7
votes

I'm working on a native application that will allow users to connect to and manage their Azure Subscriptions. For this I have created an application in my Azure AD with the following delegated permissions:

  • Sign in and read user profile.
  • Access Azure Service Management as organization users.

Using this application's id, I am able to connect to my Azure Subscriptions in Azure General regions. No issues there.

Now I want to do the same in Azure Sovereign regions (Azure China and US Gov to be specific). So I repeated the same steps and created an application in each of the regions with the same permissions. In both of these places I am the application owner.

When I try to get the authorization code using the application in the Azure China region, everything works really well. I'm able to get the authorization code and use that code to get an access token and a refresh token. This is the URL I used:

https://login.chinacloudapi.cn/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.chinacloudapi.cn%2F&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&response_type=code+id_token&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_mode=fragment&nonce=1549417823964&state=12345

However when I do the same for Azure US Gov, I am getting the following error back:

AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Resource value from request: https://management.core.usgovcloudapi.net/. Resource app ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. List of valid resources from app registration: 797f4846-ba00-4fd7-ba43-dac1f8f63013, 00000002-0000-0000-c000-000000000000. Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Timestamp: 2019-02-06 02:19:50Z

Here's the request URL I am using:

https://login-us.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fmanagement.core.usgovcloudapi.net%2F&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&response_type=code+id_token&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_mode=fragment&nonce=1549419561905&state=12345

As you can see, I am using https://management.core.usgovcloudapi.net/ as the resource. This is based on the Azure Government developer guide. I even tried with https://management.usgovcloudapi.net/ but I get the same result.

Moreover I noticed a few things:

  1. If I use Microsoft's client id (1950a258-227b-4e31-a9cf-717495945fc2) instead of my application's id and https://management.core.usgovcloudapi.net/ as resource, everything works well.
  2. If I use my application's id and https://management.core.windows.net/ as resource instead of https://management.core.usgovcloudapi.net/, I get the consent prompt (which I was not getting otherwise) so I think that is also working fine.

Can anyone tell me what I am doing wrong?
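The following is an added example, not code from the question or from Microsoft, showing the per-cloud authorization request the question describes in a form that can be checked offline. It builds the authorize URL from a cloud table (authority hosts and resource identifiers as given in the question; the global authority host is the standard login.microsoftonline.com), generates an unguessable state and nonce instead of the fixed state=12345 and timestamp nonce used above, validates the fragment that comes back against the stored state, and parses an AADSTS650057 message so the requested resource can be compared with the resource app IDs the registration actually lists. The client_id and the sample redirect values are placeholders.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Cloud-specific endpoints. Authority and resource values are the ones shown in
# the question; the global authority host is the well-known public one.
CLOUDS = {
    "global": {"authority": "https://login.microsoftonline.com",
               "resource": "https://management.core.windows.net/"},
    "china": {"authority": "https://login.chinacloudapi.cn",
              "resource": "https://management.core.chinacloudapi.cn/"},
    "usgov": {"authority": "https://login-us.microsoftonline.com",
              "resource": "https://management.core.usgovcloudapi.net/"},
}

OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"


def new_state_and_nonce():
    """Return (state, nonce). Both must be unguessable and stored by the client:
    state ties the redirect to the session that started the flow (CSRF defence),
    nonce ties the id_token to this request (replay defence). A constant state
    such as 12345 or a timestamp nonce provides neither."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(cloud, client_id, state, nonce, tenant="common"):
    """Assemble the /oauth2/authorize URL for the given cloud.
    urlencode percent-encodes the resource URI and turns the space in
    'code id_token' into '+', matching the URLs in the question."""
    cfg = CLOUDS[cloud]
    params = {
        "resource": cfg["resource"],
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": OOB_REDIRECT,
        "response_mode": "fragment",
        "nonce": nonce,
        "state": state,
    }
    return f"{cfg['authority']}/{tenant}/oauth2/authorize?" + urlencode(params)


def handle_redirect(returned_url, expected_state):
    """Validate the response the authorization server sends back.
    With response_mode=fragment the parameters live after '#'.
    Returns the authorization code, or raises on a state mismatch or an error."""
    qs = parse_qs(urlparse(returned_url).fragment)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise RuntimeError(f"{qs['error'][0]}: {desc}")
    return qs["code"][0]


# Regexes for the AADSTS error text quoted in the question.
_CODE_RE = re.compile(r"^(AADSTS\d+):")
_REQUESTED_RE = re.compile(r"Resource value from request:\s*(\S+?)\.\s+Resource app ID")
_VALID_RE = re.compile(
    r"List of valid resources from app registration:\s*"
    r"([0-9a-fA-F-]+(?:,\s*[0-9a-fA-F-]+)*)")


def parse_aadsts_error(message):
    """Pull the error code, the resource that was requested and the resource
    app IDs the registration allows out of an AADSTS650057-style message."""
    code = _CODE_RE.search(message)
    requested = _REQUESTED_RE.search(message)
    valid = _VALID_RE.search(message)
    return {
        "code": code.group(1) if code else None,
        "requested_resource": requested.group(1) if requested else None,
        "valid_resources": [v.strip() for v in valid.group(1).split(",")] if valid else [],
    }


# Constructed sample: the question's error text with the masked IDs kept as-is.
SAMPLE_ERROR = (
    "AADSTS650057: Invalid resource. The client has requested access to a resource "
    "which is not listed in the requested permissions in the client's application "
    "registration. Client app ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. "
    "Resource value from request: https://management.core.usgovcloudapi.net/. "
    "Resource app ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. "
    "List of valid resources from app registration: "
    "797f4846-ba00-4fd7-ba43-dac1f8f63013, 00000002-0000-0000-c000-000000000000. "
    "Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "
    "Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Timestamp: 2019-02-06 02:19:50Z"
)

if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    # Placeholder client id; substitute the app registration's own.
    print(build_authorize_url("usgov", "00000000-0000-0000-0000-000000000000", state, nonce))
    print(parse_aadsts_error(SAMPLE_ERROR))
```

The parsed "valid_resources" are resource app IDs, not URIs, so the useful comparison is against the resource app IDs in the registration's required permissions for that cloud; when the requested resource's app ID is absent from that list, the request fails before any consent prompt is shown.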


1 Answers

-1
votes

This issue is normally caused by having the incorrect identifier in the SSO settings. Either the identifier is set incorrectly, the format is incorrect, or it is not shared properly between tenants.

Under Single Sign-On in your application, check to see that the Identifier field is filled in correctly. (This is a different example but shows the location.)

I would also suggest using Fiddler to check the SAML response, as well as making sure that you don't have any unnecessary access requirements enforced on that tenant.