
[Bug] ExtraScopesToConsent is not working as expected for accounts outside of the home tenant


Which version of MSAL are you using? MSAL 4.1.0

Platform: .NET Core console app; possibly also present on Android.

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Is this a new or existing app? This is a new app or experiment.

Repro:
  1. Register two applications in the Azure portal: Client and Server.
  2. In Client, add http://localhost as a redirect URI for the public client (to enable the .NET Core OS browser).
  3. In Server, expose an API with a scope of the form api://server_application_id/user_impersonation.

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Public client; on .NET Core the default redirect URI is http://localhost (system browser).
var pca = PublicClientApplicationBuilder.Create("<client application id>")
    .WithDefaultRedirectUri()
    .Build();

// Sign in interactively for the Graph scopes, asking for consent to the server API scope in the same prompt.
await pca.AcquireTokenInteractive(new[] { "User.Read", "Files.Read" })
    .WithExtraScopesToConsent(new[] { "api://<server application id>/user_impersonation" })
    .WithSystemWebViewOptions(new SystemWebViewOptions { OpenBrowserAsync = SystemWebViewOptions.OpenWithEdgeBrowserAsync })
    .ExecuteAsync();

var accounts = await pca.GetAccountsAsync();
var account = accounts.FirstOrDefault();

// Both silent calls rely on the consent granted during the interactive sign-in above.
// Each resource (Graph, the server API) needs its own token request.
await pca.AcquireTokenSilent(new[] { "User.Read", "Files.Read" }, account).ExecuteAsync();
await pca.AcquireTokenSilent(new[] { "api://<server application id>/user_impersonation" }, account).ExecuteAsync();

Expected behavior: Both AcquireTokenSilent calls succeed.

Actual behavior: On the second silent call, i.e. when trying to acquire a token for the server application, it throws an error: AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope. Trace ID: a356c4c1-c5bc-4318-be7c-a806cdda1f01 Correlation ID: 8def64e5-98ab-4037-a223-6bf17cb7acab.

Possible solution: If the server API scope is passed directly to AcquireTokenInteractive instead of via ExtraScopesToConsent, it works correctly. It should always work, though, I'm assuming.
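The silent-then-interactive fallback below is an added example written for this page; it is not code from the issue author or from the MSAL.NET project. It keeps the two-resource setup from the repro and, when the cached consent does not cover the API scope (the AADSTS70000 case reported above), retries that resource directly in AcquireTokenInteractive, which is the workaround the author found. It also reports whether the token was issued by a tenant other than the account's home tenant, since the title concerns accounts outside the home tenant. Assumptions: the application id placeholders are yours to fill in; the failed silent call surfaces as MsalUiRequiredException (MSAL.NET's usual mapping for invalid_grant responses from the token endpoint); and the default system browser is used rather than the Edge option from the repro.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TwoResourceTokenFlow
{
    // Placeholders (assumed): replace with your own Client and Server app registrations.
    const string ClientId = "<client application id>";
    static readonly string[] GraphScopes = { "User.Read", "Files.Read" };
    static readonly string[] ApiScopes = { "api://<server application id>/user_impersonation" };

    public static async Task Main()
    {
        var pca = PublicClientApplicationBuilder.Create(ClientId)
            .WithDefaultRedirectUri()   // http://localhost on .NET Core, system browser
            .Build();

        // One interactive sign-in for the Graph scopes, asking for consent to the API scope at the same time.
        var first = await pca.AcquireTokenInteractive(GraphScopes)
            .WithExtraScopesToConsent(ApiScopes)
            .ExecuteAsync();
        var account = first.Account;

        // Each resource is a separate token request: one MSAL call cannot mix scopes of two resources.
        var graph = await AcquireForResourceAsync(pca, GraphScopes, account);
        var api = await AcquireForResourceAsync(pca, ApiScopes, account);

        Report("Graph", graph);
        Report("API", api);
    }

    // Silent first; if the cached consent does not cover this resource, ask for this
    // resource's scopes directly, bound to the same account so no account picker appears.
    static async Task<AuthenticationResult> AcquireForResourceAsync(
        IPublicClientApplication pca, IEnumerable<string> scopes, IAccount account)
    {
        try
        {
            return await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // AADSTS70000 arrives as invalid_grant, which MSAL.NET maps to MsalUiRequiredException (assumed).
            Console.Error.WriteLine($"Silent call failed ({ex.ErrorCode}): {ex.Message}");
            return await pca.AcquireTokenInteractive(scopes)
                .WithAccount(account)
                .ExecuteAsync();
        }
    }

    // True when the token was issued by a tenant other than the account's home tenant,
    // i.e. the signed-in user is a guest in the tenant that issued the token.
    public static bool IsGuestInTokenTenant(AuthenticationResult result) =>
        !string.Equals(result.TenantId,
                       result.Account?.HomeAccountId?.TenantId,
                       StringComparison.OrdinalIgnoreCase);

    static void Report(string label, AuthenticationResult result)
    {
        Console.WriteLine(
            $"{label}: tenant={result.TenantId} guest={IsGuestInTokenTenant(result)} " +
            $"scopes={string.Join(' ', result.Scopes)}");
    }
}
```

Run it once as a guest of the Server tenant and once as a home-tenant user; the guest value printed by Report tells you which case you are reproducing, and the Console.Error line shows whether the fallback was needed for the API scope only, for both resources, or for neither.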

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
jmprieur commented, Jul 19, 2019

Thanks for the update @ashikns. My recommendation for the moment is to use the Web API for the scope. I'll check with the service people what we can do.

0 reactions
bgavrilMS commented, Dec 22, 2021

This has been fixed by AAD.
