Scopes for more than one resource

(0) Share

Report

Posted on by Galasso

Hi all,

following this tutorial I was able to configure the end user authentication.

However if I put in the "Scopes" field scopes related to more than one resources (e.g. MS Graph and custom API), the authentication will fail.

Is this a supported scenario (and I'm doing something wrong) or it is not?

Thanks,

Alessandro.

Categories:

General topics

I have the same question (0)

All responses (4)

Answers (1)

Sort by

CU22081450-0 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!

Hi @Galasso ,

Did you use the space to separate the Scopes?

If yes, try to use a comma.

Was this reply helpful? Yes No
Galasso 26 on at

Like (0)

Report
Copy link

Link copied!
Hi Renato,
just tried to use this scope:
https://graph.microsoft.com/User.Read,https://AAAAA.onmicrosoft.com/BBBBB/XXXXX

but receiving following error:
{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_resource&error_description=AADSTS500011%3a+The+resource+principal+named+https%3a%2f%2fgraph.microsoft.com%2fUser.Read%2chttps%3a%2f%2fAAAAA.onmicrosoft.com%2fBBBBB+was+not+found+in+the+tenant+named+CCCCCC.+This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.+You+might+have+sent+your+authentication+request+to+the+wrong+tenant.%0d%0aTrace+ID%3a+DDDDD%0aCorrelation+ID%3a+EEEEEE%0aTimestamp%3a+2020-09-02+13%3a35%3a07Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d500011&state=c6a54ed44b2745c98b28e37944fdca2d" } }
Scope List delimiter is set to ","
So, it seems that it is expecting the blank space.
Even if I use only MS Graph scopes separated by comma, it does not work:

{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+8e2ca637-0189-48ff-a2e4-88bd4dfa1900%0d%0aCorrelation+ID%3a+3accac6f-34c7-4ec7-b582-66158a41b275%0d%0aTimestamp%3a+2020-09-02+13%3a27%3a05Z&state=78cb4033e0a8450f8b6dd47f5d093e54" } }
or
{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+785ad923-7ee6-4db0-89d1-7246b9fb1b00%0d%0aCorrelation+ID%3a+e89bc6d3-4d82-40f7-bb5d-f609e7b6f584%0d%0aTimestamp%3a+2020-09-02+13%3a46%3a43Z&state=58ac2028a2414121a4365b6a282f45e4" } }

Was this reply helpful? Yes No
Verified answer

BoLi Microsoft Employee on at

Like (1)

Report
Copy link

Link copied!

Hi Galasso,
Thank you for your ask. Generate one token for multiple audiences are not supported by AAD today. MSGrapi api and custom api suppose should have different tokens. AAD today only take the first set of scopes and generate token for that while ignore the other sets. We are working with out dependent team to generate multiple tokens for different audience so you can use them seperately. So, in a word, we cannot do this today but are planning to support this feature in future.

Thanks
Bo

Was this reply helpful? Yes No
Galasso 26 on at

Like (0)

Report
Copy link

Link copied!

Hi @BoLi
thanks for your answer.

Alessandro.

Was this reply helpful? Yes No