASkAFlM0bXqHZEmfaxqymWBVvzTHiYnH0DFLqZ7XcqqR1....

Update 5/15 @ 21:30 PST:
I found the logs I was looking for in the browser dev tools. After successfully getting redirected back to the callback URL, it makes a request to

https://oxxxxx.ingest.sentry.io/api/<########>/envelope/?sentry_key=<some key>&sentry_version=7&sentry_client=sentry.javascript.nextjs/7.50.0

This returns a 429 response.
Then there is another call to the callback URL with a 500 response. And the error detail is “Error forwarding auth: Missing access_token”. I can’t see the request to the token endpoint, but I see the auth code being returned from the auth endpoint.

I’ve also tried to change the plugin name in the ai-plugin.json file, and reuploaded it a few times, but I always get the same plugin ID/callback URL.

I have no idea where I’m going wrong, and any help would be greatly appreciated.

1 Like

I finally found the solution. Posting it in case anyone else encounters the same issue. I set the content type to “application/json”, when I should have set it to “application/x-www-form-urlencoded”.

This is what the auth section of the ai-plugin.json file should look like for OAuth via Azure AD…

"auth": {
    "type": "oauth",
    "client_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "scope": "<your_scope(s)>",
    "authorization_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "authorization_content_type": "application/x-www-form-urlencoded",
    "verification_tokens": {
      "openai": "<your_verification_token>"
    }
}
1 Like
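
Why the JSON content type ends in "Missing access_token", as an added example that is not part of the original posts and not OpenAI's or Microsoft's code: RFC 6749 section 4.1.3 has the code-for-token request sent as application/x-www-form-urlencoded, so an endpoint that reads only form parameters finds no grant_type in a JSON body. The mock endpoint, client id, secret, redirect URI, auth code and token below are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode

FORM = "application/x-www-form-urlencoded"

def build_token_request(auth, code):
    """Client side: serialize the code-for-token exchange the way the
    manifest's authorization_content_type dictates."""
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": "constructed-client-id",                      # placeholder
        "client_secret": "constructed-secret",                     # placeholder
        "redirect_uri": "https://client.example/oauth/callback",   # placeholder
    }
    ctype = auth["authorization_content_type"]
    body = json.dumps(fields) if ctype == "application/json" else urlencode(fields)
    return {"Content-Type": ctype}, body

def mock_token_endpoint(headers, body):
    """Constructed stand-in for a token endpoint that reads parameters only
    from a form-encoded body (RFC 6749, section 4.1.3)."""
    params = {}
    if headers.get("Content-Type", "").split(";")[0].strip().lower() == FORM:
        params = {k: v[0] for k, v in parse_qs(body).items()}
    # A JSON body leaves params empty, so the required fields are "missing".
    if params.get("grant_type") != "authorization_code" or "code" not in params:
        return 400, {"error": "invalid_request"}
    return 200, {"token_type": "Bearer", "access_token": "constructed-token"}

def exchange(auth, code="constructed-auth-code"):
    """Run the exchange end to end; return (HTTP status, got access_token?)."""
    status, payload = mock_token_endpoint(*build_token_request(auth, code))
    return status, "access_token" in payload

if __name__ == "__main__":
    for ctype in ("application/json", FORM):
        print(ctype, exchange({"authorization_content_type": ctype}))
```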

I am also working on supporting MSA in a plugin. I am happy to see that you have already achieved some progress in this area. Just curious, did you successfully get the token? Is the token AAD or MSA? @3o8