Access token doesn't contain all the requested scopes

Question

I have an angular application and an DotNet core web api application. The web api exposes 2 permissions. The angular has susbscribed to those permissions (see screenshot).

In the code, I tried this

export const loginRequest: { scopes: string[] } = {
  //scopes: ['user.read', 'openid', 'profile'], //--> I commented out this line. 
  scopes: []
};

export const tokenRequest: { scopes: string[] } = {
  scopes: ['api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access',
           'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write']
};

consentScopes: [
  ...loginRequest.scopes,
  ...tokenRequest.scopes,
],

The access token contain the scopes I didn't ask for, but it is not returning what I asked.

How do I get the 2 scopes I've requested?

Thanks for helping

EDIT 1

Here's the configuration

auth: {
  clientId: '78803184-e866-4966-b372-d98b4feae898',
  authority: "https://login.microsoftonline.com/{tenantId}/",
  validateAuthority: true,
  redirectUri: "http://localhost:4200/",
  postLogoutRedirectUri: "http://localhost:4200/",
  navigateToLoginRequestUrl: true,
}

EDIT 2

This is are the requested scopes now. I've removed all the related graph, such as user.read, openid, and profile.

{
  popUp: !isIE,
  consentScopes: [
    "api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access",
    "api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write"
  ],
  unprotectedResources: ["https://localhost:5001"],
  protectedResourceMap,
  extraQueryParameters: {}
}

I'm still receive the same scopes, i.e. even after the client to the list of clients for the API.

However, I looked at the request being sent to AZURE AD. This is how it looks like. According to this request, I'm still requesting user.read, openid, and profile although I removed them from the list of requested scopes.

Request URL: https://login.microsoftonline.com/313200b5-a917-47d1-2233-149b07d5d7b5/oauth2/v2.0/authorize?
response_type=token&scope=user.read openid profile&client_id=78803184-e866-54e3-b200-d98b4feae898
&redirect_uri=http://localhost:4200/
&state=eyJpZCI6IjMwZDJkOGNkLTM2NWUtNGMwOS1iYWY1LTcyZWYyMTU0YWE5ZSIs
InRzIjoxNjExNTUwMDUxLCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
&nonce=6f25b4e0-71f7-4cde-abf4-cb5545d2507e
&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4
&login_hint=admin@myemail.com
&client-request-id=a68ef0b3-111b-4b1c-a3e7-cdcb075516ca
&prompt=none&response_mode=fragment

EDIT 3

I found this line of code

const GRAPH_ENDPOINT = 'https://graph.microsoft.com/v1.0/me';

getProfile() {
   this.http.get(GRAPH_ENDPOINT)
      .toPromise().then(profile => {
          this.profile = profile;
      });
 }

This is normal. What you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token. — Carl Zhao, Jan 22 '21 at 06:31

score 1 · Answer 1 · answered Jan 22 '21 at 09:47

1

Move comment to answer:

Like I said in the comments， what you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token.

The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens.

One sentence summary: You cannot make an access token contain API.Access API.Write User.Read scp claims at the same time, because these are the scope of two completely different APIs.

answered Jan 22 '21 at 09:47

Carl Zhao

8,543
2
11
19

That's not obvious from the tutorial. in my example, the audience value is `"aud": "00000003-0000-0000-c000-000000000000"`. and this is how I'm defining the authority `authority: "https://login.microsoftonline.com/{tenantId}/"`. See update – Richard77 Jan 22 '21 at 18:42
@Richard77 audience `"aud": "00000003-0000-0000-c000-000000000000"` is actually ms graph api. I noticed that you request two tokens at the same time in the code, but it will only return you the first token in order , the ms graph token. – Carl Zhao Jan 25 '21 at 01:59
@Richard77 View the resource id of Microsoft Graph api: https://www.shawntabrizi.com/aad/common-microsoft-resources-azure-active-directory/ – Carl Zhao Jan 25 '21 at 02:10
is this the reason the request is being made to the graph? `authority: "https://login.microsoftonline.com/{tenantId}/",`? Please, pay attention to the login request array. It's empty as I commented out the line that contains `['user.read', 'openid', 'profile']`. – Richard77 Jan 25 '21 at 02:12
@Richard77 No, it has nothing to do with your request url. It is related to your `scope`. – Carl Zhao Jan 25 '21 at 02:17
again, I've removed the line containing `['user.read', 'openid', 'profile']`. At the end, the only scopes that I'm requesting are `api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access` and `api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write`. Is that what you're referring to? – Richard77 Jan 25 '21 at 02:48
@Richard77 Yes, you should ensure that your token audience is: `"aud": "api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359"`. – Carl Zhao Jan 25 '21 at 03:06
@Richard77 You can refer to my previous answer: https://stackoverflow.com/questions/65800504/is-there-a-way-to-authorize-net-core-3-0-apis-with-jwt-and-also-azure-ad-tokens/65806927#65806927 – Carl Zhao Jan 25 '21 at 03:11
thank you for the link. I applied what you said there. However, I think the problem is still in my code. Please take a look at the latest edit. I provided the request being sent to Azure AD. According to it, I'm still requesting `['user.read', 'openid', 'profile']`. Why is that? – Richard77 Jan 25 '21 at 05:27
Please take a look at the last edit. Can I safely deduct that the reason for getting those unwanted scopes? `const GRAPH_ENDPOINT = 'https://graph.microsoft.com/v1.0/me';`? – Richard77 Jan 25 '21 at 05:36

Access token doesn't contain all the requested scopes

EDIT 1

EDIT 2

EDIT 3

1 Answers1

Linked