Azure Notification Hubs
An Azure service that is used to send push notifications to all major platforms from the cloud or on-premises environments.
Cannot send a Toast Notification through Notification Hub Error: The Token obtained from the Token Provider is wrong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 81%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
Gary Hustis
0
Reputation points
I have set up a Notification Hub and have configured my app as described in this tutorial: https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification . I have configured the app through the store & entered the config values in Notification Hub. I have double & triple checked that the values are accurate. In my app I register with Azure tike this:
var channel = await PushNotificationChannelManager.CreatePushNotificationChannelForApplicationAsync();
var hub = new NotificationHub(Secrets.HubName, Secrets.HubConnectionString);
channelID = channel.Uri;
var _date = DateTime.Now.ToString();
var result = await hub.RegisterNativeAsync(channelID);
string registraionID = result.RegistrationId;
The app becomes registered & I get a registratioID back. But when I attempt to send a toast test message using the toast format provided by the Azure Hub
<?xml version="1.0" encoding="utf-8"?>
<toast>
<visual><binding template="ToastText01">
<text id="1">Test message</text>
</binding>
</visual>
</toast>
I get the error: The Token obtained from the Token Provider is wrong. All searches imply that this error refers to the fact that the credentials do not match between the application & the HUB. But I assure you that they do match. I have checked for typo's or wrong entries and have painstakingly assured that credential are in sync.
I have used external tools like Powershell to retrieve an token and send a notification directly to WNS and it fails to authenticate. I have used this method in my test app to retrieve credentials and I get a token back successfully:
private static async Task<string> GetWnsAccessToken(string sid, string secret)
{
string _date = DateTime.Now.ToString();
using (var client = new HttpClient())
{
var body = $"grant_type=client_credentials&client_id={Uri.EscapeDataString(sid)}&client_secret={Uri.EscapeDataString(secret)}&scope=notify.windows.com";
var content = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded");
var response = await client.PostAsync("https://login.live.com/accesstoken.srf", content);
try
{
var glh = response.EnsureSuccessStatusCode();
if (!glh.IsSuccessStatusCode)
{
File.AppendAllText("WnsLog.txt", $"{_date}: GetWnsAccessToken-Failed Getting token:\n {glh.StatusCode}\n");
}
}
catch(Exception ex)
{
File.AppendAllText("WnsLog.txt", $"{_date}: GetWnsAccessToken-Error Getting token:\n {ex.Message}\n");
}
var json = await response.Content.ReadAsStringAsync();
using var doc = System.Text.Json.JsonDocument.Parse(json);
return doc.RootElement.GetProperty("access_token").GetString();
}
}
But when it's used it is rejected "Forbidden".
The only thing that seems to be not in sync, but all instructions, and validations imply it should be this way is the Package SID. Notification Hub Settings requires the SID to be prepended with 'ms-app://'. Where as in the Partner Center the SID has no such prefix. Is this an issue?
Where should I be looking to solve this? Is there some undocumented item that I'm missing. Any help would be appreciated.
Azure Notification Hubs
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Srikanth Reddy Bandi 255 Reputation points Microsoft External Staff Moderator2025-08-19T04:58:41.7066667+00:00 Hello Gary Hustis,
Thank you for submitting your question on Microsoft Q&A.
We have sent you a private message requesting some additional information to help us better understand of this issue, kindly review the message and provide the requested details.
-
Gary Hustis 0 Reputation points
2025-08-19T19:53:32.3166667+00:00 I responded to the private message this morning
-
Srikanth Reddy Bandi 255 Reputation points Microsoft External Staff Moderator
2025-08-20T05:21:56.7733333+00:00 Gary Hustis Thank you for providing such thorough details. Let’s tackle each of your points with clear solutions.
