
Server returned less scopes than requested

Open · Halfpint-Code opened this issue 4 years ago · 9 comments

Hello, I implemented MSAL in our app. I am getting the error:

[b2cApplication acquireTokenWithParameters:interactiveParams: completionBlock:]

(lldb) po error 2020-03-04 09:18:27.431739-0600 RemoteInventory[4479:4223872] XPC connection interrupted Error Domain=MSALErrorDomain Code=-50003 "(null)" UserInfo={MSALDeclinedScopesKey=( "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ), MSALGrantedScopesKey=( "/" ), MSALErrorDescriptionKey=Server returned less scopes than requested, MSALInvalidResultKey=<MSALResult: 0x1c02adb00>}

Our backend developer and I have both looked into this a little. We found the following link, but we're not sure it helps: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/393

I added error handling so that, when the error happens, we try to grab the token silently with the granted scopes, as suggested in another link, but there are no granted scopes and it fails again.

Do you know of any settings off-hand that might be affecting this that we should look into?

We are currently using com.microsoft.aad:adal:2.0.1-alpha with no issues right now. If we can get this working on iOS with MSAL, I believe we will likely be updating that as well for consistency.

Thanks

Halfpint-Code · Mar 09 '20 14:03

Yes, this issue seems related to the issue you linked. When requesting a token from MSAL for B2C, you need to make sure you're passing a valid scope that is registered in your tenant. Can you please let us know what kind of scopes you are providing to MSAL in your request?

oldalton · Mar 09 '20 18:03

FWIW, I'm running into the same issue trying to get this to work in a scenario where we're only using it for identity and only passing the clientId for scopes. We get a good response from the server with an access token and an ID token, but the scope returned from B2C is "/".

sudolibre · Mar 09 '20 18:03

@oldalton Thanks for the reply. We are providing only the clientID as the current scope. This worked when we were using ADALiOS and currently works on the Android ADAL I mentioned earlier, so I assume this is a valid scope.

Halfpint-Code · Mar 09 '20 18:03

A workaround seems to be going to Applications (not App Registrations (Preview)), adding a dummy scope to Published scopes, then adding the scope you just created under the API Access menu option right above Published scopes. In the app, remove the client ID from the scopes and add the Full Scope Value from the published scope you just created.

sudolibre · Mar 09 '20 19:03

We are tracking a similar feature gap here: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/852. And yes, adding a scope should resolve it, since MSAL tries to validate whether or not it received all the scopes that the app requested in the response.

oldalton · Mar 10 '20 17:03
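The workaround above (request a published scope's Full Scope Value instead of the client ID) together with the scope validation oldalton describes, shown as an added example in Objective-C that is not part of this thread or the MSAL library. It assumes a B2C app object and webview parameters you already create elsewhere; the client ID and scope strings are placeholders, and the `initWithScopes:webviewParameters:` initializer is the MSAL 1.x form.

```objc
#import <MSAL/MSAL.h>

// Placeholders: replace with your B2C client ID and the "Full Scope Value" of a
// scope published under Applications > Published scopes in the B2C portal.
static NSString *const kClientId = @"00000000-0000-0000-0000-000000000000";
static NSString *const kPublishedScope = @"https://contoso.onmicrosoft.com/api/read";

// Requests the published scope (not the client ID) and, on the -50003 error,
// inspects the granted/declined scope keys MSAL attaches to the NSError.
static void AcquireTokenWithPublishedScope(MSALPublicClientApplication *app,
                                           MSALWebviewParameters *webParams,
                                           void (^done)(MSALResult *result, NSError *error))
{
    MSALInteractiveTokenParameters *params =
        [[MSALInteractiveTokenParameters alloc] initWithScopes:@[kPublishedScope]
                                             webviewParameters:webParams];

    [app acquireTokenWithParameters:params completionBlock:^(MSALResult *result, NSError *error) {
        if (!error) { done(result, nil); return; }

        if ([error.domain isEqualToString:MSALErrorDomain] &&
            error.code == MSALErrorServerDeclinedScopes)
        {
            NSArray<NSString *> *granted  = error.userInfo[MSALGrantedScopesKey];
            NSArray<NSString *> *declined = error.userInfo[MSALDeclinedScopesKey];
            NSLog(@"B2C declined %@ and granted %@", declined, granted);

            // B2C answers a client-ID-only request with the bare scope "/", which is
            // not a usable resource scope, so drop it before deciding what to retry.
            NSMutableArray<NSString *> *usable = [NSMutableArray array];
            for (NSString *scope in granted) {
                if (![scope isEqualToString:@"/"]) [usable addObject:scope];
            }
            if (usable.count == 0) {
                // Nothing real was granted: the scope is not registered in the tenant,
                // and a silent retry with "granted scopes" fails just as in the thread.
                done(nil, error);
                return;
            }

            // Some scopes were granted: retry silently with only those.
            MSALResult *partial = error.userInfo[MSALInvalidResultKey];
            MSALSilentTokenParameters *silent =
                [[MSALSilentTokenParameters alloc] initWithScopes:usable account:partial.account];
            [app acquireTokenSilentWithParameters:silent completionBlock:done];
            return;
        }
        done(nil, error);
    }];
}
```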

Thanks for the info. We are going to look into the workaround and see if we can get that working.

Halfpint-Code · Mar 10 '20 18:03

Hi @Halfpint-Code, did you have a chance to take a look at this issue?

antrix1989 · Mar 16 '20 17:03

Yes, we did last Friday. We were able to get back a token that works by using the workaround provided by sudolibre. I have been working today to try to rebuild our login methods based on the new framework. Thanks.

I was curious, though: this was added to that feature gap. Does that mean the workaround will break if this gets fixed in a future update?

Halfpint-Code · Mar 16 '20 17:03

Thanks for confirming. This workaround will continue working in future versions of the library.

antrix1989 · Mar 16 '20 17:03