Earlybyte / aad_oauth

Flutter Azure Active Directory OAuth Package
https://pub.dev/packages/aad_oauth
MIT License
93 stars 190 forks source link

Cannot Have Multiple Resources In the Scope Parameter #328

Open Matthew-Kanderka opened 4 months ago

Matthew-Kanderka commented 4 months ago

I am trying to get consent for multiple different resources when the user logs in.

Config used:

config = Config(
  tenant: tenant,
  clientId: clientId,
  scope:
      'https://analysis.windows.net/powerbi/api/Report.Read.All https://graph.microsoft.com/Sites.Read.All',
  redirectUri: redirectUri,
  navigatorKey: navigatorKey,
  webUseRedirect: true,
);

But when a user tries to log in, the following error is returned from the MS /token call:

AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope https://analysis.windows.net/powerbi/api/Report.Read.All https://graph.microsoft.com/Sites.Read.All openid profile offline_access is not valid. Trace ID: de2aa854-ac14-48f8-a9f0-5a910e931b00 Correlation ID: ae8814a9-8532-4174-9f4e-d29b318cda8f Timestamp: 2024-07-17 14:42:13Z

The description of the scope parameter in the config.dart file mentions the ability to get consent for multiple web APIs, but it seems like this is not supported.

paulhwangfti commented 3 months ago

Also running into this same issue, any resolution found?

xbignell-cp commented 1 month ago

same problem here, no one found a solution? 😢

justoke commented 1 month ago

The scope parameter can be configured with spaces between the scopes, but it seems the URLs used are not what is expected. You don't mention what platform or directory you are using, but here is an example of a working Azure B2C app registration which exposes an API to signed in users.

For my Azure B2C use case, I specify the scope as follows: image

openid is configured under the API permissions of the app registration for the API image

For the Expose an API we need to define the scope image image

image