Bug Report: Failed authentication with GitHub OIDC #777

@kenchan0130

Description

Authentication fails when using GitHub OIDC for identity federation. The error occurs at the token endpoint during the access token issuance process, preventing successful authentication.

Steps to Reproduce

Please provide a step-by-step list of actions to reproduce the bug:

  1. Define tf file
  2. Execute terraform plan

terraform {
  required_providers {
    microsoft365 = {
      source  = "deploymenttheory/microsoft365"
      version = "0.29.3-alpha"
    }
  }
}

provider "microsoft365" {
  cloud       = "public"
  tenant_id   = "my-tenant-id"
  auth_method = "oidc_github"

  entra_id_options = {
    client_id = "my-client-id"
  }
}

data "microsoft365_graph_beta_device_and_app_management_application_category" "all_categories" {
  filter_type = "all"
}

Expected Behavior

The token endpoint should successfully issue an access token after the OIDC authentication flow completes.

Actual Behavior

The token endpoint returns an error during the access token issuance process. As a result, authentication fails and no access token is provided.

Environment

  • OS: Linux
  • Browser: n/a
  • Terraform Version: 1.13.3
  • Provider Version: v0.29.3-alpha
  • Other dependencies: n/a

Additional Context

The same authentication error regarding missing grant_type occurs not only with data sources but also with resources.

I am using the AzureAD provider in the same environment, and GitHub OIDC is working without any issues.

The following is the result of executing terraform plan.


╷
│ Error: Internal Server Error - 500
│ 
│   with data.microsoft365_graph_beta_device_and_app_management_application_category.all_categories,
│   on main.tf line 9, in data "microsoft365_graph_beta_device_and_app_management_application_category" "all_categories":
│    9: data "microsoft365_graph_beta_device_and_app_management_application_category" "all_categories" {
│ 
│ Microsoft Graph API encountered an internal error. Please try again later.
│ Error: ClientAssertionCredential authentication failed. 
│ POST
│ https://login.microsoftonline.com/{my-tenant-id(masked)}/oauth2/v2.0/token
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ --------------------------------------------------------------------------------
│ {
│   "error": "invalid_request",
│   "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: ab9122a6-fc00-4f68-8530-e680c6f20700 Correlation ID: 732f5173-275b-418e-9960-d8be41a28fa7 Timestamp: 2025-09-17 08:13:01Z",
│   "error_codes": [
│     900144
│   ],
│   "timestamp": "2025-09-17 08:13:01Z",
│   "trace_id": "ab9122a6-fc00-4f68-8530-e680c6f20700",
│   "correlation_id": "732f5173-275b-418e-9960-d8be41a28fa7",
│   "error_uri": "https://login.microsoftonline.com/error?code=900144"
│ }
│ --------------------------------------------------------------------------------
│ 
│ Code: UnknownError
│ Description: An unknown error has occurred.
│ Category: service
╵

Possible Solution

n/a

Screenshots or Videos

n/a

Logs & Console Output

The relevant logs when setting TF_LOG=debug are as follows:

2025-09-17T08:13:00.7495244Z 2025-09-17T08:13:00.742Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Initialized  with Graph Client: @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/client/graph_clients.go:204 @module=microsoft365 tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_rpc=ReadDataSource timestamp=2025-09-17T08:13:00.740Z
2025-09-17T08:13:00.7502039Z 2025-09-17T08:13:00.742Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Starting Read method for: _: tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_rpc=ReadDataSource @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/datasources/device_and_app_management/graph_beta/application_category/read.go:19 @module=microsoft365 timestamp=2025-09-17T08:13:00.741Z
2025-09-17T08:13:00.7509087Z 2025-09-17T08:13:00.742Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Reading _ with filter_type: all: @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/datasources/device_and_app_management/graph_beta/application_category/read.go:27 tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_rpc=ReadDataSource @module=microsoft365 tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 timestamp=2025-09-17T08:13:00.741Z
2025-09-17T08:13:00.7516410Z 2025-09-17T08:13:00.742Z [INFO]  provider.terraform-provider-microsoft365_v0.29.3-alpha: read timeout configuration not found, using provided default: @module=microsoft365 tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_rpc=ReadDataSource @caller=github.com/hashicorp/[email protected]/resource/timeouts/timeouts.go:139 tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 timestamp=2025-09-17T08:13:00.741Z
2025-09-17T08:13:00.7520786Z data.microsoft365_graph_beta_device_and_app_management_application_category.all_categories: Reading...
2025-09-17T08:13:01.0514755Z 2025-09-17T08:13:01.050Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Requesting GitHub OIDC token: tf_rpc=ReadDataSource url=***** @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/client/client_credential_factory.go:331 tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 @module=microsoft365 audience=*** tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 timestamp=2025-09-17T08:13:01.050Z
2025-09-17T08:13:01.5218574Z 2025-09-17T08:13:01.519Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Extracting error information: @module=microsoft365
2025-09-17T08:13:01.5219955Z   error=
2025-09-17T08:13:01.5220425Z   | ClientAssertionCredential authentication failed. 
2025-09-17T08:13:01.5221567Z   | POST https://login.microsoftonline.com/${my-tenant-id (masked)}/oauth2/v2.0/token
2025-09-17T08:13:01.5222977Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5223622Z   | RESPONSE 400: 400 Bad Request
2025-09-17T08:13:01.5224204Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5224779Z   | {
2025-09-17T08:13:01.5225165Z   |   "error": "invalid_request",
2025-09-17T08:13:01.5226719Z   |   "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: ab9122a6-fc00-4f68-8530-e680c6f20700 Correlation ID: 732f5173-275b-418e-9960-d8be41a28fa7 Timestamp: 2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5228315Z   |   "error_codes": [
2025-09-17T08:13:01.5228717Z   |     900144
2025-09-17T08:13:01.5229069Z   |   ],
2025-09-17T08:13:01.5229427Z   |   "timestamp": "2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5229992Z   |   "trace_id": "ab9122a6-fc00-4f68-8530-e680c6f20700",
2025-09-17T08:13:01.5230671Z   |   "correlation_id": "732f5173-275b-418e-9960-d8be41a28fa7",
2025-09-17T08:13:01.5231621Z   |   "error_uri": "https://login.microsoftonline.com/error?code=900144"
2025-09-17T08:13:01.5232268Z   | }
2025-09-17T08:13:01.5232732Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5235918Z    error_type="*azidentity.AuthenticationFailedError" tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 tf_rpc=ReadDataSource @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/common/errors/kiota/error_handling.go:161 tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 timestamp=2025-09-17T08:13:01.519Z
2025-09-17T08:13:01.5271425Z 2025-09-17T08:13:01.519Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Comprehensive error details: throttled_reason="" @module=microsoft365 target="" is_odata_error=false @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/common/errors/kiota/error_handling.go:711 category=service correlation_id=""
2025-09-17T08:13:01.5273950Z   error_message=
2025-09-17T08:13:01.5274455Z   | ClientAssertionCredential authentication failed. 
2025-09-17T08:13:01.5275395Z   | POST https://login.microsoftonline.com/${my-tenant-id (masked)}/oauth2/v2.0/token
2025-09-17T08:13:01.5276358Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5277001Z   | RESPONSE 400: 400 Bad Request
2025-09-17T08:13:01.5277586Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5278149Z   | {
2025-09-17T08:13:01.5278489Z   |   "error": "invalid_request",
2025-09-17T08:13:01.5279979Z   |   "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: ab9122a6-fc00-4f68-8530-e680c6f20700 Correlation ID: 732f5173-275b-418e-9960-d8be41a28fa7 Timestamp: 2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5281686Z   |   "error_codes": [
2025-09-17T08:13:01.5282069Z   |     900144
2025-09-17T08:13:01.5282399Z   |   ],
2025-09-17T08:13:01.5282756Z   |   "timestamp": "2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5283318Z   |   "trace_id": "ab9122a6-fc00-4f68-8530-e680c6f20700",
2025-09-17T08:13:01.5283976Z   |   "correlation_id": "732f5173-275b-418e-9960-d8be41a28fa7",
2025-09-17T08:13:01.5284717Z   |   "error_uri": "https://login.microsoftonline.com/error?code=900144"
2025-09-17T08:13:01.5285312Z   | }
2025-09-17T08:13:01.5285731Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5288061Z    error_code=UnknownError error_date="" tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 tf_rpc=ReadDataSource request_id="" retry_after="" client_request_id="" status_code=500 tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 timestamp=2025-09-17T08:13:01.519Z
2025-09-17T08:13:01.5313566Z 2025-09-17T08:13:01.519Z [DEBUG] provider.terraform-provider-microsoft365_v0.29.3-alpha: Handling Graph error:: @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/common/errors/kiota/error_handling.go:81 inner_errors=0 tf_rpc=ReadDataSource correlation_id="" error_code=UnknownError error_details=0 request_id="" target="" tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 @module=microsoft365
2025-09-17T08:13:01.5316829Z   error_message=
2025-09-17T08:13:01.5317343Z   | ClientAssertionCredential authentication failed. 
2025-09-17T08:13:01.5318240Z   | POST https://login.microsoftonline.com/${my-tenant-id (masked)}/oauth2/v2.0/token
2025-09-17T08:13:01.5319208Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5319812Z   | RESPONSE 400: 400 Bad Request
2025-09-17T08:13:01.5320404Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5321257Z   | {
2025-09-17T08:13:01.5321667Z   |   "error": "invalid_request",
2025-09-17T08:13:01.5323230Z   |   "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: ab9122a6-fc00-4f68-8530-e680c6f20700 Correlation ID: 732f5173-275b-418e-9960-d8be41a28fa7 Timestamp: 2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5325096Z   |   "error_codes": [
2025-09-17T08:13:01.5361389Z   |     900144
2025-09-17T08:13:01.5361812Z   |   ],
2025-09-17T08:13:01.5362188Z   |   "timestamp": "2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5362779Z   |   "trace_id": "ab9122a6-fc00-4f68-8530-e680c6f20700",
2025-09-17T08:13:01.5363417Z   |   "correlation_id": "732f5173-275b-418e-9960-d8be41a28fa7",
2025-09-17T08:13:01.5364164Z   |   "error_uri": "https://login.microsoftonline.com/error?code=900144"
2025-09-17T08:13:01.5364786Z   | }
2025-09-17T08:13:01.5365272Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5366787Z    operation=Read tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category category=service is_odata_error=false status_code=500 timestamp=2025-09-17T08:13:01.519Z
2025-09-17T08:13:01.5392636Z 2025-09-17T08:13:01.519Z [INFO]  provider.terraform-provider-microsoft365_v0.29.3-alpha: Graph API Error Metrics: @caller=github.com/deploymenttheory/terraform-provider-microsoft365/internal/services/common/errors/kiota/error_handling.go:548 has_error_details=false has_inner_errors=false is_odata_error=false operation=Read tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 tf_rpc=ReadDataSource status_code=500 timestamp="1.758096781e+09" category=service metric_type=graph_api_error @module=microsoft365 error_code=UnknownError request_id="" tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 timestamp=2025-09-17T08:13:01.519Z
2025-09-17T08:13:01.5398354Z 2025-09-17T08:13:01.519Z [ERROR] provider.terraform-provider-microsoft365_v0.29.3-alpha: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:58
2025-09-17T08:13:01.5399931Z   diagnostic_detail=
2025-09-17T08:13:01.5400584Z   | Microsoft Graph API encountered an internal error. Please try again later.
2025-09-17T08:13:01.5401573Z   | Error: ClientAssertionCredential authentication failed. 
2025-09-17T08:13:01.5402540Z   | POST https://login.microsoftonline.com/${my-tenant-id (masked)}/oauth2/v2.0/token
2025-09-17T08:13:01.5403494Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5404132Z   | RESPONSE 400: 400 Bad Request
2025-09-17T08:13:01.5404737Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5405722Z   | {
2025-09-17T08:13:01.5406078Z   |   "error": "invalid_request",
2025-09-17T08:13:01.5407638Z   |   "error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'. Trace ID: ab9122a6-fc00-4f68-8530-e680c6f20700 Correlation ID: 732f5173-275b-418e-9960-d8be41a28fa7 Timestamp: 2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5409192Z   |   "error_codes": [
2025-09-17T08:13:01.5409584Z   |     900144
2025-09-17T08:13:01.5409886Z   |   ],
2025-09-17T08:13:01.5410236Z   |   "timestamp": "2025-09-17 08:13:01Z",
2025-09-17T08:13:01.5410799Z   |   "trace_id": "ab9122a6-fc00-4f68-8530-e680c6f20700",
2025-09-17T08:13:01.5431821Z   |   "correlation_id": "732f5173-275b-418e-9960-d8be41a28fa7",
2025-09-17T08:13:01.5432591Z   |   "error_uri": "https://login.microsoftonline.com/error?code=900144"
2025-09-17T08:13:01.5433195Z   | }
2025-09-17T08:13:01.5433653Z   | --------------------------------------------------------------------------------
2025-09-17T08:13:01.5434245Z   | 
2025-09-17T08:13:01.5434594Z   | Code: UnknownError
2025-09-17T08:13:01.5435052Z   | Description: An unknown error has occurred.
2025-09-17T08:13:01.5435553Z   | Category: service
2025-09-17T08:13:01.5437939Z    tf_proto_version=6.9 tf_req_id=b4a5bdac-f0be-8573-ceb3-268d920ae360 tf_rpc=ReadDataSource @module=sdk.proto diagnostic_severity=ERROR diagnostic_summary="Internal Server Error - 500" tf_data_source_type=microsoft365_graph_beta_device_and_app_management_application_category tf_provider_addr=registry.terraform.io/deploymenttheory/microsoft365 timestamp=2025-09-17T08:13:01.519Z
2025-09-17T08:13:01.5441554Z 2025-09-17T08:13:01.521Z [ERROR] vertex "data.microsoft365_graph_beta_device_and_app_management_application_category.all_categories" error: Internal Server Error - 500
2025-09-17T08:13:01.5443519Z 2025-09-17T08:13:01.521Z [ERROR] vertex "data.microsoft365_graph_beta_device_and_app_management_application_category.all_categories (expand)" error: Internal Server Error - 500

Related Issues

n/a

Priority

Medium (Needs to be fixed but not urgent)
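
For reference when triaging AADSTS900144 in this flow: the sketch below is an added example, not code from the provider or from azidentity. It lists the form fields the Microsoft identity platform token endpoint expects when a GitHub OIDC token is exchanged as a client assertion, and reports which ones a captured request body lacks. The function names and all sample values are constructed for illustration, and it makes no claim about where the provider drops the parameter.

```go
package main

import (
	"fmt"
	"net/url"
)

// Form parameters the Microsoft identity platform token endpoint expects for
// a client-credentials grant authenticated by a federated client assertion.
var requiredTokenParams = []string{
	"grant_type", "client_id", "scope", "client_assertion_type", "client_assertion",
}

// BuildTokenForm returns the body for exchanging an external OIDC token
// (here the JWT issued to a GitHub Actions job) for an access token.
func BuildTokenForm(clientID, scope, oidcJWT string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"scope":                 {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {oidcJWT},
	}
}

// MissingTokenParams parses an application/x-www-form-urlencoded body and
// returns the required parameters that are absent or empty, in check order.
func MissingTokenParams(body string) ([]string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, name := range requiredTokenParams {
		if form.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample values; none of them come from the issue.
	good := BuildTokenForm("00000000-0000-0000-0000-000000000000",
		"https://graph.microsoft.com/.default", "header.payload.signature").Encode()
	for _, body := range []string{good, "client_id=x&client_assertion=a.b.c", ""} {
		missing, err := MissingTokenParams(body)
		fmt.Printf("missing=%v err=%v\n", missing, err)
	}
}
```

An empty body, or one sent in a format other than form encoding, reports every field as missing, which is consistent with the endpoint naming `grant_type` first.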

Labels

bug: Something isn't working
