Galasso
Frequent Visitor

Scopes for more than one resource

Hi all,

Following this tutorial, I was able to configure end-user authentication.

However, if I put scopes related to more than one resource (e.g. MS Graph and a custom API) in the "Scopes" field, the authentication fails.

Is this a supported scenario (and I'm doing something wrong), or is it not?

Thanks,

Alessandro.


renatoromao
Super User

Hi @Galasso ,

Did you use a space to separate the Scopes?

If yes, try using a comma.


Renato Romão

Hi Renato,

I just tried to use this scope:

https://graph.microsoft.com/User.Read,https://AAAAA.onmicrosoft.com/BBBBB/XXXXX

but I'm receiving the following error:

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_resource&error_description=AADSTS500011%3a+The+resource+principal+named+https%3a%2f%2fgraph.microsoft.com%2fUser.Read%2chttps%3a%2f%2fAAAAA.onmicrosoft.com%2fBBBBB+was+not+found+in+the+tenant+named+CCCCCC.+This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.+You+might+have+sent+your+authentication+request+to+the+wrong+tenant.%0d%0aTrace+ID%3a+DDDDD%0aCorrelation+ID%3a+EEEEEE%0aTimestamp%3a+2020-09-02+13%3a35%3a07Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d500011&state=c6a54ed44b2745c98b28e37944fdca2d"
  }
}

The Scope List delimiter is set to ",".

So, it seems that it is expecting the blank space.

Even if I use only MS Graph scopes separated by commas, it does not work:

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+8e2ca637-0189-48ff-a2e4-88bd4dfa1900%0d%0aCorrelation+ID%3a+3accac6f-34c7-4ec7-b582-66158a41b275%0d%0aTimestamp%3a+2020-09-02+13%3a27%3a05Z&state=78cb4033e0a8450f8b6dd47f5d093e54"
  }
}

or

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+785ad923-7ee6-4db0-89d1-7246b9fb1b00%0d%0aCorrelation+ID%3a+e89bc6d3-4d82-40f7-bb5d-f609e7b6f584%0d%0aTimestamp%3a+2020-09-02+13%3a46%3a43Z&state=58ac2028a2414121a4365b6a282f45e4"
  }
}

Hi Galasso,

Thank you for your ask. Generating one token for multiple audiences is not supported by AAD today. The MS Graph API and a custom API should have different tokens. AAD today only takes the first set of scopes and generates a token for that, while ignoring the other sets. We are working with our dependent team to generate multiple tokens for different audiences so you can use them separately. So, in a word, we cannot do this today but are planning to support this feature in the future.

Thanks

Bo
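As an added illustration of Bo's answer and of the AADSTS500011 error above (this is example code written for this page, not code from the thread, the Bot Framework or Azure AD), the script below groups the scopes entered in the Scopes field by the resource they belong to, so each audience can be requested as its own token, and decodes the AADSTS code and IDs out of the redirect URL in the error. It assumes the v2.0 endpoint rule that a scope with no resource prefix belongs to Microsoft Graph and that a scope's audience is the scope string up to its last slash; the sample values are constructed from the thread.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumption (v2.0 endpoint behaviour): a scope with no resource prefix is a Graph scope.
GRAPH_RESOURCE = "https://graph.microsoft.com"


def audience_of(scope):
    """Resource (token audience) of a scope: the scope string up to its last '/'."""
    return scope.rsplit("/", 1)[0] if "/" in scope else GRAPH_RESOURCE


def group_scopes_by_audience(scope_field, delimiter=" "):
    """Split the Scopes field on `delimiter` and bucket the scopes by audience.

    One token carries one audience, so each bucket is a separate authorization
    request; more than one bucket means the field cannot be served by one token.
    """
    groups = {}
    for scope in (s.strip() for s in scope_field.split(delimiter)):
        if scope:
            groups.setdefault(audience_of(scope), []).append(scope)
    return groups


def parse_aad_redirect_error(redirect_url):
    """Extract the AADSTS code, message and IDs from the redirect URL in the error."""
    query = parse_qs(urlparse(redirect_url).query)
    description = query.get("error_description", [""])[0]
    first_line = description.splitlines()[0] if description else ""
    code = re.match(r"(AADSTS\d+):\s*(.*)", first_line)
    ids = dict(re.findall(r"(Trace ID|Correlation ID):\s*(\S+)", description))
    return {
        "error": query.get("error", [""])[0],
        "code": code.group(1) if code else None,
        "message": code.group(2) if code else description,
        "trace_id": ids.get("Trace ID"),
        "correlation_id": ids.get("Correlation ID"),
    }


if __name__ == "__main__":
    # Constructed from the Scopes value posted in the thread.
    field = "https://graph.microsoft.com/User.Read,https://AAAAA.onmicrosoft.com/BBBBB/XXXXX"
    # Comma delimiter: two audiences, so two separate token requests are needed.
    print(group_scopes_by_audience(field, ","))
    # Space delimiter on a comma-joined value: one bogus "scope" whose audience is
    # exactly the comma-joined resource principal AAD reported in AADSTS500011.
    print(group_scopes_by_audience(field, " "))
```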

Galasso
Frequent Visitor

Hi @BoLi,

thanks for your answer.

Alessandro.
