Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

grant 70000 when trying to login as user

See original GitHub issue

Library

msal@1.x.x or @azure/msal@1.x.x
@azure/msal-browser@2.x.x
@azure/msal-node@1.x.x
@azure/msal-react@1.x.x
@azure/msal-angular@0.x.x
@azure/msal-angular@1.x.x
@azure/msal-angular@2.x.x
@azure/msal-angularjs@1.x.x

Framework

Angular
React
Other

Description

I’m trying to sign in as an Outlook user and have my backend do the OAuth handshake to store the access token and refresh token for future uses. My use case is that signed-in users allow our service to send emails on their behalf.

Error Message

stack:"ServerError: invalid_grant: 70000 - [2021-03-25 15:11:26Z]: AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope. T

MSAL Configuration

Frontend:
window.open(`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${clientId}&response_mode=query&response_type=code&redirect_uri=${redirectUri}&scope=Mail.Send%20Mail.Read%20offline_access`, "Popup","toolbar=no, location=no, statusbar=no, menubar=no, scrollbars=1, resizable=0, width=580, height=600, top=30")}>
                        Login with MS
                        </a>
Backend:
const config = {
    auth: {
        clientId: process.env.MICROSOFT_CLIENT_ID,
        authority: process.env.MICROSOFT_REDIRECT_URL,
        clientSecret: process.env.MICROSOFT_CLIENT_SECRET
    },
    system: {
        loggerOptions: {
            loggerCallback(loglevel, message, containsPii) {
                console.log(message);
            },
            piiLoggingEnabled: false,
            logLevel: msal.LogLevel.Verbose,
        }
    }
};

const cca = new msal.ConfidentialClientApplication(config);

  const redirectUri = `${process.env.BASE_URL}/api/users/callback/microsoft`
  const tokenRequest = {
    code: req.query.code,
    scopes: ["Mail.Send", "Mail.Read", "offline_access"],
    redirectUri: redirectUri,
  };
  
  cca.acquireTokenByCode(tokenRequest).then((response) => {
      console.log("\nResponse: \n:", response);
      res.send("<script>window.close();</script> ")
  }).catch((error) => {
      console.log(error);
      res.send("<script>window.close();</script> ")
  });

Reproduction steps

Run the frontend code with the backend as the redirect URI.
Authorize as user
Backend will be triggered with the access code.
Call cca.acquireTokenByCode with the same Scopes and with the received access code.

Expected behavior

Access token and Refresh token are generated and sent

Identity Provider

Azure AD
Azure B2C Basic Policy
Azure B2C Custom Policy
ADFS
Other

Browsers/Environment

Chrome
Firefox
Edge
Safari
IE
Other (Please add browser name here)

Regression

Did this behavior work before? No Version: “@azure/ms-rest-azure-js”: “^2.0.1”, “@azure/msal-node”: “^1.0.0”,

Security

Is this issue security related? No

Source

Internal (Microsoft)
Customer request

Issue Analytics

State:
Created 2 years ago
Comments:7 (5 by maintainers)

Top GitHub Comments

2reactions

hpsincommented, Mar 26, 2021

The problem is that you’re not requesting openid and profile. Your msal code on the backend is silently adding it to the requested scopes, causing the front end and backend to be misaligned in what is requested. Add openid and profile to the front-end and it should work.

0reactions

hectormmgcommented, Apr 28, 2021

Closing due to inactivity. Please let us know if you still have this issue.