
[bug]: AADSTS7000215: Invalid client secret provided even with valid secret #3868

Open
1 task done
Breee opened this issue Feb 28, 2024 · 2 comments
Labels
bug Something isn't working need testing Needs to be tested before merging onto production

Comments


Breee commented Feb 28, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Env vars:

MICROSOFT_CLIENT_ID=<client>
MICROSOFT_CLIENT_SECRET=<secret>
MICROSOFT_SCOPE=user.read
MICROSOFT_TENANT=<tenant>
MICROSOFT_CALLBACK_URL=https://backend.example.com/v1/auth/microsoft/callback
VITE_ALLOWED_AUTH_PROVIDERS=MICROSOFT

A freshly created secret in my Azure App registration leads to:

[Nest] 42  - 02/28/2024, 10:59:21 AM   ERROR [ExceptionsHandler] AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<client>'. Trace ID: <trace_id> Correlation ID: <correlation_id> Timestamp: 2024-02-28 10:59:21Z

I'm using terraform to deploy the app registration:

[...]  
resource "azuread_application" "aadclient" {
  display_name     = "${var.dns_name}"
  sign_in_audience = "AzureADMyOrg"
  owners           = concat([data.azuread_client_config.current.object_id], data.azuread_users.application_owner_list.object_ids)
  web {

    redirect_uris = [
      "https://backend.${var.dns_name}/v1/auth/microsoft/callback"
    ]

    implicit_grant {
      access_token_issuance_enabled = true
      id_token_issuance_enabled     = true
    }
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch owner Users"
    display_name         = "Hoppscotch owner"
    enabled              = true
    id                   = random_uuid.owner_role_uuid.result
    value                = "OWNER"
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch Editor Users"
    display_name         = "Hoppscotch Editor"
    enabled              = true
    id                   = random_uuid.editor_role_uuid.result
    value                = "EDITOR"
  }

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Hoppscotch Viewer Users"
    display_name         = "Hoppscotch Viewer"
    enabled              = true
    id                   = random_uuid.viewer_role_uuid.result
    value                = "VIEWER"
  }

}

## Client Secrets will expire at some point, so they have to rotate
resource "time_rotating" "client_secret_rotation_days" {
  rotation_days = 120
}

resource "azuread_application_password" "client_secret" {
  application_object_id = azuread_application.aadclient.object_id
  display_name          = "${var.dns_name}"
  rotate_when_changed = {
    rotation = time_rotating.client_secret_rotation_days.id
  }
}
[...] 

The correct client ID and secret are passed to Hoppscotch.
It used to work, so I don't know what changed.

Steps to reproduce

Environment

Production

Version

Self-hosted

@Breee Breee added bug Something isn't working need testing Needs to be tested before merging onto production labels Feb 28, 2024

muellerst-hg commented Feb 29, 2024

Tested the setup:
2023.8.4 works
2023.12.0 broken
2023.12.5 broken
2023.12.6 broken

muellerst-hg commented

Any idea how I can help to investigate?
Is there a way to increase the log level to debug?
