Azure-Samples / ms-identity-java-webapp

A Java web application calling Microsoft graph that is secured using the Microsoft identity platform
MIT License

How to add url information in the scope parameter in an authentication request #58

Closed yiliuTo closed 3 years ago

yiliuTo commented 3 years ago

I am running the msal-java-webapp-sample, and it can work well with instructions from the README.md. However, when I modify the scope parameter (the code I modified is here) in the authentication request from null to an API permission, like https://graph.microsoft.com/Analytics.Read (here all the permissions haven't been consented before), then the sample will keep redirecting to the login page to ask to fill in login info. And if I remove the resource url and set the scope as Analytics.Read, then it can work well.

I did the same thing in the AuthPageController.java (here is the code I modified, place 1 and place 2), and I got the error AADSTS65001: The user or administrator has not consented to use the application with ID xxxxxxxxxxxxxxx.

So I want to know if the library supports specifying a url for the scope and, if it does, how I should do so.

Besides, I am testing the feature of this library that allows consenting to scopes from multiple resources and then acquiring access tokens from each resource silently, so I need the url info for scopes.

sangonzal commented 3 years ago

@yiliuTo Are you testing with an app registration on the Microsoft tenant or on your own personal test tenant? If it's on the Microsoft tenant, then you might be getting AADSTS65001: The user or administrator has not consented to use the application with ID xxxxxxxxxxxxxxx because the scope you are requesting needs admin approval, which you can't give on the Microsoft tenant.

"So I want to know if the library supports specifying a url for the scope and, if it does, how I should do so." - I think what you mean here is using https://graph.microsoft.com/Analytics.Read vs Analytics.Read. I believe only Analytics.Read would work with MSAL. MSAL supports scopes, not resources (a difference between the AAD v1 and v2 endpoints).

"Besides, I am testing the feature of this library that allows consenting to scopes from multiple resources and then acquiring access tokens from each resource silently, so I need the url info for scopes." - I think this should work by just passing in the scopes. You should pass in the scopes for one resource into the scopes parameter, and pass in the scopes for extra resources in the extraScopesToConsent parameter. Is this not working for you?
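The flow described in the answer above, as an added example that is not part of the sample or of msal4j itself: one sign-in request that consents to two resources at once (`scopes` for the first, `extraScopesToConsent` for the second), followed by one silent acquisition per resource. It assumes msal4j 1.x on the classpath; the client id, secret, tenant, redirect URI and the second resource's `api://...` scope are placeholders, and the `state`/`nonce` values are expected to be stored server-side and checked on the callback.

```java
import com.microsoft.aad.msal4j.*;
import java.net.URI;
import java.util.Collections;
import java.util.Set;

public class MultiResourceConsent {
    // Placeholders: replace with the values of your own app registration.
    static final String CLIENT_ID = "<your-client-id>";
    static final String CLIENT_SECRET = "<your-client-secret>";
    static final String AUTHORITY = "https://login.microsoftonline.com/<your-tenant-id>/";
    static final String REDIRECT_URI = "https://localhost:8443/msal4jsample/secure/aad";

    // First resource: Graph scope in short form (no resource URL prefix).
    static final Set<String> GRAPH_SCOPES = Collections.singleton("User.Read");
    // Second resource: fully qualified scope of a hypothetical downstream API (placeholder).
    static final Set<String> API_SCOPES = Collections.singleton("api://<your-api-client-id>/access_as_user");

    static ConfidentialClientApplication app() throws Exception {
        return ConfidentialClientApplication
            .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET))
            .authority(AUTHORITY)
            .build();
    }

    // Step 1: the sign-in URL. Only GRAPH_SCOPES are requested for the token; API_SCOPES
    // are added to the consent prompt so the user consents to both resources once.
    static String authorizationUrl(ConfidentialClientApplication app, String state, String nonce) {
        AuthorizationRequestUrlParameters params = AuthorizationRequestUrlParameters
            .builder(REDIRECT_URI, GRAPH_SCOPES)
            .extraScopesToConsent(API_SCOPES)
            .responseMode(ResponseMode.FORM_POST)
            .state(state)   // verified on the callback: binds the response to this session
            .nonce(nonce)   // verified against the id_token: rejects replayed responses
            .build();
        return app.getAuthorizationRequestUrl(params).toString();
    }

    // Step 2: redeem the code for the first resource; the account lands in the token cache.
    static IAuthenticationResult redeemCode(ConfidentialClientApplication app, String code) throws Exception {
        AuthorizationCodeParameters params = AuthorizationCodeParameters
            .builder(code, new URI(REDIRECT_URI))
            .scopes(GRAPH_SCOPES)
            .build();
        return app.acquireToken(params).get();
    }

    // Step 3: the second resource's token is obtained silently from the cached account.
    // One acquireTokenSilently call per resource; scopes of two resources are never mixed in one call.
    static IAuthenticationResult silentForApi(ConfidentialClientApplication app, IAccount account) throws Exception {
        SilentParameters params = SilentParameters.builder(API_SCOPES, account).build();
        return app.acquireTokenSilently(params).get();
    }
}
```

If the silent call for the second resource fails with an interaction-required error, the consent for that resource was not granted (for example because it needs admin approval), and the user has to be sent through `authorizationUrl` again.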