I am using OpenID Connect and I need to request the user's email. I have created an AAD app and enabled all possible scopes/permissions (just for testing).

However, whenever I request the scopes "openid email" and the user gives the consent, I always get an access_denied error. Could anyone shed some light on why this is happening?

My request:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=2c4a8f6b-0cde-4134-aaa5-dc6552704576
&scope=openid%20email
&response_type=code
&redirect_uri=https<myuri>
&state=<mystate>

When the user gives the consent, I get the following response with code 302:

https:<my callback uri>?code=<VALID code is here>

However, the redirect location is

https://<my uri>/callback?error=access_denied
dennis
  • Since you get the authorization code, which operation makes you get the "access_denied" response, and what is the error_description? – Nan Yu Apr 26 '17 at 07:14
  • @NanYu-MSFT I have debugged Microsoft.Owin.Security.MicrosoftAccount. When it makes a request to https://login.microsoftonline.com/common/oauth2/v2.0/token, I do not get back an access_token. So the code just crashes, and that calls back with a generic access_denied error without a description. I do get an id_token and a refresh_token (if offline_access is specified), but not an access_token... – dennis Apr 26 '17 at 15:58

1 Answer

This is a bug in Microsoft.Owin.Security.MicrosoftAccount, see here for more details: https://github.com/aspnet/AspNetKatana/issues/48
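As an added example (not code from the question, the answer, or the Katana project), the following Python sketch shows how a client can tell a genuine OAuth error response apart from a token response that carries an id_token but no access_token, which is the shape dennis describes in the comments and which the middleware collapsed into a generic access_denied. The demo id_token, refresh token and response bodies are constructed; only the client_id comes from the question.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS.

    This only parses. The RS256 signature must be verified against the
    tenant's published JWKS, and iss/aud/exp/nonce checked, before any
    claim is trusted; that step is outside this parser.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def classify_token_response(body: str, requested_scopes: str) -> dict:
    """Separate an OAuth error from a token response that merely lacks access_token."""
    resp = json.loads(body)
    if "error" in resp:  # RFC 6749 error response from the token endpoint
        return {"outcome": "oauth_error", "error": resp["error"],
                "error_description": resp.get("error_description")}
    email = None
    if "openid" in requested_scopes.split():
        if "id_token" not in resp:
            return {"outcome": "protocol_error", "detail": "openid requested but no id_token returned"}
        email = id_token_claims(resp["id_token"]).get("email")  # None if the account has no mail address
    outcome = "ok" if "access_token" in resp else "id_token_only"
    return {"outcome": outcome, "email": email, "has_refresh_token": "refresh_token" in resp}

def make_demo_id_token(claims: dict) -> str:
    """Constructed, unsigned demo token: the signature segment is a placeholder, not a real RS256 signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

# Constructed sample bodies mirroring the question: id_token and refresh_token, but no access_token.
DEMO_ID_TOKEN = make_demo_id_token({"iss": "https://login.microsoftonline.com/<tenant>/v2.0",
                                    "aud": "2c4a8f6b-0cde-4134-aaa5-dc6552704576",
                                    "email": "user@example.com"})
ID_TOKEN_ONLY = json.dumps({"token_type": "Bearer", "id_token": DEMO_ID_TOKEN,
                            "refresh_token": "constructed-refresh-token"})
ERROR_BODY = json.dumps({"error": "access_denied",
                         "error_description": "constructed: consent was not granted"})

if __name__ == "__main__":
    print(classify_token_response(ID_TOKEN_ONLY, "openid email offline_access"))
    print(classify_token_response(ERROR_BODY, "openid email"))
```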

dennis