Reputation: 61
MSAL Error message AADSTS65005 when trying to get token for accessing custom api
I downloaded the example below to get an access token from MS Graph and it worked fine. Now I changed the code to get a token from a custom web API. On apps.dev.microsoft.com I registered a client application and an the API.
Client and server registration in AD
private static async Task<AuthenticationResult> GetToken()
{
const string clientId = "185adc28-7e72-4f07-a052-651755513825";
var clientApp = new PublicClientApplication(clientId);
AuthenticationResult result = null;
string[] scopes = new string[] { "api://f69953b0-2d7f-4523-a8df-01f216b55200/Test" };
try
{
result = await clientApp.AcquireTokenAsync(scopes, "", UIBehavior.SelectAccount, string.Empty);
}
catch (Exception x)
{
if (x.Message == "User canceled authentication")
{
}
return null;
}
return result;
}
When I run the code I login to AD via the dialog en get the following exception in the debugger:
Error: Invalid client Message = "AADSTS65005: The application 'CoreWebAPIAzureADClient' asked for scope 'offline_access' that doesn't exist on the resource. Contact the app vendor.\r\nTrace ID: 56a4b5ad-8ca1-4c41-b961-c74d84911300\r\nCorrelation ID: a4350378-b802-4364-8464-c6fdf105cbf1\r...
Help appreciated trying for days...
Upvotes: 6
Views: 11303
Answers (3)
Reputation: 19184
For anyone still striking this problem, please read this:
https://www.andrew-best.com/posts/please-sir-can-i-have-some-auth/
You'll feel better after this guy reflects all of your frustrations, except that he works it out...
If using adal.js, for your scope you need to use
const tokenRequest = {
scopes: ["https://management.azure.com/user_impersonation"]
};
I spent a week using
const tokenRequest = {
scopes: ["user_impersonation"]
};
.. since that is the format that the graph API scopes took
Upvotes: 9
Reputation: 81791
In your (server) application registration in AAD, you need to specify your scopes in the oauth2Permissions element.
You may already have a user_impersonation scope set. Copy that as a baseline, give it a unique GUID and value, and then AAD will let your client request an access token with your new scope.
Upvotes: 0
Reputation: 12434
As of today, the V2 Endpoint does not support API access other than the Microsoft Graph. See the limitations of the V2 app model here.
Standalone Web APIs
You can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID. You cannot access a Web API from a client that has a different Application ID. The client won't be able to request or obtain permissions to your Web API.
For the specific scenario that you are trying to accomplish, you need to use the V1 App Model (register apps on https://portal.azure.com).
In the very near future, V2 apps will be enabled to call other APIs other than Microsoft Graph, so your scenario will be supported, but that is just not the case today. You should keep an eye out on our documentation for this update.
Upvotes: 4
Related Questions
- Why do I get a AADSTS50196 request loop in C# when getting a access token?
- AADSTS700016: Failed to obtain access token when authenticating to Azure with MSAL
- AdalSilentTokenAcquisitionException when trying to acquire the token in c#
- MSAL - Problem acquiring token with IntegratedWindowsAuth
- Getting MsalServiceException: 'AADSTS501461 when trying to access a Web API from a console app using Msal
- Unauthorized request in Sharepoint API with MSAL token
- MSAL Web API Authorization has been denied for this request error
- Azure AD authentication token fails web api authorization
- Access Token do not include access for API with MSAL
- Web API on-behalf-of adal id_token error