OneDrive personal account unable to acquire offline_access scope
I am trying to acquire an offline access/refresh token pair on my web API server using the on-behalf-of flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
I am acquiring the id token for the assertion on the client side and sending it to the server. My flow works correctly for a OneDrive for Business account, but for personal OneDrive I get an error trying to get an access token.
const endpoint = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
// Form body of the on-behalf-of token request. CreateJWT() is the app's own
// helper that builds the signed client assertion (not shown); the incoming
// user token is sent in the OBO flow's `assertion` parameter, omitted here.
const body = {
  client_id: config.msgraph.clientId,
  client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
  scope: ['Files.Read.All', 'Files.ReadWrite.All', 'User.Read', 'offline_access'].join(' '),
  grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
  requested_token_use: 'on_behalf_of',
  client_assertion: CreateJWT()
};
{
"error": "invalid_grant",
"error_description": "AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope.\\r\\nTrace ID: 38a5157b-23ee-4112-8833-18036d524a00\\r\\nCorrelation ID: 85e47fe8-8c8a-45ae-83c6-94d785af1ff8\\r\\nTimestamp: 2021-02-28 23:29:51Z",
"error_codes": [70000],
"timestamp": "2021-02-28 23:29:51Z",
"trace_id": "38a5157b-23ee-4112-8833-18036d524a00",
"correlation_id": "85e47fe8-8c8a-45ae-83c6-94d785af1ff8",
"error_uri": "https://login.microsoftonline.com/error?code=70000",
"suberror": "consent_required"
}
Is offline_access supported for OneDrive Personal? I haven’t found anything documented to suggest otherwise.
Library
- [x] msal@1.x.x or @azure/msal@1.x.x
Issue Analytics
- Created 3 years ago
- Comments: 13 (4 by maintainers)
Top GitHub Comments
I tracked down the issue: within the OneDrive picker there is code that is prepending
https://graph.microsoft.com/
to any scope passed, but https://graph.microsoft.com/offline_access is an invalid scope. I notice that the picker automatically passes profile, openid. It would be nice if this were to also pass offline_access or not prepend graph.microsoft.com
case c.default.AADv2: t = (i = "profile openid https://graph.microsoft.com/User.Read " + (r = e).scopes.map(function(e) { return "https://graph.microsoft.com/" + e }).join(" "),
Just some more related information.
I manually modified the OneDrive.js file and added
offline_access
beside profile openid
and everything worked as expected. One other odd behavior I notice with this library is I can't just use my scopes that I use for MSAL:
['profile', 'openid', 'offline_access', 'Files.Read.All', 'Files.ReadWrite.All', 'People.Read', 'Contacts.Read', 'User.ReadBasic.All']
The library is expecting to append
All
to Files.Read and Files.ReadWrite, so I have to actually pass 'Files.Read', 'Files.ReadWrite' instead:
scopes: msal.scopes.map(scope => scope === 'Files.Read.All' || scope === 'Files.ReadWrite.All' ? scope.replace('.All', '') : scope)
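The two comments above pin the failure on scope construction: the picker resource-qualifies every scope with https://graph.microsoft.com/, which is wrong for the OpenID Connect reserved scopes (openid, profile, email, offline_access) that the identity platform handles itself, and it also expects Files.Read/Files.ReadWrite without the .All suffix. The following is an added example, not code from the OneDrive picker, MSAL or the issue author, showing how a scope list should be turned into a v2.0 scope string so that offline_access is never prefixed, plus a pre-flight check that flags any reserved scope that did get a resource prefix. The function names, the `refreshable` option and the sample scope lists are this example's own assumptions.

```javascript
// Added example (not the picker's or MSAL's code): correct v2.0 scope-string
// construction and a check for the exact misconfiguration in this thread.

const GRAPH_RESOURCE = 'https://graph.microsoft.com/';

// OpenID Connect scopes consumed by the Microsoft identity platform itself.
// They are never resource-qualified: "https://graph.microsoft.com/offline_access"
// is not a valid scope and yields AADSTS70000 / consent_required.
const RESERVED_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

// Mirror of the picker's expectation described above: it appends ".All"
// itself, so callers hand it "Files.Read" rather than "Files.Read.All".
function toPickerScopes(msalScopes) {
  return msalScopes.map((s) =>
    s === 'Files.Read.All' || s === 'Files.ReadWrite.All' ? s.replace('.All', '') : s
  );
}

// Build the scope string the way the corrected picker should: reserved OIDC
// scopes stay bare, Graph permission scopes get the resource prefix, already
// qualified scopes pass through, and offline_access is requested only when a
// refresh token is actually wanted (hypothetical `refreshable` option).
function buildScopeString(scopes, { refreshable = true } = {}) {
  const wanted = ['openid', 'profile', ...(refreshable ? ['offline_access'] : []), ...scopes];
  const seen = new Set();
  const out = [];
  for (const raw of wanted) {
    const s = raw.trim();
    if (!s) continue;
    const qualified = RESERVED_SCOPES.has(s) || s.startsWith('https://') ? s : GRAPH_RESOURCE + s;
    if (!seen.has(qualified)) {
      seen.add(qualified);
      out.push(qualified);
    }
  }
  return out.join(' ');
}

// Pre-flight check for any scope string about to be sent to the token
// endpoint: returns the reserved scopes that were wrongly resource-qualified,
// so the bad request can be rejected before a consent_required round trip.
function findPrefixedReservedScopes(scopeString) {
  return scopeString.split(/\s+/).filter((s) => {
    const idx = s.lastIndexOf('/');
    return idx !== -1 && RESERVED_SCOPES.has(s.slice(idx + 1));
  });
}

// Constructed sample input: the MSAL scope list from the thread, trimmed.
const sampleMsalScopes = ['profile', 'openid', 'offline_access', 'Files.Read.All', 'Files.ReadWrite.All', 'User.Read'];
const fixed = buildScopeString(toPickerScopes(sampleMsalScopes));
console.log('corrected scope string:', fixed);
console.log('problems in corrected string:', findPrefixedReservedScopes(fixed));
// Constructed reproduction of the picker's original (buggy) output.
const buggy = 'profile openid https://graph.microsoft.com/User.Read https://graph.microsoft.com/offline_access';
console.log('problems in buggy string:', findPrefixedReservedScopes(buggy));
```

The check is worth running on the client-side sign-in request as well as on the server: the OBO request in the issue fails with consent_required because offline_access was never granted during the user's initial sign-in, so the server can only receive a refresh token if the client requested (and the user consented to) the bare offline_access scope.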