microsoft/auth-callback Scope Warning for v2.0

  • Django Microsoft Authentication Backend version: 2.0.0
  • Python version: 3.7.3
  • Operating System: Win 10 Pro
  • Browser and version you are testing in: Chrome v73.0.3683.103
  • What browser plugins do you have installed that may interfere with cookies or Javascript:

Description

Configured backend to authenticate to my single-tenant API on AAD, and upon reaching microsoft/auth-callback, receive long Scope warning in a popup:

Scope has changed from “profile openid email” to “DeviceManagementManagedDevices.PrivilegedOperations.All Calendars.ReadWrite.Shared User.Read.All Sites.FullControl.All MailboxSettings.ReadWrite EAS.AccessAsUser.All Policy.Read.All AccessReview.ReadWrite.All EduRoster.ReadWrite ProgramControl.ReadWrite.All Subscription.Read.All Files.ReadWrite.All Directory.ReadWrite.All DeviceManagementApps.ReadWrite.All Directory.Read.All Contacts.Read DeviceManagementManagedDevices.ReadWrite.All Mail.ReadWrite.Shared PrivilegedAccess.ReadWrite.AzureResources MailboxSettings.Read Calendars.ReadWrite Mail.ReadWrite Bookings.Manage.All identityriskyuser.read.all Policy.ReadWrite.ConditionalAccess Notes.Read DeviceManagementConfiguration.Read.All User.ReadWrite Agreement.Read.All Files.Read.All EduRoster.Read Files.ReadWrite.AppFolder Reports.Read.All Device.Read Tasks.Read Contacts.Read.Shared Notes.ReadWrite.All EduAssignments.Read Notes.Read.All IdentityProvider.Read.All AppCatalog.ReadWrite.All Calendars.Read.Shared EduAdministration.ReadWrite User.Read AccessReview.Read.All AuditLog.Read.All Bookings.Read.All BookingsAppointment.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All EduAdministration.Read ProgramControl.Read.All Financials.ReadWrite.All User.Invite.All openid Device.Command Contacts.ReadWrite.Shared Directory.AccessAsUser.All People.Read People.Read.All Mail.Send EduRoster.ReadBasic DeviceManagementServiceConfig.ReadWrite.All Files.ReadWrite.Selected Notes.ReadWrite EduAssignments.ReadWriteBasic PrivilegedAccess.ReadWrite.AzureAD User.Export.All Tasks.ReadWrite.Shared DeviceManagementRBAC.ReadWrite.All Notes.Create Tasks.Read.Shared DeviceManagementRBAC.Read.All Sites.Read.All Agreement.ReadWrite.All SecurityEvents.Read.All profile Mail.Send.Shared Mail.Read.Shared User.ReadWrite.All Notes.ReadWrite.CreatedByApp AgreementAcceptance.Read.All Calendars.Read DeviceManagementApps.Read.All Files.Read Sites.ReadWrite.All DeviceManagementServiceConfig.Read.All 
Group.Read.All Bookings.ReadWrite.All Sites.Manage.All Member.Read.Hidden User.ReadBasic.All email EduAssignments.ReadWrite Files.Read.Selected Files.ReadWrite UserTimelineActivity.Write.CreatedByApp IdentityProvider.ReadWrite.All AgreementAcceptance.Read Tasks.ReadWrite Mail.Read Contacts.ReadWrite EduAssignments.ReadBasic Group.ReadWrite.All Notifications.ReadWrite.CreatedByApp IdentityRiskEvent.Read.All DeviceManagementManagedDevices.Read.All SecurityEvents.ReadWrite.All UserActivity.ReadWrite.CreatedByApp”.

What I Did

Followed Usage guide on setting up dependencies for AAD auth. In addition to adding MICROSOFT_AUTH_CLIENT_ID and MICROSOFT_AUTH_CLIENT_SECRET, I added MICROSOFT_AUTH_TENANT_ID to settings.py.

python manage.py runserver

also added environment variable

$env:OAUTHLIB_RELAX_TOKEN_SCOPE=$TRUE

on account of similar Scope warning issues.

Before receiving this warning, I’m pretty confident that my configuration is correct because I received several Microsoft errors leading up to this. I got the “this client ID is not a multi-tenant app” error, as well as the “not a callback URI” error. After configuring my SITE_ID to use localhost, I finally got past the Microsoft errors and arrived at this warning.

Traceback:


Request Method: POST
Request URL: http://localhost:8000/microsoft/auth-callback/
Django Version: 2.2
Exception Type: Warning
Exception Value:

Scope has changed from "email profile openid" to "People.Read Directory.AccessAsUser.All User.ReadBasic.All EduRoster.ReadBasic PrivilegedAccess.ReadWrite.AzureAD Tasks.ReadWrite DeviceManagementServiceConfig.ReadWrite.All User.Read Contacts.Read AccessReview.Read.All Calendars.ReadWrite Sites.FullControl.All Files.ReadWrite.All IdentityRiskEvent.Read.All AppCatalog.ReadWrite.All AgreementAcceptance.Read Tasks.ReadWrite.Shared DeviceManagementManagedDevices.Read.All BookingsAppointment.ReadWrite.All Tasks.Read.Shared Group.ReadWrite.All Notes.Create DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementRBAC.ReadWrite.All IdentityProvider.ReadWrite.All DeviceManagementApps.Read.All Bookings.Manage.All AuditLog.Read.All EduAssignments.ReadWrite Notes.ReadWrite Mail.Send email Files.Read Notes.ReadWrite.CreatedByApp DeviceManagementConfiguration.ReadWrite.All Files.ReadWrite.Selected EduAssignments.Read Notes.Read.All Files.ReadWrite Mail.Send.Shared Policy.Read.All Directory.ReadWrite.All Files.ReadWrite.AppFolder EduRoster.ReadWrite Mail.Read.Shared EduAssignments.ReadBasic DeviceManagementManagedDevices.ReadWrite.All Calendars.Read.Shared ProgramControl.ReadWrite.All Contacts.ReadWrite.Shared Mail.ReadWrite People.Read.All profile EduAdministration.Read Member.Read.Hidden Group.Read.All Subscription.Read.All Contacts.ReadWrite EduAssignments.ReadWriteBasic ProgramControl.Read.All identityriskyuser.read.all Files.Read.Selected DeviceManagementConfiguration.Read.All DeviceManagementServiceConfig.Read.All Calendars.ReadWrite.Shared User.Export.All Financials.ReadWrite.All Reports.Read.All Notes.Read Device.Command Mail.Read SecurityEvents.Read.All Calendars.Read Sites.Read.All PrivilegedAccess.ReadWrite.AzureResources IdentityProvider.Read.All Agreement.Read.All SecurityEvents.ReadWrite.All Notifications.ReadWrite.CreatedByApp Mail.ReadWrite.Shared User.ReadWrite Files.Read.All Sites.Manage.All Bookings.Read.All Policy.ReadWrite.ConditionalAccess 
Sites.ReadWrite.All EduRoster.Read UserActivity.ReadWrite.CreatedByApp openid EduAdministration.ReadWrite AccessReview.ReadWrite.All UserTimelineActivity.Write.CreatedByApp User.Read.All User.ReadWrite.All AgreementAcceptance.Read.All Notes.ReadWrite.All DeviceManagementRBAC.Read.All Agreement.ReadWrite.All DeviceManagementApps.ReadWrite.All MailboxSettings.Read User.Invite.All Contacts.Read.Shared Directory.Read.All EAS.AccessAsUser.All Bookings.ReadWrite.All MailboxSettings.ReadWrite Device.Read Tasks.Read".


Python Version: 3.7.3

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

2 reactions
francesco-clementi commented, Feb 20, 2020

@lassogames I have the same problem. Could you please tell me how did you manage to fix it?

1 reaction
paulhjyoon commented, Oct 6, 2021

For others who come across this problem as I did. I was able to fix it by setting the environment variable: OAUTHLIB_RELAX_TOKEN_SCOPE=True
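
Setting OAUTHLIB_RELAX_TOKEN_SCOPE makes oauthlib accept a token whose scope differs from the one requested, so nothing in the application looks at which scopes the token actually carries. As an added example (not code from the thread or from django_microsoft_auth), the code below compares the requested and granted scope strings and reports unrequested scopes; `audit_scopes`, `accept_token` and the `allowed_extra` allow-list are hypothetical names, and the granted string is a constructed subset of the scopes listed in the warning.

```python
# Added example (not from the thread): audit granted scopes instead of
# only silencing the scope-change warning.

REQUESTED = "profile openid email"  # requested scope, as quoted in the warning
# Constructed sample: a short subset of the scope names listed in the warning.
SAMPLE_GRANTED = "openid profile email User.Read Mail.Send Directory.ReadWrite.All"


def parse_scope(value):
    """Scope strings are space-delimited and unordered (RFC 6749, section 3.3)."""
    return set(value.split())


def audit_scopes(requested, granted, allowed_extra=()):
    """Compare requested and granted scopes (hypothetical helper).

    allowed_extra is an assumed, site-specific allow-list of scopes the
    application accepts even though it did not ask for them.
    """
    req, got = parse_scope(requested), parse_scope(granted)
    extra = got - req
    return {
        "changed": req != got,
        "missing": sorted(req - got),
        "extra": sorted(extra),
        "unapproved": sorted(extra - set(allowed_extra)),
        # Heuristic: Microsoft Graph permission names ending in ".All"
        # cover every resource of that type in the directory.
        "broad": sorted(s for s in extra if s.endswith(".All")),
    }


def accept_token(requested, granted, allowed_extra=()):
    """Accept only if nothing requested is missing and every extra is approved."""
    report = audit_scopes(requested, granted, allowed_extra)
    return not report["missing"] and not report["unapproved"]


if __name__ == "__main__":
    for key, value in audit_scopes(REQUESTED, SAMPLE_GRANTED, {"User.Read"}).items():
        print(f"{key}: {value}")
```

A reordering such as “profile openid email” versus “email profile openid” is not reported as a change, because the comparison is on sets.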
