Tags: azure, jwt, flask-jwt-extended

AADSTS500011: inserting scope in Azure authentication returns error


I am currently trying to verify an access token generated using msal python.

I created my ConfidentialClientApplication like this:

from msal import ConfidentialClientApplication, SerializableTokenCache

cache = SerializableTokenCache()  # token cache handed to the app below

app = ConfidentialClientApplication(
    "<client_id>",  # client id of the calling application
    authority="https://login.microsoftonline.com/<tenant_iD>",
    client_credential="<client_secret>",
    token_cache=cache)

Then I try to create my access token like this:

# client credentials flow: scopes must be the resource's /.default scope
result = app.acquire_token_for_client(scopes=["<scope>/.default"])

The scope has been exposed in the Azure portal under "Expose an API" for the resource and has been added by the client under "API permissions".

If I do not include the scope name, tokens are generated just fine.

However, I looked at other examples and I noticed some people use their scope together with the scope name,

e.g. api://<application_uri>/USER.READ as opposed to just the application URI like api://<application_uri>

When I use api://<application_uri>/USER.READ in the scope, I get this error instead:

{'error': 'invalid_resource', 'error_description': 'AADSTS500011: The resource principal named api://<application_uri>/USER.READWRITE was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 64697571-81b1-4d6c-bd61-fa69c7c97700\r\nCorrelation ID: 3bbc9c0f-39d1-4ca3-b15e-918a10391924\r\nTimestamp: 2023-05-02 07:30:44Z', 'error_codes': [500011], 'timestamp': '2023-05-02 07:30:44Z', 'trace_id': '64697571-81b1-4d6c-bd61-fa69c7c97700', 'correlation_id': '3bbc9c0f-39d1-4ca3-b15e-918a10391924', 'error_uri': 'https://login.microsoftonline.com/error?code=500011'}
cache <msal.token_cache.SerializableTokenCache object at 0x000001946C97FFD0>

I have been trying to look for answers for weeks now; can anyone help?


Solution

  • Note that the Client Credentials flow requires Application API permissions. Delegated API permissions are passed when using a user-interactive flow such as the Authorization Code flow.

    When using the Client Credentials flow you have to make use of /.default, or, when using the v1 endpoint, use api://ClientID.

    The error AADSTS500011 usually occurs if you are passing an invalid resource like below:

    resource: api://ClientID/user.read

    [screenshot]

    I created an Azure AD application and added API permissions like below:

    [screenshot]

    When Expose an API is done and a scope is added, it is taken as a delegated API permission.

    Now, I generated an access token using the below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/token

    client_id:ClientID
    client_secret:ClientSecret
    resource:api://ID
    grant_type:client_credentials

    [screenshot]

    When I decoded the token, the aud is api://xxx but the scope isn't displayed, as a delegated API permission has been passed in the Client Credentials flow:

    [screenshot]

    Hence, to resolve the issue, create App roles like below:

    [screenshot]

    Add the App role in the API permissions blade like below:

    [screenshot]

    I generated the access token in Postman via the Client Credentials flow:

    resource: api://ClientID

    [screenshot]

    When I decoded the token, the app role is displayed successfully like below:

    [screenshot]

    https://login.microsoftonline.com/TenantID/oauth2/token
    
    client_id:ClientID
    grant_type:authorization_code
    scope:api://xxx/User.Read
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    

    [screenshot]

    When I decoded the token, the delegated scope is displayed successfully like below:

    [screenshot]

    Reference:

    MSAL Python 1.22.0 documentation (msal-python.readthedocs.io)
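The check an API behind this question (a Flask app, going by the tags) needs once it receives such a token, written as an added example that is not part of the question or the answer above: a stdlib-only Python module that decodes a token's claims and authorizes it differently depending on whether it came from the Client Credentials flow (app roles in the `roles` claim, obtained with an `api://<app-id-uri>/.default` scope) or from a user flow such as Authorization Code (delegated scopes in the `scp` claim). The tenant ID, client ID, app role name and the two sample tokens are constructed; the sample tokens are unsigned so the example runs offline, and RS256 signature verification against the tenant's JWKS is assumed to have happened before these checks run (not shown).

```python
"""Authorize an Azure AD access token by claim type: app-only (roles) vs delegated (scp).

Added example, not from the question or the answer. Stdlib only. Signature
verification (RS256 against the tenant's JWKS, e.g. with PyJWT) is assumed to have
been done before authorize() is called; it is NOT performed here.
"""
import base64
import json
import time

# Constructed identifiers; substitute the real tenant ID, the API's client ID and the
# Application ID URI shown under "Expose an API".
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
API_APP_ID_URI = f"api://{API_CLIENT_ID}"
ACCEPTED_AUD = {API_CLIENT_ID, API_APP_ID_URI}      # aud differs by token version/config
ACCEPTED_ISS = {
    f"https://sts.windows.net/{TENANT_ID}/",                # v1 tokens (oauth2/token)
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",  # v2 tokens (oauth2/v2.0/token)
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT so the module runs offline.
    A real verifier must reject alg "none"; this is only sample input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def payload_of(token: str) -> dict:
    """Return the claims (second segment) of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims: dict, required_scope: str, required_role: str, now=None):
    """Return (allowed, reason) for a caller needing either the delegated scope
    `required_scope` (user token) or the app role `required_role` (app-only token)."""
    now = time.time() if now is None else now
    if claims.get("aud") not in ACCEPTED_AUD:
        return False, f"aud {claims.get('aud')!r} is not this API"
    if claims.get("iss") not in ACCEPTED_ISS or claims.get("tid") != TENANT_ID:
        return False, "token not issued for the expected tenant"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    if "scp" in claims:
        # Delegated token (authorization code flow): scp is a space-separated scope list.
        if required_scope in claims["scp"].split():
            return True, "delegated scope granted"
        return False, f"delegated token lacks scope {required_scope}"
    # No scp: client-credentials token. Only app roles can appear here; a delegated
    # scope requested with /.default never shows up (the point of the answer above).
    if required_role in claims.get("roles", []):
        return True, "app role granted"
    return False, f"app-only token lacks app role {required_role}"


# Constructed sample claims for the two flows.
NOW = 1_700_000_000
APP_ONLY_CLAIMS = {
    "aud": API_APP_ID_URI, "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "tid": TENANT_ID, "appid": "client-app-id", "nbf": NOW - 60, "exp": NOW + 3600,
    "roles": ["Orders.Read.All"],          # app role from the App roles blade
}
DELEGATED_CLAIMS = {
    "aud": API_APP_ID_URI, "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID, "name": "Sample User", "nbf": NOW - 60, "exp": NOW + 3600,
    "scp": "User.Read",                    # delegated scope from Expose an API
}

if __name__ == "__main__":
    for label, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        token = make_sample_token(claims)
        print(label, authorize(payload_of(token), "User.Read", "Orders.Read.All", now=NOW))
```

The branch order matters: an API that only ever checks `scp` silently rejects every client-credentials token, which is the symptom the question describes on the acquiring side; checking `roles` when `scp` is absent is what makes the app-role fix in the answer actually usable.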