Ihsan Haikal

Reputation: 1215

Java Graph API scopes issue

I am very new to the Microsoft Graph API and am trying to play around with it using the Java SDK, following the tutorials on https://github.com/microsoftgraph/msgraph-sdk-java and https://learn.microsoft.com/en-us/graph/tutorials/java with the following code:

    import java.util.Arrays;
    import java.util.List;
    import com.azure.identity.ClientSecretCredential;
    import com.azure.identity.ClientSecretCredentialBuilder;
    import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
    import com.microsoft.graph.models.User;
    import com.microsoft.graph.requests.GraphServiceClient;
    import okhttp3.Request;

    String clientId = "clientId";
    String clientSecret = "secret";
    String tenantId = "tenantId";
    String authTenant = "common";
    // Scopes requested for the token
    List<String> scopes = Arrays.asList("openid", "offline_access");

    // Client credentials (app-only) credential built from the app registration values
    final ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
            .clientId(clientId)
            .clientSecret(clientSecret)
            .tenantId(tenantId)
            .build();

    final TokenCredentialAuthProvider tokenCredentialAuthProvider =
            new TokenCredentialAuthProvider(scopes, clientSecretCredential);

    GraphServiceClient<Request> graphClient = GraphServiceClient
            .builder()
            .authenticationProvider(tokenCredentialAuthProvider)
            .buildClient();

    User me = graphClient.me().buildRequest().get();
    System.out.println(me);

However, when I tried to run it, it printed the following:

Caused by: java.io.IOException: java.util.concurrent.ExecutionException: com.microsoft.aad.msal4j.MsalServiceException: AADSTS1002012: The provided value for scope openid profile offline_access openid offline_access is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).

What would be the correct scope for running this? Is there any documentation regarding the scope?

Upvotes: 0

Views: 2099

Answers (1)

kavya Saraboju

Reputation: 10831

client_credentials is the flow where the app makes service-to-service calls using application-only permissions.

  • So here, there is no user interaction or interface. In that case, there is no concept of dynamic consent, as the application must statically configure the permissions that it needs.
  • You have to add the desired permissions (in this case, email, offline_access, openid) in the API permissions section of your app registration in the Azure portal, AND, since the client credentials flow is used, an admin has to grant consent.


Use a scope in the app with a format similar to {Application ID URI}/.default, which indicates that the requested scopes are the ones that are statically defined in the app object set in the Azure portal.

  • For example, for the Microsoft Graph scope to work, it should be https://graph.microsoft.com/.default. It tells the Microsoft identity platform that, of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.

See OAuth 2.0 client credentials flow

I reproduced the scenario in my environment with Postman, using scopes similar to the ones you gave, and got a similar error.


I then changed the scope to https://graph.microsoft.com/.default and got the token successfully.


References:

  1. azure - How to get access token without sign-up or sign-in to web app? - Stack Overflow
  2. Just what is the /.default scope in the Microsoft identity platform & Azure AD? - DEV Community

Upvotes: 2
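The corrected client-credentials setup from the answer, as an added example that is not part of the question or the accepted answer. It assumes the msgraph-sdk-java 5.x API used in the question, reads the app registration values from hypothetical environment variables instead of hard-coding the secret, and calls `/users` rather than `/me`, because an app-only token carries no signed-in user for `/me` to resolve.

```java
import java.util.List;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.models.User;
import com.microsoft.graph.requests.GraphServiceClient;
import com.microsoft.graph.requests.UserCollectionPage;

import okhttp3.Request;

public class GraphAppOnlyExample {
    public static void main(String[] args) {
        // Hypothetical environment variables: in a real deployment read these
        // from a secret store or the environment, never hard-code the secret.
        String tenantId = System.getenv("AZURE_TENANT_ID");
        String clientId = System.getenv("AZURE_CLIENT_ID");
        String clientSecret = System.getenv("AZURE_CLIENT_SECRET");

        // Client credentials flow: the only accepted scope shape is
        // "<resource>/.default", meaning "all application permissions an admin
        // has consented to for this app on this resource" (here Microsoft Graph).
        List<String> scopes = List.of("https://graph.microsoft.com/.default");

        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)   // the app's own tenant id, not "common"
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        TokenCredentialAuthProvider authProvider =
                new TokenCredentialAuthProvider(scopes, credential);

        GraphServiceClient<Request> graphClient = GraphServiceClient.builder()
                .authenticationProvider(authProvider)
                .buildClient();

        // An app-only token has no signed-in user, so /me cannot succeed.
        // Call a resource that an application permission covers instead; this
        // request needs e.g. User.Read.All granted with admin consent.
        UserCollectionPage page = graphClient.users()
                .buildRequest()
                .select("id,displayName,userPrincipalName")
                .top(5)
                .get();

        for (User u : page.getCurrentPage()) {
            System.out.println(u.displayName + " <" + u.userPrincipalName + ">");
        }
    }
}
```

If the app registration lacks a consented application permission for the resource, the token request still succeeds with the /.default scope but the Graph call returns an authorization error, which is the expected least-privilege behaviour.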
