
I have an Angular application and a .NET Core Web API application. The Web API exposes 2 permissions. The Angular app has subscribed to those permissions (see screenshot).

[screenshot: the API permissions granted to the Angular app]

In the code, I tried this

```typescript
export const loginRequest: { scopes: string[] } = {
  // scopes: ['user.read', 'openid', 'profile'], // --> I commented out this line.
  scopes: []
};

export const tokenRequest: { scopes: string[] } = {
  scopes: [
    'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access',
    'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write'
  ]
};

// ... in the MSAL Angular configuration:
consentScopes: [
  ...loginRequest.scopes,
  ...tokenRequest.scopes,
],
```

The access token contains scopes I didn't ask for, but not the ones I requested.

[screenshot: the decoded access token]

How do I get the 2 scopes I've requested?

Thanks for helping

EDIT 1

Here's the configuration

```typescript
auth: {
  clientId: '78803184-e866-4966-b372-d98b4feae898',
  authority: "https://login.microsoftonline.com/{tenantId}/",
  validateAuthority: true,
  redirectUri: "http://localhost:4200/",
  postLogoutRedirectUri: "http://localhost:4200/",
  navigateToLoginRequestUrl: true,
}
```

EDIT 2

These are the requested scopes now. I've removed all the Graph-related scopes, such as user.read, openid, and profile.

```typescript
{
  popUp: !isIE,
  consentScopes: [
    "api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access",
    "api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write"
  ],
  unprotectedResources: ["https://localhost:5001"],
  protectedResourceMap,
  extraQueryParameters: {}
}
```

I still receive the same scopes, i.e. even after adding the client to the list of clients for the API.

However, I looked at the request being sent to Azure AD. This is what it looks like. According to this request, I'm still requesting user.read, openid, and profile although I removed them from the list of requested scopes.

```
Request URL: https://login.microsoftonline.com/313200b5-a917-47d1-2233-149b07d5d7b5/oauth2/v2.0/authorize?
  response_type=token
  &scope=user.read openid profile
  &client_id=78803184-e866-54e3-b200-d98b4feae898
  &redirect_uri=http://localhost:4200/
  &state=eyJpZCI6IjMwZDJkOGNkLTM2NWUtNGMwOS1iYWY1LTcyZWYyMTU0YWE5ZSIsInRzIjoxNjExNTUwMDUxLCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
  &nonce=6f25b4e0-71f7-4cde-abf4-cb5545d2507e
  &client_info=1
  &x-client-SKU=MSAL.JS
  &x-client-Ver=1.4.4
  &[email protected]
  &client-request-id=a68ef0b3-111b-4b1c-a3e7-cdcb075516ca
  &prompt=none
  &response_mode=fragment
```

EDIT 3

I found this line of code

```typescript
const GRAPH_ENDPOINT = 'https://graph.microsoft.com/v1.0/me';

getProfile() {
  this.http.get(GRAPH_ENDPOINT)
    .toPromise()
    .then(profile => {
      this.profile = profile;
    });
}
```
  • This is normal. What you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token. Commented Jan 22, 2021 at 6:31

1 Answer

Move comment to answer:

Like I said in the comments, what you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token.

The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens.

One sentence summary: You cannot make an access token contain `API.Access`, `API.Write` and `User.Read` in its `scp` claim at the same time, because these are the scopes of two completely different APIs.
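The following is an added example, not code from the question or the answer. It illustrates the one-audience-per-token rule from two angles: splitting the mixed scope list from the question into one bucket per resource (each bucket needs its own MSAL `acquireToken` call), and checking a token's `aud` and `scp` claims before sending it to the custom API. The custom API's App ID URI is the one from the question, the Graph app id is the one quoted in the comments, and the two sample tokens are constructed, unsigned fixtures for decoding only; a real API must verify the signature, not just inspect the payload.

```javascript
// Added example (not from the question or answer). Node.js, no dependencies.
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000'; // Microsoft Graph's app id (the "aud" seen in the question)
const GRAPH_RESOURCE = 'https://graph.microsoft.com';
const CUSTOM_API = 'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359'; // the Web API's App ID URI from the question
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

// Split a mixed scope list into one bucket per resource. A v2.0 access token
// carries exactly one audience, so each bucket needs its own token request.
function groupScopesByResource(scopes) {
  const groups = new Map();
  for (const scope of scopes) {
    let resource;
    if (OIDC_SCOPES.has(scope)) {
      resource = '(oidc)'; // id-token scopes, not tied to a resource
    } else if (scope.includes('/')) {
      resource = scope.slice(0, scope.lastIndexOf('/')); // "api://<app-id>/API.Access" -> "api://<app-id>"
    } else {
      resource = GRAPH_RESOURCE; // bare names such as "user.read" default to Graph
    }
    if (!groups.has(resource)) groups.set(resource, []);
    groups.get(resource).push(scope);
  }
  return groups;
}

// Decode the payload of a compact JWT without verifying it. This is only for
// inspecting claims on the client; the API must still validate the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Check that a token was minted for the resource we are about to call and
// carries every scope that call needs. Reports the audience and missing scopes.
function checkTokenForResource(token, expectedAud, requiredScopes) {
  const claims = decodeJwtPayload(token);
  const granted = new Set((claims.scp || '').split(' ').filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  return { ok: claims.aud === expectedAud && missing.length === 0, aud: claims.aud, missing };
}

// Constructed sample tokens: header and payload are real base64url JSON, the
// signature segment is a placeholder, so nothing will accept these tokens.
function fakeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-omitted`;
}
// What the asker got: a Graph token, because Graph scopes were in the request.
const GRAPH_TOKEN = fakeToken({ aud: GRAPH_APP_ID, scp: 'User.Read openid profile' });
// What the custom API actually needs: a token whose audience is the API itself.
const API_TOKEN = fakeToken({ aud: CUSTOM_API, scp: 'API.Access API.Write' });

function demo() {
  const requested = ['user.read', 'openid', 'profile',
    `${CUSTOM_API}/API.Access`, `${CUSTOM_API}/API.Write`];
  const groups = groupScopesByResource(requested);
  const required = ['API.Access', 'API.Write'];
  return {
    resources: [...groups.keys()], // three buckets: Graph, (oidc), the custom API
    graphCheck: checkTokenForResource(GRAPH_TOKEN, CUSTOM_API, required), // ok: false
    apiCheck: checkTokenForResource(API_TOKEN, CUSTOM_API, required),     // ok: true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `graphCheck` result is the situation in the question: the audience is Graph's app id and both API scopes are missing, so the custom API would reject that token. Requesting the custom API's scopes in their own `acquireTokenSilent` call yields the second shape.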

Comments

  • That's not obvious from the tutorial. In my example, the audience value is "aud": "00000003-0000-0000-c000-000000000000", and this is how I'm defining the authority: authority: "https://login.microsoftonline.com/{tenantId}/". See update.
  • @Richard77 audience "aud": "00000003-0000-0000-c000-000000000000" is actually the MS Graph API. I noticed that you request two tokens at the same time in the code, but it will only return you the first token in order, the MS Graph token.
  • @Richard77 View the resource id of Microsoft Graph API: shawntabrizi.com/aad/…
  • Is this the reason the request is being made to Graph? authority: "https://login.microsoftonline.com/{tenantId}/"? Please pay attention to the login request array. It's empty, as I commented out the line that contains ['user.read', 'openid', 'profile'].
  • @Richard77 No, it has nothing to do with your request URL. It is related to your scope.
