0
votes

I'm able to generate an access token using Postman, but I need to generate the token from an API. I tried to get the token using the API, referring to the Microsoft document on how to generate an access token, but I'm getting the below error while running the POST request for OAuth 2.0.

Error --

{
    "error": "invalid_scope",
    "error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://f653b343-fe0a-422d-b4a8-f36346a3156b/Access.As.User is not valid.\r\nTrace ID: ce5c37f6-57c0-44f6-b265-ccc68602ba00\r\nCorrelation ID: a44a64c1-9277-40e3-b855-ee0abbe44ab6\r\nTimestamp: 2020-11-11 11:54:49Z",
    "error_codes": [
        70011
    ],
    "timestamp": "2020-11-11 11:54:49Z",
    "trace_id": "ce5c37f6-57c0-44f6-b265-ccc68602ba00",
    "correlation_id": "a44a64c1-9277-40e3-b855-ee0abbe44ab6"
}

Scopes -- Scopes In Azure

But the same thing works in Postman: with authorization using OAuth 2.0, I'm able to generate the token. Please help with the POST request which fetches the bearer token from Azure AD.

1
Hi @Rahul, what is the auth flow you are using? - Hari Krishna
I referred to this document: docs.microsoft.com/en-us/azure/active-directory-b2c/… The API is written as a Microsoft workflow in PowerApps, wherein, while getting the token, it fails and throws the error I sent in the question. - Rahul Dev
You need to pass the scope in the authentication URL. Can you share the link of your authentication URL? - Hari Krishna
URL - login.microsoftonline.com*****-*****-****-****-****/oauth2/v2.0/token Content-Type : application/x-www-form-urlencoded grant_type : client_credentials - Rahul Dev
scope : api://****/Access.As.User - Rahul Dev

1 Answer

1
votes

In the client credentials flow, the scope parameter in the request should be scope = api://{your-appid}/.default (suffix). Please refer to the MS document, which also mentions the same.

According to the screenshot you have shared, all permissions assigned are delegated permissions. Since the client credentials flow only supports application permissions, this is the reason you are facing the 401 unauthorized issue. Please add the application permissions to fix this issue.
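
The token request this answer describes, as an added example that is not part of the original answer: it builds the client credentials POST with the `/.default` scope and extracts the AADSTS code from an error body like the one in the question. The environment variable names and helper function names are assumptions made for illustration.

```python
import json, os, re
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def client_credentials_scope(scope):
    # 'api://<app-id>/Access.As.User' -> 'api://<app-id>/.default'
    if scope.endswith("/.default"):
        return scope
    resource, sep, _name = scope.rpartition("/")
    if not sep or resource.endswith(("/", ":")):
        raise ValueError(f"cannot derive a resource from scope {scope!r}")
    return resource + "/.default"

def build_token_request(tenant, client_id, client_secret, scope):
    # Form-encoded body for the v2.0 token endpoint, client credentials grant.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": client_credentials_scope(scope),
    }).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe="")),
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def explain_error(response_text):
    # Returns (error, AADSTS code) from an Azure AD error response body.
    err = json.loads(response_text)
    m = re.match(r"AADSTS(\d+)", err.get("error_description", ""))
    return err.get("error"), int(m.group(1)) if m else None

if __name__ == "__main__":
    # Assumed variable names; the secret comes from the environment, not source.
    env = os.environ
    req = build_token_request(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
                              env["AZURE_CLIENT_SECRET"], env["API_SCOPE"])
    try:
        with urllib.request.urlopen(req) as resp:
            token = json.load(resp)["access_token"]
        print("token length:", len(token))  # never log the token itself
    except urllib.error.HTTPError as exc:
        print("token request failed:", explain_error(exc.read().decode()))
```

The request only succeeds once application permissions have been added to the app registration, as the answer says; with delegated permissions alone the scope fix is not enough.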