klovaaxel

Reputation: 47

Azure Entra ID OAuth2 can't seem to get past the invalid scope error. How should I send in the scopes?

I'm trying to get OAuth access for Azure DevOps to access my work items. I think I have most of the beginnings in place: I have an app registered in Entra ID and I have set up the API permissions like this

Azure portal API permissions, showing permissions for vso.profile and vso.work

From my app I get redirected to a Microsoft login page. The scope part of the url looks like scope=https%3A%2F%2Fapp.vssps.visualstudio.com%2F.work (scope=https://app.vssps.visualstudio.com/.work without url formatting).

I log in and get redirected back to my callback URL, but in the URL params I get this: error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input%20parameter%20%27scope%27%20is%20not%20valid.%20The%20scope%20%27https://app.vssps.visualstudio.com/.work%27%20does%20not%20exist.

error: invalid_scope

error_description:

The provided value for the input parameter 'scope' is not valid. 
The scope 'https://app.vssps.visualstudio.com/.work' does not exist.

I'm not sure why I get this error. I can't really find info on what scopes should exist, and everything I find points towards https://app.vssps.visualstudio.com/.work being correct.

How to resolve it?

I have tried multiple different scopes for Azure DevOps, I have tried formatting the scope in several ways, and somewhere there was a reference to a GUID-formatted scope 499b84ac-1321-427f-aa17-267ca6975798/.default, but nothing has given me anything other than the mentioned error message.

I have also tried with and without URI Encoding.

Upvotes: 0

Views: 453

Answers (1)

wade zhou - MSFT

Reputation: 8478

As per the description, you are using Azure Entra Id OAuth2 and created the app registration.

Since you need to access DevOps work items with the app registration, you can:

  1. Grant API permissions.

  2. Add https://jwt.ms as Redirect URI.

  3. Create a secret token for the app, and copy the value for later steps.

  4. Grant admin consent for the permissions. If you don't have permission, you can ask a tenant admin to grant it. If you cannot grant admin consent, please still go to the next step.

  5. Replace tenantID and appID with yours, then make the authorization request below via a web browser to get the code value:
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=499b84ac-1321-427f-aa17-267ca6975798/.default
&state=12345

It will require you to log in; if you didn't grant admin consent in step 4, it will pop up a window, click Accept to proceed. Then you will get the code.

  6. Then you can generate the access token using the code above:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id: <appID>
client_secret: <secret>
scope:499b84ac-1321-427f-aa17-267ca6975798/.default
code: <paste_code_from_above_request>
redirect_uri: https://jwt.ms

The access token can be used with the REST API to access DevOps work items:

Achieved with the REST API below, Wiql - Query By Wiql, to get the list:

$access_token = "the value above"
$auth = "Bearer " + $access_token

# Define the URI for the REST API call to get work item IDs
$uri = "https://dev.azure.com/{orgname}/{projectname}/{teamid}/_apis/wit/wiql?api-version=6.0"

# Define the WIQL query to get all work items
$wiql = @{
    query = "Select [System.Id], [System.Title] From WorkItems WHERE [System.TeamProject] = @project"
} | ConvertTo-Json

# Make the REST API call to get the work items (Authorization: Bearer <access_token>)
$response = Invoke-RestMethod -Uri $uri -Method Post -Headers @{ 'Authorization' = $auth } -Body $wiql -ContentType "application/json"

$response.workItems | ConvertTo-Json


Upvotes: 0
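As an added example that is not part of the question or the answer above, the same authorization-code flow in Python: it builds the /authorize request with the GUID/.default scope from the answer percent-encoded exactly once, validates the callback so that an invalid_scope response like the one in the question surfaces with its description, and prepares the token request body. It goes beyond the answer by using a random state value instead of 12345 and adding a PKCE code challenge; the tenant ID, app ID, secret and redirect URI are placeholders you substitute.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# Application ID of the Azure DevOps resource (as in the answer); "/.default"
# requests the delegated permissions consented on the app registration.
ADO_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"


def new_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant_id, client_id, redirect_uri, state, code_challenge,
                        scope=ADO_SCOPE):
    """Build the v2.0 /authorize URL; urlencode() encodes the scope exactly once
    (the '/' becomes %2F) so no stray whitespace or double-encoding slips in."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the app: reject a state mismatch, raise
    the server's error (e.g. invalid_scope) as-is, otherwise return the code."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this session")
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri, code_verifier,
                       scope=ADO_SCOPE):
    """Form body for POST .../oauth2/v2.0/token (application/x-www-form-urlencoded);
    the scope must match the one sent to /authorize."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope, "code": code,
                      "redirect_uri": redirect_uri, "code_verifier": code_verifier})
```

Generate the state and PKCE pair per login attempt and keep them server-side until the callback has been checked; the asker's original scope string would be rejected by Entra ID at /authorize exactly as parse_callback reports it.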
