Reputation: 25
I'm attempting to create a Blazor Application that integrates with the Microsoft Graph API (specifically OneDrive) and uses Azure AD B2C for authentication.
I'm using Microsoft.Identity.Web 0.3.1-preview
The Setup.cs is as follows:
public void ConfigureServices(IServiceCollection services)
{
    // Configuration to sign-in users with Azure AD B2C
    services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
        // initial scopes requested at sign-in for the downstream API (here: Graph)
        .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "https://graph.microsoft.com/.default" })
        // registers a GraphServiceClient pointed at the beta endpoint
        .AddMicrosoftGraph("https://graph.microsoft.com/beta")
        .AddInMemoryTokenCaches();
...
The Service then uses ITokenAcquisition to request a token as follows:
public MyService(ITokenAcquisition tokenAcquisition, IOptions<WebOptions> webOptionValue,
    AuthenticationStateProvider AuthenticationStateProvider)
{
    _tokenAcquisition = tokenAcquisition; // await is not allowed in a constructor
}
public async Task<string> GetGraphTokenAsync()
{
    string result = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" });
I'm authenticating using a Microsoft linked account and can see the live.com claim in the AuthenticationStateProvider.
Passing in the basic user.read to GetAccessTokenForUserAsync results in an exception "The scope 'user.read' provided in the request is not supported". I've tried specifying the scope as https://graph.microsoft.com/user.read; however, this just returns null.
Any suggestions would be greatly appreciated.
Upvotes: 1
Views: 1480
Reputation: 14724
Tokens that are issued by Azure AD B2C are intended for use by an Azure AD B2C-registered client with an Azure AD B2C-registered resource.
Microsoft Graph API is not an Azure AD B2C-registered resource, so the https://graph.microsoft.com/ scopes aren't supported.
Alternatively, you might consider passing the access token through, as the idp_access_token claim, from the Microsoft identity provider to your Azure AD B2C-registered client.
A custom policy is needed for the Microsoft identity provider to pass this through.
Upvotes: 1
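One way to consume the pass-through token this answer describes, as an added example that is not code from the question, the answer or Microsoft.Identity.Web: a Blazor Server service that reads the idp_access_token claim from the signed-in user and calls Graph with it directly, bypassing B2C token acquisition. The class name, the DriveSummary type, the use of IHttpClientFactory and the custom-policy XML quoted in the header comment are my assumptions (the XML follows the Azure AD B2C custom-policy documentation for passing an identity provider access token and is not shown on this page); the claim name idp_access_token is the one the answer names.

```csharp
// Added example, not from the question or answer: a Blazor Server service that
// calls Graph with the Microsoft-account access token which a B2C custom policy
// has passed through as the "idp_access_token" claim (the approach in the answer
// above), instead of asking B2C itself for a Graph token.
//
// Assumed custom-policy wiring (from the B2C custom-policy docs; not on this page):
//   in the Microsoft-account technical profile:
//     <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken"
//                  PartnerClaimType="{oauth2:access_token}" />
//   in the relying-party policy's <OutputClaims>:
//     <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken"
//                  PartnerClaimType="idp_access_token" />
//   and the technical profile's "scope" metadata must request the Graph
//   permissions this code needs (for OneDrive, e.g. Files.Read); a token that
//   was only issued for "openid profile" will be rejected by Graph.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

public class OneDriveViaIdpTokenService
{
    private readonly AuthenticationStateProvider _authState;
    private readonly IHttpClientFactory _httpClientFactory;

    public OneDriveViaIdpTokenService(AuthenticationStateProvider authState,
                                      IHttpClientFactory httpClientFactory)
    {
        _authState = authState;
        _httpClientFactory = httpClientFactory;
    }

    // The claim is only present when the user signed in through the Microsoft
    // identity provider via a policy that emits it; local B2C accounts won't have it.
    public async Task<string> GetIdpAccessTokenAsync()
    {
        var state = await _authState.GetAuthenticationStateAsync();
        var user = state.User;
        if (user.Identity == null || !user.Identity.IsAuthenticated)
            return null;
        return user.FindFirst("idp_access_token")?.Value;
    }

    // Calls Graph directly with the pass-through token. Returns null when the
    // token is missing or Graph rejects it (401/403), which is the usual sign that
    // it has expired or lacks the needed scopes: B2C does not refresh this token,
    // so the user has to sign in again to obtain a fresh one.
    public async Task<DriveSummary> GetMyDriveAsync()
    {
        var token = await GetIdpAccessTokenAsync();
        if (string.IsNullOrEmpty(token))
            return null;

        var client = _httpClientFactory.CreateClient();
        using var request = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/me/drive");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        using var response = await client.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Unauthorized ||
            response.StatusCode == HttpStatusCode.Forbidden)
            return null;

        response.EnsureSuccessStatusCode();
        // ReadFromJsonAsync uses web defaults, so "id"/"driveType" map case-insensitively.
        return await response.Content.ReadFromJsonAsync<DriveSummary>();
    }

    public class DriveSummary
    {
        public string Id { get; set; }
        public string DriveType { get; set; }
    }
}
```

Register it alongside services.AddHttpClient() and services.AddScoped<OneDriveViaIdpTokenService>() in ConfigureServices. Two caveats worth keeping in mind with this pattern: the identity provider's access token travels inside the B2C-issued ID token, so it reaches whatever receives that token (fine for a server-side Blazor app, less so for Blazor WebAssembly, where it would sit in the browser), and it should never be logged; and because B2C has no refresh token for it, plan for the 401 path above rather than assuming the token stays valid for the length of the user's session.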