Open brenspi opened 4 years ago
I am also having this issue. Running 2.3.1
I am also getting this same message.
I found the error is coming from oauthlib and by commenting out the call to validate_token_parameters I can get this to work. Obviously that is not a good solution.
I was able to solve this problem by adding the following environment variables in my settings.py:
os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'
os.environ['OAUTHLIB_IGNORE_SCOPE_CHANGE'] = '1'
I don't know the "correct" way to fix the problem but that got things working for me without having to mess with the code.
This appears to work. Thanks!
The correct way to fix it is to set MICROSOFT_AUTH_EXTRA_SCOPES = "User.Read"
in your Django settings, and make sure that the appropriate API permissions are set under your app registration in AAD. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
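Why the two fixes above differ, as an added example (not code from django_microsoft_auth or oauthlib): a simplified model of the scope comparison behind this error, run on the two scope strings from the exception value reported in this issue. That the extra-scopes setting is appended to the requested scope, the `allowed_extra` parameter and the `Mail.Read` sample value are assumptions made for illustration.

```python
# Added illustration: a simplified model of the check, not oauthlib's own code.

REQUESTED = "openid profile email"            # scope sent by the client (from the error)
GRANTED = "openid email User.Read profile"    # scope in the token response (from the error)


def scope_set(scope):
    """Split a space-delimited OAuth 2.0 scope string into a set (order is irrelevant)."""
    return set(scope.split())


def scope_diff(requested, granted):
    """Return (added, removed): scopes granted but not requested, and the reverse."""
    req, got = scope_set(requested), scope_set(granted)
    return sorted(got - req), sorted(req - got)


def check_granted(requested, granted, allowed_extra=()):
    """Accept a token only if every unrequested scope is explicitly allowed.

    allowed_extra is a hypothetical per-application allowlist; returns (ok, message).
    """
    added, removed = scope_diff(requested, granted)
    unexpected = [s for s in added if s not in set(allowed_extra)]
    if unexpected or removed:
        return False, 'Scope has changed from "%s" to "%s".' % (requested, granted)
    return True, "scopes accepted"


def demo():
    """Run the three cases discussed in the thread and return their outcomes."""
    # 1. Default request: the provider adds User.Read, so the check fails.
    default = check_granted(REQUESTED, GRANTED)
    # 2. Requesting User.Read up front (assumed effect of the extra-scopes
    #    setting): requested and granted sets are equal, so the check passes.
    with_extra = check_granted(REQUESTED + " User.Read", GRANTED)
    # 3. Constructed response granting Mail.Read as well: still rejected,
    #    whereas disabling the check globally would accept it silently.
    wider = check_granted(REQUESTED + " User.Read", GRANTED + " Mail.Read")
    return default, with_extra, wider


if __name__ == "__main__":
    print(scope_diff(REQUESTED, GRANTED))
    for ok, message in demo():
        print(ok, message)
```

Requesting the scope keeps the comparison active for every other scope, while the environment-variable workaround turns it off for all of them.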
Good evening, I'm having issues when trying to use django_microsoft_auth. Upon selecting the Microsoft user to log in, I'm getting the error below during the POST request.
Environment:
Request Method: POST
Request URL: http://localhost:8000/microsoft/auth-callback/

Django Version: 3.0.4
Python Version: 3.8.2
Installed Applications:
['django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'homepage', 'financerecords', 'financetransaction', 'easy_thumbnails', 'image_cropping', 'bootstrap4', 'bootstrap_datepicker_plus', 'django_cleanup', 'django.contrib.sites', 'microsoft_auth']
Installed Middleware:
['django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware']

Traceback (most recent call last):
  File "C:\Users\bren_\PycharmProjects\SZPMSite\venv\lib\site-packages\django\core\handlers\exception.py", line 34, in inner
    response = getresponse(request)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\django\core\handlers\base.py", line 115, in _get_response
    response = self.process_exception_bymiddleware(e, request)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\django\core\handlers\base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, callbackkwargs)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\django\views\generic\base.py", line 71, in view
    return self.dispatch(request, *args, *kwargs)
  File "C:\Users\bren_\PycharmProjects\SZPMSite\venv\lib\site-packages\django\utils\decorators.py", line 43, in _wrapper
    return bound_method(args, kwargs)
  File "C:\Users\bren_\PycharmProjects\SZPMSite\venv\lib\site-packages\django\views\decorators\csrf.py", line 54, in wrapped_view
    return viewfunc(*args, **kwargs)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoftauth\views.py", line 47, in dispatch
    return super().dispatch(request, *args, **kwargs)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\django\views\generic\base.py", line 97, in dispatch
    return handler(request, *args, kwargs)
  File "C:\Users\bren_\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoft_auth\views.py", line 145, in post
    context = self.get_context_data(request.POST.dict())
  File "C:\Users\bren_\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoft_auth\views.py", line 68, in get_context_data
    self.authenticate(kwargs.get("code"))
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoft_auth\views.py", line 129, in authenticate
    user = authenticate(self.request, code=code)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\django\contrib\auth__init_.py", line 72, in authenticate
    user = backend.authenticate(request, **credentials)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoft_auth\backends.py", line 43, in authenticate
    token = self.microsoft.fetchtoken(code=code)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\microsoft_auth\client.py", line 169, in fetch_token
    return super().fetchtoken( # pragma: no cover
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\requests_oauthlib\oauth2_session.py", line 360, in fetch_token
    self._client.parse_request_bodyresponse(r.text, scope=self.scope)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\oauthlib\oauth2\rfc6749\clients\base.py", line 421, in parse_request_body_response
    self.token = parse_tokenresponse(body, scope=scope)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\oauthlib\oauth2\rfc6749\parameters.py", line 431, in parse_token_response
    validate_tokenparameters(params)
  File "C:\Users\bren\PycharmProjects\SZPMSite\venv\lib\site-packages\oauthlib\oauth2\rfc6749\parameters.py", line 461, in validate_token_parameters
    raise w

Exception Type: Warning at /microsoft/auth-callback/
Exception Value: Scope has changed from "openid profile email" to "openid email User.Read profile".
In settings.py in Django I'm including:
MICROSOFT_AUTH_CLIENT_ID
MICROSOFT_AUTH_TENANT_ID
MICROSOFT_AUTH_CLIENT_SECRET
MICROSOFT_AUTH_LOGIN_TYPE = 'ma'
In templates - Options - context_processors I'm including 'microsoft_auth.context_processors.microsoft',
and in the Installed APPS I'm including the 'django.contrib.sites', 'microsoft_auth',
I'm quite new to Django and authentication with Microsoft, so can you kindly advise what I'm doing wrong?
Thanks