AADSTS500011 , inserting scope in azure authentication returns error
I am currently trying to verify an access token generated using msal python.
I created my ConfidentialClientApplication like this
app = ConfidentialClientApplication(
"<client_id>", #client id
authority="https://login.microsoftonline.com/<tenant_iD>",
client_credential="<client_secret>",
token_cache=cache)
Then i try to create my access token like this
result = app.acquire_token_for_client(scopes=["<scope>/.default"])
The scope has been exposed on azure portal under "Expose an API" for the resource and has been added by the client under the "API permissions".
if i do not include the scope name , Tokens are generated just fine.
However, I looked at other examples and i notice some people use their scope together with the scope name
eg : api://<application_uri>/USER.READ as opposed to just the application uri like api://<application_uri>
When i use api://<application_uri>/USER.READ in the scope, i get this error instead
{'error': 'invalid_resource', 'error_description': 'AADSTS500011: The resource principal named api://<application_uri>/USER.READWRITE was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 64697571-81b1-4d6c-bd61-fa69c7c97700\r\nCorrelation ID: 3bbc9c0f-39d1-4ca3-b15e-918a10391924\r\nTimestamp: 2023-05-02 07:30:44Z', 'error_codes': [500011], 'timestamp': '2023-05-02 07:30:44Z', 'trace_id': '64697571-81b1-4d6c-bd61-fa69c7c97700', 'correlation_id': '3bbc9c0f-39d1-4ca3-b15e-918a10391924', 'error_uri': 'https://login.microsoftonline.com/error?code=500011'}
cache <msal.token_cache.SerializableTokenCache object at 0x000001946C97FFD0>
I have been trying to look for answers for weeks now, anyone can help?
Note that: Client Credentials flow requires Application API permissions. Delegated API permissions are passed while using user interactive flow such as Authorization Code flow etc.
While using Client Credentials flow you have to make use of /.default or when using v1 endpoint use api://ClientID.
The error AADSTS500011 usually occurs if you are passing invalid resource like below:
resource: api://ClientID/user.read
I created an Azure AD Application and added API permissions like below:
When expose an API is done and added scope it is taken as delegated API permission.
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
client_secret:ClientSecret
resource:api://ID
grant_type:client_credentials
When I decoded the token, the aud is api://xxx but scope isn't displayed as delegated API permission been passed in Client Credential flow:
Hence, to resolve the issue create App roles like below:
Add the App role to the API permissions blade like below:
I generated the access token in Postman via Client Credential flow:
resource: api://ClientID
When I decoded the token, the app role is successfully displayed like below:
- I generated access token using Authorization code flow like below:
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
grant_type:authorization_code
scope:api://xxx/User.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
When I decoded the token, the delegated scope displayed successfully like below:
Reference:
MSAL Python 1.22.0 documentation (msal-python.readthedocs.io)
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?