
I'm trying to build a WebAPI and want to use a scope to limit permissions for other client applications. I created a scope "BuildingAccess" on the Expose an API blade, and added the other client application to the authorized list with that scope. However, when I use a client program to try and get the token with that scope I get the "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid." error.

    using Microsoft.Identity.Client;

    // Client-credentials (app-only) token request; this is the code that fails.
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create("removed")
        .WithTenantId("removed")
        .WithClientSecret(ClientSecret)
        .Build();

    List<string> scopes = new List<string>();
    scopes.Add(".default");
    scopes.Add("https://localhost:44371/BuildingAccess");

    AuthenticationResult result = null;
    try
    {
        result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("Token acquired \n");
        Console.ResetColor();
    }
    catch (MsalServiceException ex)
    when (ex.Message.Contains("AADSTS70011"))
    {
        // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
        // Mitigation: change the scope to be as expected
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("Scope provided is not supported");
        Console.ResetColor();
    }

The only format that seems to work is when the scope is set to https://localhost:44371/.default. All the other combinations below, where I add the BuildingAccess scope, fail with the error below for the different formats I've tried.

  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess https://localhost:44371/.default is not valid.
  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/.default api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess is not valid.
  • The scope .default BuildingAccess is not valid.
  • The scope BuildingAccess is not valid.
  • The scope api://333333-2222-1111-0000-aaaaaaaaaaaaa/BuildingAccess
  • The scope https://localhost:44371/BuildingAccess is not valid.

If I use the one that works, https://localhost:44371/.default, then my server side has an error because it fails with

Exception thrown: 'Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException' in Microsoft.IdentityModel.Tokens.dll

and I get an Unauthorized response on the client.

dxk3355
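The two failures in the question (AADSTS70011 on the client and SecurityTokenInvalidAudienceException on the API) come from two different checks, and the following added example (not code from the question or from MSAL) separates them. It assumes the App ID URI `https://localhost:44371` and the placeholder application ID `333333-2222-1111-0000-aaaaaaaaaaaaa` from the post, and it builds its own unsigned sample tokens so it can run offline; a real API must verify the token signature before looking at any claim. The general behaviour it models is standard Azure AD: the client-credentials grant accepts only a single `<resource>/.default` scope, application permissions arrive in the `roles` claim (not `scp`), and the `aud` claim must match what the API is configured to accept.

```python
import base64
import json
from typing import Dict, List, Set

# Constructed values for the example (taken from the question, not real identifiers).
API_APP_ID_URI = "https://localhost:44371"
API_CLIENT_ID = "333333-2222-1111-0000-aaaaaaaaaaaaa"


def client_credentials_scope(app_id_uri: str) -> str:
    """Return the only scope shape the client-credentials grant accepts: '<resource>/.default'.

    Named scopes such as 'BuildingAccess' are delegated permissions and cannot be
    requested in an app-only token call; '.default' asks for every application
    permission that has been admin-consented for the resource.
    """
    return app_id_uri.rstrip("/") + "/.default"


def check_scope_list(scopes: List[str]) -> List[str]:
    """Return the problems with a scope list destined for AcquireTokenForClient (empty if fine)."""
    problems = []
    if len(scopes) != 1:
        problems.append("client credentials flow takes exactly one scope: '<resource>/.default'")
    for s in scopes:
        if not s.endswith("/.default"):
            problems.append(f"'{s}' is not a '<resource>/.default' scope (this is what AADSTS70011 rejects)")
    return problems


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned sample token (constructed, offline only) so the checks below have input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."


def jwt_payload(token: str) -> Dict:
    """Decode the payload segment of a compact JWT. Signature verification is out of scope here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(payload: Dict, accepted: Set[str]) -> bool:
    """The check that raises SecurityTokenInvalidAudienceException when it fails on the API side."""
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted for a in auds)


def app_role_granted(payload: Dict, role: str) -> bool:
    """App-only tokens carry application permissions in 'roles'; 'scp' only appears in delegated tokens."""
    return role in payload.get("roles", [])


if __name__ == "__main__":
    print(check_scope_list([".default", "https://localhost:44371/BuildingAccess"]))
    token = make_sample_token({"aud": API_APP_ID_URI, "roles": ["BuildingAccess"]})
    payload = jwt_payload(token)
    # An API configured to accept only its client ID rejects a token whose aud is the App ID URI.
    print(audience_ok(payload, {API_CLIENT_ID, "api://" + API_CLIENT_ID}))
    print(audience_ok(payload, {API_APP_ID_URI}), app_role_granted(payload, "BuildingAccess"))
```

Running the scope check on the question's list reports three problems (two entries instead of one, and neither ends in `/.default`), which matches the client-side error. The audience check shows the second failure: a token requested for `https://localhost:44371/.default` carries that URI as `aud`, so an API that only accepts its client ID (or `api://<client-id>`) throws the audience exception even though the token itself is valid; the fix is to align the requested resource with the audience the API validates, and to look for `BuildingAccess` in `roles`, which is only populated once the application permission has been admin-consented.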

2 Answers


1. You should enter the scope in the correct format; make sure to use the following format: api://{Your-Application-ID}/your_scope_name.

2. Then you should grant permissions to the API and select the administrator to agree.

Carl Zhao
  • Well, for point 1, I've tried all the combinations without success, which was the bottom of my post. For 2, I wonder if my issue is that I cannot Grant admin consent for my organization. That seems to be a restricted privilege. I thought I got around it by adding the client application under "Authorized client applications" in my app registration and giving it the BuildingAccess scope when doing that. – dxk3355 Apr 23 '20 at 12:44
  • Okay, I confirmed the issue with another developer. The issue is that Admin Consent is a restricted permission and I need that in order for this to work. – dxk3355 Apr 23 '20 at 20:12

The issue is that I need to have Admin Consent for app-to-app permissions to work. This is a restricted action on the Azure tenant I'm on, so I couldn't do that.

dxk3355