
AADSTS700023: The provided value for the input parameter scope 'openid profile' is not valid when requesting an access token. Please specify a valid scope. #135

Closed
mathlesp opened this issue Sep 27, 2017 · 2 comments

Comments

@mathlesp

mathlesp commented Sep 27, 2017

We are using MSAL for JS v0.1.1 2017-05-09 to secure our SPA application and its backend APIs. We are authenticating against Azure AD. We are using the implicit flow. We registered the application with the new portal (https://apps.dev.microsoft.com).

Because we only call our backend API and not the Microsoft Graph, we only pass the Client Id as the scopes for loginPopup, acquireTokenSilent and acquireTokenPopup. loginPopup and acquireTokenSilent are working well until our token expires and we need to call acquireTokenPopup.

When we call acquireTokenPopup, using only the Client Id as the scopes, we see the following error in the popup window: "AADSTS700023: The provided value for the input parameter scope 'openid profile' is not valid when requesting an access token. Please specify a valid scope."

The url that is generated by "authenticationRequest.createNavigateUrl" when calling loginPopup is as follows:
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id={clientId}&redirect_uri=[...]".

However, when calling acquireTokenPopup, "authenticationRequest.createNavigateUrl" will generate:
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize?response_type=token&scope=openid%20profile&client_id={clientId}&redirect_uri=[...]".

The problem is that "scope=openid%20profile" is not valid when "response_type=token".

Not sure if we are doing something wrong or if this is a bug in the MSAL for JS library.

To reproduce:

  • Go to https://apps.dev.microsoft.com and register an application with a Web platform;
  • Add "http://localhost:5000/index.html" as the redirect url of the Web platform;
  • Download sample app in attachment MSAL_acquireTokenPopup_Issue.zip;
  • Configure app by editing line 11 in index.html ("var client_id = "your_client_id_here";")
  • Launch the app without IIS Express (to be sure it is using port 5000, select "MSAL_acquireTokenPopup_Issue" in the launch dropdown);
  • Click "1. Login" and login;
  • Click "2. Get Token" and wait for token to be displayed;
  • Click "3. Force acquireTokenPopup on next "Get Token"" to clear session storage. This will force acquireTokenPopup to be called later;
  • Click "4. Get Token again". If you get an error, make sure popups are not blocked and try again;
  • In the popup window, select the account to login if asked;
  • View the "Sorry, but we’re having trouble signing you in." error. (AADSTS700023: The provided value for the input parameter scope 'openid profile' is not valid when requesting an access token. Please specify a valid scope.)

Could anyone confirm if this is a bug or if this is a misunderstanding on our part?

Thanks

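The two authorize URLs quoted in the report differ only in `response_type`, and the second one fails because an access-token request carries only the OpenID Connect scopes. The following is an added example, not code from MSAL.js or from the reporter's sample app: it models a `createNavigateUrl`-style builder that decides between an id_token and an access-token request, and a check that flags the AADSTS700023 combination locally before a popup is opened. Assumptions (mine, not the page's): passing only the app's own client ID as the scope means "sign in / renew the id_token" (mirroring the loginPopup URL above), any other scope list is an access-token request, `api://{clientId}/access_as_user` is a placeholder resource scope, and `state`/`nonce` are supplied by the caller.

```javascript
// Added example (not MSAL.js code): models the two /authorize URLs the issue
// shows and checks the scope/response_type pairing before a popup is opened.
// OpenID Connect scopes alone only ever yield an id_token; an access token
// (response_type=token) needs at least one resource scope, which is what
// AADSTS700023 complains about.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);
const AUTHORITY = "https://login.microsoftonline.com";

// True when an already-built URL matches the AADSTS700023 condition: an
// access-token request whose scope parameter holds nothing but OIDC scopes.
function wouldFailWithAADSTS700023(url) {
  const params = new URL(url).searchParams;
  if (params.get("response_type") !== "token") return false;
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  return scopes.length === 0 || scopes.every((s) => OIDC_SCOPES.has(s));
}

// Builds a v2.0 authorize URL for the implicit flow. Assumed convention,
// mirroring what the issue describes: a scope list consisting only of the
// app's own client_id means "sign in / renew the id_token"; anything else is
// a request for an access token to a resource.
function buildAuthorizeUrl({ tenantId, clientId, redirectUri, scopes, state, nonce }) {
  if (!state) throw new Error("state is required to bind the response to this request");
  const requested = scopes.map((s) => s.trim()).filter(Boolean);
  const idTokenRequest = requested.length === 1 && requested[0] === clientId;
  const responseType = idTokenRequest ? "id_token" : "token";
  const scope = idTokenRequest ? ["openid", "profile"] : requested;

  const query = {
    response_type: responseType,
    scope: scope.join(" "),
    client_id: clientId,
    redirect_uri: redirectUri,
    state, // CSRF protection: the app must compare it on the way back
  };
  if (idTokenRequest) {
    // The id_token is validated against this nonce; it has no meaning for an
    // access-token request, so it is only sent when an id_token is requested.
    if (!nonce) throw new Error("nonce is required for an id_token request");
    query.nonce = nonce;
  }

  const url =
    `${AUTHORITY}/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize?` +
    Object.entries(query)
      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
      .join("&");

  // Fail fast in the app instead of letting the user see "Sorry, but we're
  // having trouble signing you in." inside the popup.
  if (wouldFailWithAADSTS700023(url)) {
    throw new Error(`scope '${query.scope}' is not valid with response_type=token (AADSTS700023)`);
  }
  return url;
}
```

Run `wouldFailWithAADSTS700023` against the second URL in the report (`response_type=token&scope=openid%20profile`) and it returns true; the loginPopup URL returns false. The builder never produces that combination itself, because the OIDC-only scope set is attached exclusively to `response_type=id_token`.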
@rohitnarula7176
Contributor

@mathlesp There was a bug in the library related to the renewal of id_token. It is now fixed in dev branch. Can you please use the dev branch and see if it resolves your issue. We will be releasing a new version with this fix this week.

@mathlesp
Author

Yes, the issue is indeed fixed in the dev branch. Thanks
