Hi all,
following this tutorial I was able to configure the end user authentication.
However, if I put in the "Scopes" field scopes related to more than one resource (e.g. MS Graph and a custom API), the authentication fails.
Is this a supported scenario (and I'm doing something wrong), or is it not?
Thanks,
Alessandro.
Hi Galasso,
Thank you for your ask. Generating one token for multiple audiences is not supported by AAD today. The MS Graph API and the custom API are supposed to have different tokens. AAD today only takes the first set of scopes and generates a token for that while ignoring the other sets. We are working with our dependent team to generate multiple tokens for different audiences so you can use them separately. So, in a word, we cannot do this today but are planning to support this feature in the future.
Thanks
Bo
Hi Renato,
just tried to use this scope:
https://graph.microsoft.com/User.Read,https://AAAAA.onmicrosoft.com/BBBBB/XXXXX
but receiving following error:
{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_resource&error_description=AADSTS500011%3a+The+resource+principal+named+https%3a%2f%2fgraph.microsoft.com%2fUser.Read%2chttps%3a%2f%2fAAAAA.onmicrosoft.com%2fBBBBB+was+not+found+in+the+tenant+named+CCCCCC.+This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.+You+might+have+sent+your+authentication+request+to+the+wrong+tenant.%0d%0aTrace+ID%3a+DDDDD%0aCorrelation+ID%3a+EEEEEE%0aTimestamp%3a+2020-09-02+13%3a35%3a07Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d500011&state=c6a54ed44b2745c98b28e37944fdca2d" } }
Scope List delimiter is set to ","
So, it seems that it is expecting the blank space.
Even if I use only MS Graph scopes separated by commas, it does not work:
{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+8e2ca637-0189-48ff-a2e4-88bd4dfa1900%0d%0aCorrelation+ID%3a+3accac6f-34c7-4ec7-b582-66158a41b275%0d%0aTimestamp%3a+2020-09-02+13%3a27%3a05Z&state=78cb4033e0a8450f8b6dd47f5d093e54" } }
or
{ "error": { "code": "ServiceError", "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+785ad923-7ee6-4db0-89d1-7246b9fb1b00%0d%0aCorrelation+ID%3a+e89bc6d3-4d82-40f7-bb5d-f609e7b6f584%0d%0aTimestamp%3a+2020-09-02+13%3a46%3a43Z&state=58ac2028a2414121a4365b6a282f45e4" } }
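The two AADSTS errors above are the protocol-level view of what Bo's answer describes: Azure AD's v2.0 endpoint issues an access token for one resource (audience) per request, and it splits the scope parameter on spaces, so a comma-joined list is read as a single scope name that no resource defines (AADSTS650053), and a list that names two resources is not resolvable to one resource principal (AADSTS500011). The Python helper below is added here as an illustration; it is not code from this thread or from Power Virtual Agents, and the tenant, client id and resource URIs are placeholders. It parses a scope list, groups the scopes by resource, refuses a mixed-resource list, and builds one authorization request per resource, which is the separate-tokens approach the answer points at (it applies to a token flow you control, not to the single Scopes field in the product).

```python
"""Added example: split a requested scope list into one Azure AD v2.0
authorization request per resource. Tenant, client id, redirect URI and the
custom API resource are placeholder values, not real identifiers."""
from urllib.parse import urlencode

# OpenID Connect scopes carry no resource and may accompany any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Assumption: the v2.0 endpoint treats a short scope name such as "User.Read"
# as a Microsoft Graph scope, so that is the default resource used here.
DEFAULT_RESOURCE = "https://graph.microsoft.com"


def parse_scopes(scope_string: str, delimiter: str = " ") -> list[str]:
    """Split a scope parameter the way the token endpoint does (on spaces).

    Passing delimiter="," reproduces a comma-delimited list; passing the
    comma-joined string with the default delimiter shows that the endpoint
    sees one scope name containing commas, which is the AADSTS650053 case.
    """
    return [s for s in scope_string.split(delimiter) if s]


def resource_of(scope: str) -> str:
    """Return the resource (audience) a fully qualified scope belongs to.

    'https://graph.microsoft.com/User.Read'          -> 'https://graph.microsoft.com'
    'https://AAAAA.onmicrosoft.com/BBBBB/XXXXX'      -> 'https://AAAAA.onmicrosoft.com/BBBBB'
    'User.Read' (no scheme)                          -> DEFAULT_RESOURCE
    """
    if "://" not in scope:
        return DEFAULT_RESOURCE
    return scope.rsplit("/", 1)[0]


def split_by_resource(scopes: list[str]) -> dict[str, list[str]]:
    """Group scopes by resource; OIDC scopes are appended to every group."""
    common = [s for s in scopes if s in OIDC_SCOPES]
    groups: dict[str, list[str]] = {}
    for s in scopes:
        if s in OIDC_SCOPES:
            continue
        groups.setdefault(resource_of(s), []).append(s)
    return {res: res_scopes + common for res, res_scopes in groups.items()}


def require_single_audience(scopes: list[str]) -> str:
    """Validate that one request targets exactly one resource.

    Raises ValueError for a mixed list, the AADSTS500011 case, instead of
    letting the directory reject it at sign-in time.
    """
    resources = {resource_of(s) for s in scopes if s not in OIDC_SCOPES}
    if len(resources) > 1:
        raise ValueError(f"scopes span {len(resources)} resources: {sorted(resources)}")
    return resources.pop() if resources else DEFAULT_RESOURCE


def authorize_urls(tenant: str, client_id: str, redirect_uri: str,
                   scope_string: str, delimiter: str = " ") -> list[str]:
    """Build one v2.0 authorization URL per resource in the scope list.

    Each URL yields its own authorization code and therefore its own access
    token with a single audience; the caller stores one token per resource.
    """
    urls = []
    for res_scopes in split_by_resource(parse_scopes(scope_string, delimiter)).values():
        require_single_audience(res_scopes)  # sanity check on each group
        params = {
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "scope": " ".join(res_scopes),  # space-delimited, as AAD expects
        }
        urls.append(
            f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params)
        )
    return urls


if __name__ == "__main__":
    # Constructed input: the mixed Graph + custom API list from the thread.
    requested = "User.Read Mail.Send https://AAAAA.onmicrosoft.com/BBBBB/XXXXX offline_access"
    for url in authorize_urls("CCCCCC", "00000000-0000-0000-0000-000000000000",
                              "https://token.botframework.com/.auth/web/redirect", requested):
        print(url)
```

Using this, a bot or custom connector runs the authorization flow once per resource and keeps the resulting tokens apart; if a caller still hands the endpoint a comma-joined string, `parse_scopes` returns it as one element, which is the same single bogus scope name Azure AD complained about.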