cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Galasso
Frequent Visitor

Scopes for more than one resource

‎09-01-2020 06:30 AM

Hi all,

following this tutorial I was able to configure the end user authentication.

However if I put in the "Scopes" field scopes related to more than one resources (e.g. MS Graph and custom API), the authentication will fail.

Is this a supported scenario (and I'm doing something wrong) or it is not?

 

Thanks,

Alessandro.

Message 1 of 5
1,173 Views
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
BoLi
PVA
PVA
In response to Galasso

‎09-14-2020 01:27 PM

Hi Galasso,

Thank you for your ask. Generate one token for multiple audiences are not supported by AAD today. MSGrapi api and custom api suppose should have different tokens. AAD today only take the first set of scopes and generate token for that while ignore the other sets. We are working with out dependent team to generate multiple tokens for different audience so you can use them seperately. So, in a word, we cannot do this today but are planning to support this feature in future. 

 

Thanks

Bo

View solution in original post

Message 4 of 5
1,019 Views
4 REPLIES 4
renatoromao
Super User
Super User

‎09-02-2020 06:21 AM

Hi @Galasso ,

 

Did you use the space to separate the Scopes?

If yes, try to use a comma.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.760 students) : English | Português
Message 2 of 5
1,092 Views
0 Kudos
Galasso
Frequent Visitor
In response to renatoromao

‎09-02-2020 06:47 AM

Hi Renato,

just tried to use this scope:

https://graph.microsoft.com/User.Read,https://AAAAA.onmicrosoft.com/BBBBB/XXXXX

 

but receiving following error:

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_resource&error_description=AADSTS500011%3a+The+resource+principal+named+https%3a%2f%2fgraph.microsoft.com%2fUser.Read%2chttps%3a%2f%2fAAAAA.onmicrosoft.com%2fBBBBB+was+not+found+in+the+tenant+named+CCCCCC.+This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.+You+might+have+sent+your+authentication+request+to+the+wrong+tenant.%0d%0aTrace+ID%3a+DDDDD%0aCorrelation+ID%3a+EEEEEE%0aTimestamp%3a+2020-09-02+13%3a35%3a07Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d500011&state=c6a54ed44b2745c98b28e37944fdca2d"
  }
}

Scope List delimiter is set to ","

So, it seems that it is expecting the blank space.

Even if I use only MS Graph scopes separated by comma, it does not work:

 

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+8e2ca637-0189-48ff-a2e4-88bd4dfa1900%0d%0aCorrelation+ID%3a+3accac6f-34c7-4ec7-b582-66158a41b275%0d%0aTimestamp%3a+2020-09-02+13%3a27%3a05Z&state=78cb4033e0a8450f8b6dd47f5d093e54"
  }
}

or

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27SNSBot%27+asked+for+scope+%27Mail.Send%2cNotes.ReadWrite%2cTasks.ReadWrite%2cUser.Read%2cUser.ReadBasic.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+785ad923-7ee6-4db0-89d1-7246b9fb1b00%0d%0aCorrelation+ID%3a+e89bc6d3-4d82-40f7-bb5d-f609e7b6f584%0d%0aTimestamp%3a+2020-09-02+13%3a46%3a43Z&state=58ac2028a2414121a4365b6a282f45e4"
  }
}

 

Message 3 of 5
1,088 Views
0 Kudos
BoLi
PVA
PVA
In response to Galasso

‎09-14-2020 01:27 PM

Hi Galasso,

Thank you for your ask. Generate one token for multiple audiences are not supported by AAD today. MSGrapi api and custom api suppose should have different tokens. AAD today only take the first set of scopes and generate token for that while ignore the other sets. We are working with out dependent team to generate multiple tokens for different audience so you can use them seperately. So, in a word, we cannot do this today but are planning to support this feature in future. 

 

Thanks

Bo

Message 4 of 5
1,020 Views
Galasso
Frequent Visitor
In response to BoLi

‎09-14-2020 11:22 PM

Hi @BoLi 

thanks for your answer.

 

Alessandro.

Message 5 of 5
1,010 Views
0 Kudos

Helpful resources

Announcements
Power Virtual Agents News & Announcements

Power Virtual Agents News & Announcements

Keep up to date with current events and community announcements in the Power Virtual Agents community.

Community Calls Conversations

Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Power Virtual Agents Community Blog

Power Virtual Agents Community Blog

Check out the latest Community Blog from the community!

View All
Top Solution Authors
View All
Users online (3,625)