
retrieving token with multiple scopes (including delegated permission) not working #1275

Closed
thomas-topway-it opened this issue Mar 18, 2021 · 12 comments

@thomas-topway-it

thomas-topway-it commented Mar 18, 2021

Hello, I'm trying to retrieve a token using delegated permission, like this:

```
[
  "api://[app-registration-client-id]/user_impersonation"
]
```

and it works, but when I use the following

```
[
  "openid",
  "Mail.Read",
  "offline_access",
  "email",
  "api://[app-registration-client-id]/user_impersonation"
]
```

it does not work. I have also tried the following

```
[
  "api://[app-registration-client-id]/openid",
  "api://[app-registration-client-id]/Mail.Read",
  "api://[app-registration-client-id]/offline_access",
  "api://[app-registration-client-id]/email",
  "api://[app-registration-client-id]/user_impersonation"
]
```

assigning all the related scopes to the "authorized client application"
but it does not work either.

I have found the following ticket

#865

which describes a workaround for that, but I'm not sure it is applicable to the new version of the portal.

How can I solve that with the new version of the portal? (The issue also occurs using msal 1.1.15.)

thanks
(Thomas)

@hieunguyenmsft
Contributor

@thomas-topway-it: do you have the same error as in #865? In case you have a different error, could you please share its detail?
Thank you.

@hieunguyenmsft hieunguyenmsft self-assigned this Mar 24, 2021
@thomas-topway-it
Author

@hieunguyenmsft
the problem is that the following
#865 (comment)
is not applicable to my Azure account.

I will send you the log as soon as possible, currently
I have been able to use the form

```
[
  "openid",
  "Mail.Read",
  "offline_access",
  "email"
]
```

both on iOS and Android, but indeed I need to retrieve the log and to ensure the HTTP request is precisely the same, because, in the same Flutter app, the flow seems to behave differently.

I already proposed the following somewhere else, but don't you think it would be worthwhile for your team to contribute to a reliable Flutter plugin for MSAL, given that the current libraries are poorly maintained or not maintained at all, and the growing interest in Flutter?

I think most of the issues depend on the libraries rather than on MSAL itself (but, please, don't put the "external" label on this thread yet), and that negatively impacts the MSAL library as well.
(Thomas)

@hieunguyenmsft
Contributor

Support for a new language is great as it can bring MSAL to more people, but on the other hand our resources are limited, and we don't have experience with Flutter. I will forward the ask to my manager to see what we can do with it.
Back to your issue, testing these scopes with native Obj-C MSAL should be fine, so as you said, there is a chance the problem is in the Flutter library.
If you have the log file to share, we might find out more about which step failed.
Thank you.

@antrix1989
Contributor

Please reopen once you get logs.

@hkozlovskyi

Hi,
I'm receiving the same issue when I'm trying to combine scopes.
`["API scope"]` - works
`["email", "API scope"]` - doesn't work

Could you assist with that?
The error which I received said "Server returned less scopes than requested" and `MSALGrantedScopesKey = ["API scope"]`.

Thanks

@hieunguyenmsft
Contributor

Sure @hkozlovskyi, I'm happy to help. Could you please clarify your current setup:

  • Which version of MSAL are you using?
  • MSAL log file, if possible? Please follow this link for more info on how to collect logs.

Thank you.

@hkozlovskyi

Hi @hieunguyenmsft
Sure, here it is:

  • MSAL version 1.1.17

```
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21] Requiring default broker type due to app being built with iOS 13 SDK
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] -[MSALPublicClientApplication acquireTokenWithParameters:(
email,
"api:///access_as_user"
)
extraScopesToConsent:(null)
account:Masked(null)
loginHint:Masked(null)
promptType:MSALPromptTypeConsent
extraQueryParameters:(null)
authority:(null)
webviewType:MSALWebviewTypeDefault
customWebview:No
correlationId:(null)
capabilities:(null)
claimsRequest:(null)]
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Checking broker install state for version V2-broker-nonce
2021-05-12 23:47:21.389188+0300 Humboldt[10280:2529955] -canOpenURL: failed for URL: "msauthv2://broker" - error: "The operation couldn’t be completed. (OSStatus error -10814.)"
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21] Scheme msauthv2 for broker not present
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Beginning interactive flow.
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21] Start background app task with type 0
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Resolving authority: Masked(not-null), upn: Masked(null)
MSAL log: TID=2530168 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] No cached preferred_network for authority
MSAL log: TID=2530168 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Waiting on Authority Validation Queue
2021-05-12 23:47:21.718916+0300 Humboldt[10280:2530163] [tcp] tcp_input [C2.2.1:3] flags=[R.] seq=383495886, ack=2289237072, win=0 state=FIN_WAIT_1 rcv_nxt=383495886, snd_una=2289237071
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Caching AAD Environements
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] networkHost: login.microsoftonline.com, cacheHost: login.windows.net, aliases: login.microsoftonline.com, login.windows.net, login.microsoft.com, sts.windows.net
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] networkHost: login.partner.microsoftonline.cn, cacheHost: login.partner.microsoftonline.cn, aliases: login.partner.microsoftonline.cn, login.chinacloudapi.cn
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] networkHost: login.microsoftonline.de, cacheHost: login.microsoftonline.de, aliases: login.microsoftonline.de
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] networkHost: login.microsoftonline.us, cacheHost: login.microsoftonline.us, aliases: login.microsoftonline.us, login.usgovcloudapi.net
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] networkHost: login-us.microsoftonline.com, cacheHost: login-us.microsoftonline.com, aliases: login-us.microsoftonline.com
MSAL log: TID=2530161 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Resolved authority, validated: YES, error: 0
MSAL log: TID=2530168 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:21 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Returned from Authority Validation Queue
MSAL log: TID=2529955 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:43 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Enrollment id read from intune cache : (null).
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44] Stop background task with type 0
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Validate and save token response...
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44] Enrollment id read from intune cache : (null).
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Keychain find status: -25300
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Found no metadata item.
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Saving token response, only save SSO state 0
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (Default accessor) Saving multi resource refresh token
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44] Enrollment id read from intune cache : (null).
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (Default cache) Removing credentials with type AccessToken, environment login.windows.net, realm 9188040d-6c67-4c5b-b112-36a304b66dad, clientID , unique user ID e40703bc, target api://
/access_as_user
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (MSIDAccountCredentialCache) retrieving cached credentials using credential query
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Keychain find status: -25300
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (MSIDAccountCredentialCache) retrieved 0 cached credentials
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (MSIDAccountCredentialCache) credential query requires exact match with the cached credential items. Performing additional filtering checks.
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] (MSIDAccountCredentialCache) returning 0 filtered credentials
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Saving keychain item, item info Masked(not-null)
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Saving keychain item, item info Masked(not-null)
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Saving keychain item, item info Masked(not-null)
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Keychain find status: -25300
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Saving keychain item, item info Masked(not-null)
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] Server returned less scopes than requested, granted scopes: {(
"api://
/access_as_user"
)}
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] Removing reserved scopes from granted scopes: {(
openid,
profile,
"offline_access"
)}
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] Final granted scopes: {(
"api://
*******/access_as_user"
)}
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] Interactive flow finished. Result (null), error: -51415 error domain: MSIDOAuthErrorDomain
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44] Parsing result access token
MSAL log: TID=2530162 MSAL 1.1.17 iOS 14.5.1 [2021-05-12 20:47:44 - B1EF3419-09C6-4EA2-8797-99A09ED4A90E] [MSAL] acquireToken returning with error: (MSALErrorDomain, -50003) Masked(not-null)
The operation couldn’t be completed. (MSALErrorDomain error -50003.)
(lldb) po error
▿ Optional

  • some : Error Domain=MSALErrorDomain Code=-50003 "(null)" UserInfo={MSALDeclinedScopesKey=(
    email
    ), MSALGrantedScopesKey=(
    "api://**********/access_as_user"
    ), MSALErrorDescriptionKey=Server returned less scopes than requested, MSALCorrelationIDKey=B1EF3419-09C6-4EA2-8797-99A09ED4A90E, MSALInvalidResultKey=<MSALResult: 0x280a76450>}

Error: Cannot acquire token
```

@hieunguyenmsft
Contributor

Hi @hkozlovskyi, I checked with our server team and the problem is in the scope content `{email, "api:///access_as_user"}`.
One token can only be issued to one audience. In this case the 'email' audience is MS Graph, and your customized scope `"api:///access_as_user"` is for your API, so the token returned from the server contains fewer scopes than the request.
In this case, you need 2 separate tokens.
I'm going to close it for now, feel free to reopen if you have any question.
Thank you.

@hkozlovskyi

Hi @hieunguyenmsft
Thanks for the answer. But the problem is that I need to provide access for the API scope and also receive a token which will include email; based on your answer it looks like I'm unable to do that. Is there any other way to do that? Maybe you could help with that question.
As for now, as a workaround, I'm asking the user two times to acquireToken with different scopes, one with MS Graph and the second one with the API scope.

Thank you!
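The "one token, one audience" rule explained by the maintainer above, and the two-call workaround in the reply, can both be checked client-side before a request leaves the app. The following Python is an added example (not MSAL code, and not from any commenter): it groups a requested scope list by the audience each scope resolves to, so the caller knows how many separate `acquireToken` calls are needed, and it reproduces the comparison visible in the log (reserved scopes `openid`, `profile`, `offline_access` are stripped from the granted set before it is compared with the request). The assumption that an un-prefixed scope such as `email` or `Mail.Read` belongs to Microsoft Graph follows the maintainer's comment; the client id in `API_SCOPE` is a placeholder.

```python
"""Pre-flight check for mixed-audience scope requests (constructed example)."""
from typing import Dict, List, Sequence, Set
from urllib.parse import urlparse

# Scopes MSAL adds to every request on its own and removes from the granted set
# before comparing it with the request (mirrors the log lines above).
RESERVED_SCOPES: Set[str] = {"openid", "profile", "offline_access"}

# Assumption (from the maintainer's comment): a bare scope name belongs to MS Graph.
GRAPH_AUDIENCE = "https://graph.microsoft.com"

# Placeholder client id; a real app registration id goes here.
API_SCOPE = "api://00000000-0000-0000-0000-000000000000/access_as_user"

# Constructed inputs: the combination that failed in the thread, and the two
# that worked on their own.
MIXED_REQUEST = ["openid", "Mail.Read", "offline_access", "email", API_SCOPE]
GRAPH_ONLY = ["openid", "Mail.Read", "offline_access", "email"]
API_ONLY = [API_SCOPE]


def audience_of(scope: str) -> str:
    """Return the audience (resource) a scope would be issued for.

    Reserved OIDC scopes are returned as "*": they ride along with whichever
    audience the token ends up having and never decide the audience themselves.
    """
    if scope in RESERVED_SCOPES:
        return "*"
    if "://" in scope:
        # e.g. api://<client-id>/access_as_user or https://graph.microsoft.com/Mail.Read
        parsed = urlparse(scope)
        return f"{parsed.scheme}://{parsed.netloc}"
    return GRAPH_AUDIENCE


def split_by_audience(scopes: Sequence[str]) -> Dict[str, List[str]]:
    """Group scopes so that each group can be passed to its own acquireToken call."""
    groups: Dict[str, List[str]] = {}
    for scope in scopes:
        aud = audience_of(scope)
        if aud == "*":
            continue  # MSAL will add the reserved scopes to every request anyway
        groups.setdefault(aud, []).append(scope)
    return groups


def plan_requests(scopes: Sequence[str]) -> List[List[str]]:
    """Scope lists for the separate token requests a mixed request must become."""
    return list(split_by_audience(scopes).values())


def declined_scopes(requested: Sequence[str], granted: Sequence[str]) -> Set[str]:
    """Mirror the library-side check from the log: reserved scopes aside,
    which requested scopes did the server leave out of the token?"""
    wanted = set(requested) - RESERVED_SCOPES
    got = set(granted) - RESERVED_SCOPES
    return wanted - got


if __name__ == "__main__":
    print("requests needed:", plan_requests(MIXED_REQUEST))
    # What the server actually returned for {email, api scope} in the log above.
    server_granted = [API_SCOPE, "openid", "profile", "offline_access"]
    print("declined:", declined_scopes(["email", API_SCOPE], server_granted))
```

Running it shows that `MIXED_REQUEST` splits into two requests (one for Graph, one for the custom API), which is exactly the two-`acquireToken` workaround described in the reply, and that for the logged request the declined set is `{"email"}`, matching `MSALDeclinedScopesKey` in the lldb output.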

@hieunguyenmsft
Contributor

As far as I know, there is no workaround for that. I'm not sure if the server has plans to support multiple audiences in one token in the future. If there is any news, I will update you via this ticket :)

@ameyapat
Contributor

@hkozlovskyi

@hieunguyenmsft thanks for your help.

@ameyapat will try, thank you!
