Microsoft Entra Verifiable Credentials Admin API - Issuing Client Credentials Issue

Question

I'm trying to connect to the Entra Verifiable Credentials Admin API based on the documentation found here: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/admin-api, however I can't seem to issue client credentials that are able to call the Admin API endpoints.

I'm creating an access token like so:

GET https://login.microsoftonline.com/<tenant_id>/oauth2/token?<query_params>

Query Params:
client_id=<client_id>
client_secret=<client_secret>
scope=6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access
grant_type=client_credentials

The scope in the above call was found here: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/admin-api Calling the endpoint https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities with the token returned from above returns the response:

"error": {
    "code": "token_validation.audience_invalid",
    "message": "The token does not contain the expected audience '0135fd85-3010-4e73-a038-12560d2b58a9,6a8b4b39-c021-437c-b060-5a14a3fd65f3'."
}

I also tried creating an access token using the MSAL library in .NET like this:

var app = ConfidentialClientApplicationBuilder.Create("<client_id>")
       .WithClientSecret("<client_secret>")
       .WithAuthority(new Uri("https://login.microsoftonline.com/<tenant_id>"))
       .Build();

var result = await app.AcquireTokenForClient(new string[] { "6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default"}).ExecuteAsync();

Console.WriteLine("Access Token: {0}", result.AccessToken);

The MSAL library throws an error if the scope doesn't end with /.default, so I switched what the Verifiable Credentials Admin API suggests to 6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default. Using the credentials output by the MSAL library to call the Admin API returns this error:

"error": {
    "code": "Unauthorized",
    "message": "Provided access token contains no wids.",
    "innererror": {
        "code": "token_validation.invalid_aad_access_token",
        "message": "Provided access token contains no wids."
    }
}

The Application Registration has the Verifiable Credentials Service Admin.full_access permission assigned and has been granted admin consent. I'm not sure what I'm doing wrong or what I need to change to get an access token that's able to call the Verifiable Credentials Admin API.

Answer 1

I tried to reproduce the same in my environment and got below results:

I have one Azure AD application and added API permissions as below:

Now I generated access token with same parameters as you like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/token

client_id:client_id
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access
grant_type:client_credentials

Response:

When I used the above token to call authorities, I'm getting same error as below:

GET https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities

Response:

Now, I used v2.0 token endpoint with /.default scope to generate the token like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:client_id
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default
grant_type:client_credentials

Response:

When I used this token to call authorities, I got same error as below:

Note that, Client credentials flow works with only Application type permissions.

If your granted permission is of Delegated type, you need to use interactive flow like Authorization code, etc.... to get token.

To resolve the error, I generated token using authorization code flow with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:client_id
grant_type:authorization_code
client_secret:client_secret
scope:6a8b4b39-c021-437c-b060-5a14a3fd65f3/.default
code:code
redirect_uri:https://jwt.ms

Response:

When I used this token to call authorities, I got response with Status: 200 OK as below:

As I don't have any authorities, I got value as blank. You can try the same in your environment by generating token using Authorization code flow.