JeroenB

Reputation: 461

v2 app model, Office365 for native apps: AADSTS65005: Dynamic scope is invalid

I have a problem with the Azure AD v2 authentication endpoint (v2 app model). Our application uses this endpoint and uses the Outlook REST APIs. I have two test accounts:

  1. a dev outlook.com account
  2. an office365 account

I have built 2 ways of logging in:

  1. Web Implicit flow
  2. Native public client (no secret)

In total 4 scenarios:

The last scenario fails and we need it to work. It uses exactly the same code as the outlook.com scenario, which works. First we let the user log in in a web control, then the user accepts the permissions and then we get the id token.

We then use that to get the Access token and it fails for Office 365 with AADSTS65005: Dynamic scope is invalid: application...

See request details below.

Why? Can anyone reproduce or please help?

Regards,

Jeroen

Request: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=b75022be-f556-40ec-9785-c3639e65158b&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
code=CODE_REMOVED_FOR_EXAMPLE&
session_state=98fb6ce4-e219-4265-8347-cc64199895a8&
grant_type=authorization_code

Response: HTTP/1.1 400 Bad Request

{
  "error":"unauthorized_client",
  "error_description":"AADSTS65005: Dynamic scope is invalid: application 00000000-0000-0000-0000-000000000000 does not exist. Request ID: 94cd9ca3-c376-4d94-854e-bfc4f7ac3161, Timestamp: 02/26/2016 14:06:55\r\nTrace ID: 727ebe28-e7e2-4817-87fc-5f94b637c00e\r\nCorrelation ID: e4c5a448-3ba4-4de6-aaa9-df2f9c501ca5\r\nTimestamp: 2016-02-26 14:06:55Z",
  "error_codes":[65005],
  "timestamp":"2016-02-26 14:06:55Z",
  "trace_id":"727ebe28-e7e2-4817-87fc-5f94b637c00e",
  "correlation_id":"e4c5a448-3ba4-4de6-aaa9-df2f9c501ca5"
}

Upvotes: 3

Views: 279

Answers (1)

JeroenB

Reputation: 461

I resolved the issue: it appeared that the "scope=" parameter is also required in the request to https://login.microsoftonline.com/common/oauth2/v2.0/token. It works now. It is a little bit strange that for outlook.com it also works without this parameter.

Upvotes: 2
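
The fix from the answer, as an added example that is not part of the original post: a pre-flight check that finds the missing `scope` in the request body from the question, and a builder that form-encodes the corrected request for a public client. The function names and the sample scope values are assumptions; the client id, redirect URI and code placeholder are the ones shown in the question.

```python
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Fields the question already sends, plus the "scope" the answer found missing.
REQUIRED = ("client_id", "grant_type", "code", "redirect_uri", "scope")

# Request body as posted in the question (code placeholder kept as on the page).
CAPTURED_BODY = (
    "client_id=b75022be-f556-40ec-9785-c3639e65158b&"
    "redirect_uri=urn:ietf:wg:oauth:2.0:oob&"
    "code=CODE_REMOVED_FOR_EXAMPLE&"
    "session_state=98fb6ce4-e219-4265-8347-cc64199895a8&"
    "grant_type=authorization_code"
)

# Assumed sample scopes; use the ones requested at the authorize step.
SAMPLE_SCOPES = ["openid", "offline_access", "https://outlook.office.com/mail.read"]


def missing_params(body):
    """List required token-request fields that are absent or blank in a form body."""
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name in REQUIRED if not fields.get(name, [""])[0].strip()]


def build_token_body(client_id, code, redirect_uri, scopes):
    """Form-encode an authorization_code redemption for a public client (no secret)."""
    scopes = [s.strip() for s in scopes if s and s.strip()]
    if not scopes:
        raise ValueError("scope is required on the v2.0 token request")
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited list, form-encoded by urlencode
    })


if __name__ == "__main__":
    print("POST", TOKEN_URL)
    print("missing in captured request:", missing_params(CAPTURED_BODY))
    fixed = build_token_body("b75022be-f556-40ec-9785-c3639e65158b",
                             "CODE_REMOVED_FOR_EXAMPLE",
                             "urn:ietf:wg:oauth:2.0:oob", SAMPLE_SCOPES)
    print(fixed)
```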
