Scope "allsites.write" doesn't exist on the resource
I'm trying to set up programmatic access to a corporate Sharepoint Online site from a desktop app. My org has an Office 365 subscription.
I've set up a registered app in the Azure portal, granted the AllSites.Write permission:
Now, I'm trying to navigate to the following URL in a browser control:
URL = "https://login.microsoftonline.com/" + Tenant + "/oauth2/v2.0/authorize?" +
"client_id=" & ClientID +
"&response_type=code" +
"&redirect_uri=foo%3A%2F%2Fback" +
"&response_mode=query" +
"&scope=user.read%20allsites.write"
As soon as I do that, there's no UI, I immediately get a callback with the following error message:
AADSTS650053: The application 'MyApp' asked for scope 'allsites.write' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
The scope is right there. What am I missing?
The same logon flow worked with a slightly different scope (Sites.ReadWrite.All), but then I found out that the Graph API didn't expose SharePoint list item attachments and decided to fall back to the legacy SharePoint REST API. Changed the scopes on the portal, changed the scopes in the logon URL, got the error.
The stale logon session couldn't get in the way, could it? Normally, when scopes change, the OAuth UI pops the permissions window, doesn't it?
Got past this error, but now Sharepoint Online doesn't accept my token, says "Invalid issuer or signature". For the record, when I provide the scope https://microsoft.sharepoint-df.com/AllSites.Write or https://{mytenant}.sharepoint.com/AllSites.Write, the logon flow works.
UPDATE: accepts now. For that, I had to use the older version of the OAuth endpoints: https://login.microsoftonline.com/{tenant}/oauth2/authorize for initiation of the logon flow, and https://login.windows.net/{tenant}/oauth2/token?api-version=1.0 to exchange the code for the token. The latter takes the resource parameter, which is to be https://{tenant}.sharepoint.com.
The endpoint at https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, which is specified all over the Graph docs, doesn't take the resource parameter, which seems to be essential here (or maybe it's called something else).
- Cognito: User Pool Client OAuth Scope Limitation
- Yahoo! Fantasy API Maximum Count?
- GitLab OAuth access token validity
- Where to store the refresh token on the Client?
- Twitter request token invalid on iOS
- Implementing OAuth 1.0 in an iOS
- How to create oAuth in Instagram?
- Swift (Xcode) REST API Connection using OAuth 1
- MapMyFitness API OAuth questions
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- OAuth SignIn Cordova Firebase
- Get user info via Google API
- Unable to fetch userinfo using access_token from auth0
- Laravel Passport Password Grant - Client authentication failed
- Implement OAuth 2.0 authorization against a 3rd party service for a mobile app
- Issue with OAuth authentication for the new Basecamp Api using OAConsumer
- Request had invalid authentication credentials. Expected OAuth 2 access token error in cloud speech API
- Freshdesk Oauth SSO: CORS Error on Accessing Freshdesk Redirect URI?
- How to use Google Login API with Cordova/Phonegap
- How do I use org.scribe.oauth to connect to the tumblr API?
- How to make a oauth2 authentication within a spring boot shell application
- Use OAuth for the Goodreads API
- Securely storing an access token
- Issues authenticating ASP.NET Core via Oracle Oauth when site is behid WAF/Gateway
- Next.js with Clerk Auth - how to detect if a user just signed up?
- How to change Google consent screen email?
- Firebase: This domain is not authorized
- How to get the GitLab userid in a Python app that uses GitLab as an Oauth provider?
- Upload Video to Vimeo in Objective-C on iPhone
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?