AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Bug] AADSTS90009 #735

Closed Ambition-Cc closed 8 months ago

Ambition-Cc commented 9 months ago

Library version used

1.13.8

Java version

openjdk1.8

Scenario

PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

When we are trying to get a token by userName and password, we get this exception: com.microsoft.aad.msal4j.MsalServiceException: AADSTS90009: Application 'XXXXXXXXX'(XXXXXXXX) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier. Could you please help me with this? Thank you!

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

bgavrilMS commented 8 months ago

Have a look here https://stackoverflow.com/questions/42006468/oauth-2-0-and-azure-active-directory-error-aadsts90009

Ambition-Cc commented 8 months ago

@bgavrilMS Sir, thank you for replying. However, I am trying to get a token by Java code and I think there is no parameter named resource.

Avery-Dunn commented 8 months ago

Hello @Ambition-Cc : That "AADSTS90009" is coming from the token service (MSAL Java just forwards the error message), which means this is likely a configuration issue.

After testing it a bit it seems like you might not be able to get certain scopes with an exposed API for the same app you're using to request the token ("requesting a token for itself" from the error). I tried using 'api://client_id/.default' as the scope and got the same error you did, however if I set up a custom scope I could get a token without issue.

Try using just ".default" as the scope instead of "api://client_id/.default", as long as account permissions are set up right that should work. I believe those APIs you can set up are more intended for web app scenarios, and if you are making a web app you can check out our web API sample which involves setting them up to call Graph: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1-server-side/msal-web-api-sample
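The scope change Avery-Dunn describes, as an added example that is not part of the thread or of MSAL Java itself: a minimal msal4j public-client call using the username/password flow the reporter chose, with the scope that produced AADSTS90009 kept beside the one that worked. The client ID, tenant ID, and credentials are placeholders; substitute your own app registration values. The builder and parameter types are the public msal4j API (`PublicClientApplication`, `UserNamePasswordParameters`).

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

import java.util.Collections;

public class ScopeExample {
    // Placeholders (not values from the thread): fill in from your own app registration.
    private static final String CLIENT_ID = "<client-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";

    // The scope that triggered AADSTS90009 in the thread: the app asks for a token
    // addressed to its own exposed API.
    static final String SELF_API_SCOPE = "api://" + CLIENT_ID + "/.default";
    // The scope Avery-Dunn suggested instead.
    static final String DEFAULT_SCOPE = ".default";

    // Acquire a token for a single scope with the username/password (ROPC) flow.
    public static IAuthenticationResult acquire(String scope, String username, char[] password)
            throws Exception {
        PublicClientApplication app = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();

        UserNamePasswordParameters params = UserNamePasswordParameters
                .builder(Collections.singleton(scope), username, password)
                .build();

        // acquireToken returns a CompletableFuture; get() blocks until the service answers.
        return app.acquireToken(params).get();
    }

    public static void main(String[] args) throws Exception {
        String username = "<user@tenant.onmicrosoft.com>"; // placeholder
        char[] password = "<password>".toCharArray();       // placeholder

        try {
            // Expected to fail with AADSTS90009 when the API is exposed by the same app.
            acquire(SELF_API_SCOPE, username, password);
        } catch (java.util.concurrent.ExecutionException e) {
            // MSAL Java forwards the service error unchanged; errorCode() carries the AADSTS code.
            if (e.getCause() instanceof MsalServiceException) {
                MsalServiceException mse = (MsalServiceException) e.getCause();
                System.out.println("Service rejected self-scope: " + mse.errorCode());
            }
        }

        // The scope that worked in the thread.
        IAuthenticationResult result = acquire(DEFAULT_SCOPE, username, password);
        System.out.println("Token acquired for account: " + result.account().username());
    }
}
```

The `ExecutionException` unwrapping matters in practice: because `acquireToken` is asynchronous, the `MsalServiceException` arrives as the cause of the future's exception, so a catch on `MsalServiceException` alone never fires. The username/password flow is the one the reporter was using; the same scope rule applies to `InteractiveRequestParameters` if the app moves to `AcquireTokenInteractive`.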

Ambition-Cc commented 8 months ago

Thank you so much @Avery-Dunn I will have a try tomorrow as you said and give you feedback.

Ambition-Cc commented 8 months ago

@Avery-Dunn Thank you so much for your help. That really works!