Reputation: 101
Hello, I am getting the below error.
AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'user.read%20mail.read' does not exist.\r\nTrace ID: 5c5ced96-67a8-4c02-8b24-755e69b07f00\r\nCorrelation ID: 36d8e66d-fbf8-454d-95d6-0a0ad5f70836\r\nTimestamp: 2022-10-06 11:46:44Z
I am calling the Auth URL
I am successfully getting the code on the redirect URL. But when I call the access token POST URL, I get an error.
https://login.microsoftonline.com/common/oauth2/v2.0/token
Below is the Token URL response
{ "error": "invalid_scope", "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'user.read%20mail.read' does not exist.\r\nTrace ID: 5c5ced96-67a8-4c02-8b24-755e69b07f00\r\nCorrelation ID: 36d8e66d-fbf8-454d-95d6-0a0ad5f70836\r\nTimestamp: 2022-10-06 11:46:44Z", "error_codes": [ 70011 ], "timestamp": "2022-10-06 11:46:44Z", "trace_id": "5c5ced96-67a8-4c02-8b24-755e69b07f00", "correlation_id": "36d8e66d-fbf8-454d-95d6-0a0ad5f70836" }
I added the below permissions in my Azure account.
Can you please help with what I am doing wrong? Postman is working fine; I have to implement this in C#.
Upvotes: 0
Views: 2475
Reputation: 16109
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD Multi-Tenant Application and granted the API permissions:
I generated the code successfully with the below endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=client_id
&response_type=code
&redirect_uri=redirect_url
&response_mode=query
&scope=user.read mail.read
&state=12345
To generate the access token via Postman, please make use of the below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:client_id
redirect_uri:redirect_url
grant_type:authorization_code
scope:user.read mail.read
code:code
client_secret:******
To resolve the error AADSTS70011, try replacing the scope parameter with user.read mail.read.
I am able to generate access token successfully like below:
To generate the access token via Authorization_Code flow using C#, please make use of the below sample code:
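// MSAL.NET method signature (on IConfidentialClientApplication)
AcquireTokenByAuthorizationCode(
    IEnumerable<string> scopes,
    string authorizationCode)

// ASP.NET Core startup: register Azure AD authentication from the "AzureAd" config section
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => configuration.Bind("AzureAd", options));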
For complete code, please refer to this GitHub Blog.
Upvotes: 1
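The error text shows that the token endpoint received the scope with a literal %20 in it. One way this happens in C# (an assumption, since the question's code is not shown) is handing an already percent-encoded scope to a form encoder. The following is an added example, not part of the answer above; it uses HttpClient's FormUrlEncodedContent, and client_id, redirect_url, the code value and the CLIENT_SECRET environment variable name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

static class TokenRequestDemo
{
    const string TokenUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token";

    // Builds the form body for the authorization_code grant. FormUrlEncodedContent
    // percent-encodes every value itself, so callers must pass raw strings.
    // client_id / redirect_url are placeholders; CLIENT_SECRET is a hypothetical
    // environment variable name, used so the secret is not hard-coded in source.
    static FormUrlEncodedContent BuildBody(string scope, string code) =>
        new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = "client_id",
            ["redirect_uri"] = "redirect_url",
            ["grant_type"] = "authorization_code",
            ["scope"] = scope,
            ["code"] = code,
            ["client_secret"] = Environment.GetEnvironmentVariable("CLIENT_SECRET") ?? "",
        });

    // Redeems an authorization code with the raw, space-separated scope.
    // Needs network access and real app registration values; not called by Main.
    static async Task<string> RedeemAsync(HttpClient http, string code)
    {
        using var body = BuildBody("user.read mail.read", code);
        using var resp = await http.PostAsync(TokenUrl, body);
        return await resp.Content.ReadAsStringAsync();
    }

    static async Task Main()
    {
        // Pre-encoded scope: the encoder escapes the '%' again (to %25), so the
        // server decodes the value back to the literal text "user.read%20mail.read".
        string doubleEncoded = await BuildBody("user.read%20mail.read", "code").ReadAsStringAsync();
        Console.WriteLine(doubleEncoded);
        Console.WriteLine(doubleEncoded.Contains("scope=user.read%2520mail.read"));

        // Raw scope: the space is encoded exactly once (as '+') and the server
        // decodes it to two scopes, user.read and mail.read.
        string encodedOnce = await BuildBody("user.read mail.read", "code").ReadAsStringAsync();
        Console.WriteLine(encodedOnce);
        Console.WriteLine(encodedOnce.Contains("scope=user.read+mail.read"));
    }
}
```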