1. Package SID and 'ms-app://' Prefix
The '
ms-app://' prefix is a required part of Azure Notification Hub configuration for Windows Store apps, even though it’s not shown in Partner Center. This is by design, and it ensures that notifications are routed correctly.2. "Forbidden" Error with Access Token
Receiving a "Forbidden" error, despite having a valid access token, highlights an authorization gap. The token likely lacks the necessary scopes or permissions. It’s essential to confirm that your App Registration in Azure Active Directory has the right permissions for Notification Hub operations.
3. Client ID and Secret
You made the right decision by keeping your Client ID and Secret confidential. Protecting these credentials is critical for maintaining security.
4. Network Issues
With network connectivity confirmed, we can eliminate network issues as a cause. The problem is almost certainly tied to authorization or configuration.
5. Device Registration Process
Your device registration code is implemented correctly. The
hub.RegisterNativeAsync(channelID)method uses the connection string as intended, and successful registration confirms this part is working. The "Forbidden" error when sending notifications points to a permissions issue with the access token, not with your client code.Recommended Next Steps
- Review App Registration Permissions: Ensure your app registration in Azure has the necessary API permissions, such as
user_impersonationfor the Azure Service Management API. - Verify Access Token Scope: When generating the access token, confirm you’re requesting the right scope, such as https://notificationhubs.windows.net/.default..
- Compare Authentication Methods:
- The
hub.RegisterNativeAsync()method uses the SAS from your connection string, which works as expected. - The "Forbidden" error arises when your external code uses an OAuth 2.0 access token, indicating an authentication difference.
- The
- Test with SAS: Attempt to send a notification using the Shared Access Signature instead of the OAuth 2.0 token. If this succeeds, it confirms the access token’s permissions are the root cause.
- Review App Registration Permissions: Ensure your app registration in Azure has the necessary API permissions, such as
-
Srikanth Reddy Bandi 255 Reputation points Microsoft External Staff Moderator
2025-08-22T07:25:16.48+00:00 Hello Gary Hustis,
The main issue is that there's a mismatch between the token endpoint you're using (login.live.com) and the type of application registration you likely have (Microsoft Entra ID). The
login.live.comendpoint is intended for older Microsoft Account (MSA) apps, while most current apps use Microsoft Entra ID.Although you’re able to get a token from
login.live.com, the WNS endpoint expects a token from a Microsoft Entra ID tenant, so it rejects the token and the request fails.
The Cause: Incorrect Authentication Endpoint
Your code currently uses an endpoint meant for Microsoft Account (MSA) authentication:
https://login.live.com/accesstoken.srf
For applications registered in Azure (Microsoft Entra ID), you need to use the Microsoft Entra ID endpoint.
The Solution: Update Endpoint and Scope
To resolve this, update both the token endpoint and the scope in your code.
- Update the Token Endpoint:
- Use https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token as your endpoint.
- Your tenant_id is available in the Azure portal under the Overview page of your Microsoft Entra ID instance.
- Update the Scope:
- While notify.windows.com is correct, for Microsoft Entra ID apps, use the .default scope to request all API permissions assigned to your app.
Corrected Code Example:
// The correct endpoint for modern applications var tenantId = "YOUR_TENANT_ID"; var tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"; // The modern, recommended scope var scope = "https://api.wns.windows.com/.default"; var body = $"grant_type=client_credentials&client_id={Uri.EscapeDataString(sid)}&client_secret={Uri.EscapeDataString(secret)}&scope={Uri.EscapeDataString(scope)}"; var content = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded"); // Change the PostAsync URI to the new endpoint var response = await client.PostAsync(tokenEndpoint, content);Relevant Microsoft Documentation:
Microsoft provides documentation on this process:
- Windows Push Notification Services (WNS) Authentication: Explains WNS authentication, the client credentials flow, and the difference between MSA and Microsoft Entra ID endpoints.
- Get access without a signed-in user: Details the client credentials flow and the use of the .default scope and Microsoft Entra ID endpoint.
- Update the Token Endpoint:
Sign in to comment