Nimesh Gami

Reputation: 381

Azure AD access token does not contain Scope (scp)

I have created a multi-tenant application in Azure AD. When I try to get an access token and check it in jwt.io, I find that scp (Scope) is missing.

//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.ReadWrite%20User.ReadBasic.All%20Sites.ReadWrite.All%20Contacts.ReadWrite%20People.Read%20Notes.ReadWrite.All%20Tasks.ReadWrite%20Mail.ReadWrite%20Files.ReadWrite.All%20Calendars.ReadWrite";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&scope=https://graph.windows.net/directory.read%20https://graph.windows.net/directory.write";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
//string authority = "https://login.microsoftonline.com/{0}";
//string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
//string authority = "https://login.microsoftonline.com/{0}/oauth2/token?scope=User.ReadBasic.All";
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/token?response_type=token&scope=User.ReadBasic.All";

I have tried many combinations for the authority URL.

using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

string graphResourceId = "https://graph.microsoft.com";
string clientId = "XXXX";
string secret = "XXXX";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
// Client credentials grant: the application authenticates as itself, with no signed-in user.
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result;


How do I get the scope of the microsoft.graph resource?

Upvotes: 2

Views: 2645

Answers (1)

Tom Sun

Reputation: 24529

Delegated permissions are presented to the resource at run-time as "scp" claims in the client's access token.

But you are using application permissions, which specify role-based access using the client application's credentials/identity and are presented to the resource at run-time as "roles" claims in the client's access token.

"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.

Application permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.


How do I get the scope of the microsoft.graph resource?

We could get the answer from this link.

Permission requests are configured on the "Applications" / "Settings" tab in the Azure portal, under "Required Permissions", by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Admin role). Because a public client can't securely maintain credentials, it can only request delegated permissions, while a confidential client has the ability to request both delegated and application permissions. The client's application object stores the declared permissions in its requiredResourceAccess property.


Upvotes: 5
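The distinction this answer draws, as an added example that is not part of the original question or answer: a small Python script that decodes the payload of an access token the way jwt.io does, then classifies it by whether the permissions arrive in "scp" (delegated: a user signed in) or in "roles" (application: the client credentials grant, which is what the ADAL AcquireTokenAsync call with a ClientCredential in the question performs). The three tokens are constructed, unsigned samples with made-up claim values, and decode_payload does not check a signature, so it is for inspection only; a real resource must validate signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') token for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying the signature.

    This is what jwt.io shows you. It is fine for looking at a token;
    it must never be the only thing a resource does before authorising.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_model(claims: dict) -> str:
    """Classify an Azure AD access token by the claim carrying its permissions.

    'scp'   -> delegated permissions; a user signed in (auth code, implicit,
               on-behalf-of). Space-separated string.
    'roles' -> application permissions; client credentials, no user. JSON array.
    A client-credentials token never carries 'scp', which is the asker's symptom.
    """
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"  # no permissions granted: the resource will reject it


def granted_permissions(claims: dict) -> set:
    """Normalise both claim shapes into one set of permission names."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def authorize(claims: dict, audience: str, required: str) -> bool:
    """Resource-side check: correct audience and the permission present in either claim."""
    return claims.get("aud") == audience and required in granted_permissions(claims)


# Constructed sample claim sets (values are made up; GUIDs are placeholders).
GRAPH = "https://graph.microsoft.com"
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": GRAPH, "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "upn": "alice@contoso.example",
    "scp": "openid profile User.ReadBasic.All",
})
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": GRAPH, "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["User.Read.All"],
})
NO_PERMISSIONS_TOKEN = make_unsigned_jwt({
    "aud": GRAPH, "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN),
                      ("no permissions", NO_PERMISSIONS_TOKEN)]:
        claims = decode_payload(tok)
        print(f"{name:15} model={permission_model(claims):12} "
              f"perms={sorted(granted_permissions(claims))}")
```

Running it against a real token from the question's ADAL call would print "application" (or "none" if no application permission has been granted and admin-consented); to see "scp" at all, the token has to come from a flow with a signed-in user.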
