We have implemented Microsoft Azure OAuth2 on our web app, and we are trying to address common errors that users have when using that OAuth method.
The error "OAuth2::Error, invalid_grant: AADSTS65001: No permission to access user information is configured for '...' application, or it is expired or revoked." resembles about 82% of our errors with the Azure OAuth flow.
Here's our configuration:
    # ==> Office 365 OAuth2
    config.omniauth :azure_oauth2,
      client_id: '...',
      client_secret: '...',
      tenant_id: '...',
      resource: 'https://outlook.office365.com/',
      # Runs before the request phase; lets the 'state' query parameter
      # adjust the strategy's options for this particular request.
      setup: lambda { |env|
        params = Rack::Utils.parse_query(env['QUERY_STRING'])
        options = env['omniauth.strategy'].options
        case params['state']
        when 'calendar'
          # Force the Azure login page instead of reusing the browser session.
          options[:prompt] = 'login'
        when 'select_account'
          options[:prompt] = 'login'
        end
      }
We know that this error can be caused by using a non-Office 365 account. Since our resource is 'https://outlook.office365.com/', and because our app needs to be able to interact with your calendar, the user must authenticate with an Office 365 account. Some other account, like a Microsoft Live account, will cause this error.
QUESTIONS

1. What else might cause this error?
2. Is there a way to limit the Azure OAuth flow to only allow true Office 365 logins?
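An added example in Ruby, not part of the question or of omniauth-azure-oauth2: one helper extracts the AADSTS code from OAuth2::Error messages so failures can be counted per code (the way the 82% figure above groups them), and one restricts accepted logins to the configured tenant_id by comparing it to the id_token's tid claim, which is one defender-side way to narrow what question 2 asks for. The tenant id, sample failure messages and sample token are constructed values; the tid claim is read without signature checking and must only be applied to a token the OAuth library has already validated.

```ruby
require 'json'
require 'base64'

# Constructed placeholder standing in for the tenant_id from the omniauth config.
EXPECTED_TENANT_ID = '00000000-0000-0000-0000-000000000001'

# Extracts the AADSTS error code (e.g. "AADSTS65001") from an OAuth2::Error
# message so failures can be grouped and counted instead of logged as free text.
# Returns nil when the message carries no AADSTS code.
def aadsts_code(message)
  m = message.to_s.match(/\b(AADSTS\d+)\b/)
  m && m[1]
end

# Counts failures per AADSTS code; messages without a code fall under "other".
def failure_breakdown(messages)
  messages.each_with_object(Hash.new(0)) do |msg, counts|
    counts[aadsts_code(msg) || 'other'] += 1
  end
end

# Reads the claims of an id_token WITHOUT checking its signature. Call it only
# on a token the OAuth library has already validated; it reads claims, it does
# not verify them.
def id_token_claims(id_token)
  payload = id_token.split('.')[1]
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# Tenant restriction: accept the login only when the token's tid claim equals
# the tenant the app is registered in. Tokens from any other tenant, or with no
# tid at all, are rejected.
def allowed_tenant?(claims, expected_tenant_id = EXPECTED_TENANT_ID)
  tid = claims['tid']
  !tid.nil? && !expected_tenant_id.to_s.empty? && tid == expected_tenant_id
end

# Builds an unsigned token purely as constructed sample input for the helpers
# above; real id_tokens are signed by Azure AD and validated by the library.
def build_sample_token(claims)
  header = Base64.urlsafe_encode64({ alg: 'none', typ: 'JWT' }.to_json, padding: false)
  body = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{body}."
end

if __FILE__ == $PROGRAM_NAME
  # Constructed failure messages in the shape quoted in the question.
  puts failure_breakdown(['OAuth2::Error, invalid_grant: AADSTS65001: No permission',
                          'OAuth2::Error, invalid_request: missing code']).inspect
  puts allowed_tenant?(id_token_claims(build_sample_token('tid' => EXPECTED_TENANT_ID)))
end
```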