
acquireTokenRedirect Fails with error AADSTS700023 (invalid openid and profile scopes) #333

Closed · PoyaManouchehri opened this issue Jun 20, 2018 · 3 comments
Labels: bug (A problem that needs to be fixed for the feature to function as intended.)

PoyaManouchehri commented Jun 20, 2018

Hello, I'm running into a problem that seems very much the same as #135. In short:

  1. We have an app registered in AAD. The oauth2AllowImplicitFlow setting in the manifest is set to true.
  2. We use the AppId as the "Audience" when configuring the bearer token middleware in our API.
  3. In the client (using MSAL.js) we first call .login with the scope set to AppId. This successfully gets us an id token.
  4. Subsequently, at a later point we call acquireTokenRedirect(), again passing the AppId as the only scope. This generates an authorize?response_type=token request; however, it requests the openid and profile scopes, which are apparently incompatible with the access token response type.
  5. We get this error on screen:
    AADSTS700023: The provided value for the input parameter scope 'openid profile' is not valid when requesting an access token. Please specify a valid scope.

Any help would be really appreciated. #135 seems to indicate there was a fix related to the issue at some point but I'm still seeing it in version 0.1.7.

Thanks

danieldobalian (Contributor) commented:

@PoyaManouchehri why do you want to get an access token? Are you trying to authorize the user to call an API on their behalf?

The scopes openid and profile do not map to any resource (they're used for pure sign in, a.k.a. OpenID Connect), so the token service doesn't know what audience to mint the access token for. If you need an access token for the Microsoft Graph, for example, you would add the scope User.Read.

This doc has more info.

PoyaManouchehri (Author) commented:

@danieldobalian thanks for your response. A couple of notes:

  1. I secure my own API (an ASP.NET Core-based API). My understanding of OAuth/OpenID is that I should be using access tokens for accessing an API rather than the ID token, which should be used in my client (in this case an Angular 5 SPA). I use the AddJwtBearer middleware in my backend and set the Audience to be my AppID.

  2. I understand that openid and profile are not resources, which is why it surprises me that the acquireTokenRedirect call is including them in the scopes, when I just specify the scope to be the AppID.
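
The following is an added illustration, not MSAL.js source or code from anyone in this thread, of the two authorize requests described in the original report (steps 3 and 4) and restated in the comment above. It uses a placeholder client id and models the observed behaviour (openid and profile appended to every request, including response_type=token) next to the corrected rule (those scopes only accompany an id_token request), plus a client-side pre-check that mirrors the AADSTS700023 condition quoted in the report.

```javascript
// Added illustration of the scope bug discussed in this issue; constructed
// values, not MSAL.js source. APP_ID is a placeholder client id.
const AUTHORIZE_ENDPOINT =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const APP_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
const OIDC_SCOPES = ["openid", "profile"];

// Behaviour the reporter observed: openid and profile are appended to every
// request, even when only an access token (response_type=token) is wanted.
// responseType is accepted but ignored, which is precisely the defect.
function buildScopeParamBuggy(responseType, requestedScopes) {
  return [...new Set([...requestedScopes, ...OIDC_SCOPES])].join(" ");
}

// Corrected behaviour: openid/profile describe the sign-in (id_token) and
// name no resource, so they are only sent when an id_token is requested.
function buildScopeParamFixed(responseType, requestedScopes) {
  const wantsIdToken = responseType.split(" ").includes("id_token");
  const scopes = wantsIdToken
    ? [...requestedScopes, ...OIDC_SCOPES]
    : requestedScopes.filter((s) => !OIDC_SCOPES.includes(s));
  return [...new Set(scopes)].join(" ");
}

// Client-side pre-check mirroring the AADSTS700023 rule from the error text:
// a pure access-token request may not carry openid or profile. Returns null
// when the combination is acceptable, otherwise a short reason string.
function checkScopesForResponseType(responseType, scopeParam) {
  const types = responseType.split(" ");
  const offending = scopeParam.split(" ").filter((s) => OIDC_SCOPES.includes(s));
  if (!types.includes("id_token") && offending.length > 0) {
    return `scope '${offending.join(" ")}' is not valid when requesting an access token`;
  }
  return null;
}

// Builds the full /authorize URL for a given response_type and scope string,
// so the resulting query can be inspected before the redirect happens.
function buildAuthorizeUrl(responseType, scopeParam, redirectUri) {
  const params = new URLSearchParams({
    client_id: APP_ID,
    response_type: responseType,
    redirect_uri: redirectUri,
    scope: scopeParam,
    nonce: "constructed-nonce", // placeholder; a real client uses a random nonce
  });
  return `${AUTHORIZE_ENDPOINT}?${params.toString()}`;
}
```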

@nehaagrawal nehaagrawal self-assigned this Jul 10, 2018
@rohitnarula7176 rohitnarula7176 added the bug A problem that needs to be fixed for the feature to function as intended. label Jul 13, 2018
rohitnarula7176 (Contributor) commented:

@PoyaManouchehri The issue is now fixed in the dev branch and will be part of our next release. Closing this issue for now. Please test with the dev branch and confirm if it is resolved for you.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 5, 2020