Tags: oauth-2.0, azure-active-directory, microsoft-graph-api, onedrive

AAD v2.0: unable to use .default scope with device code flow


I'm wondering if anyone has run into this problem. I'm trying to authenticate to OneDrive using AAD v2.0, and the device code flow. My app has the following permissions configured in the Azure portal:

  • Microsoft Graph:
    • email
    • Files.ReadWrite.All
    • offline_access
    • openid
    • profile
    • User.Read

Each time I try to authenticate, I get the following error message from the token endpoint:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. One or more scopes in 'https://graph.microsoft.com/.default openid offline_access' are not compatible with each other.

However, when I use the usual authorization code flow, it works. Similarly, if I use the scope https://graph.microsoft.com/Files.ReadWrite.All openid offline_access instead of https://graph.microsoft.com/.default openid offline_access, it also works.

Is there something about the .default scope that is incompatible with the device code flow?


More info:

The app can be used by "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". I'm authenticating to the "consumers" tenant because I want to access my personal OneDrive.


Solution

  • Just remove openid offline_access from the scope; it should be https://graph.microsoft.com/.default. When you use /.default they are not needed: all permissions registered by the application will be included.

    Reference - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope


    Update:

    I can reproduce your issue with /consumers and a personal account in the auth URL. If I modify it to /<tenant-id>, it works fine; you could refer to the steps below.

    1. In Postman, use the request below.

    Request URL:

    POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode
    

    Request Body:

    client_id=<client-id>
    scope=https://graph.microsoft.com/.default
    


    2. In the browser, navigate to https://microsoft.com/devicelogin, enter the code and log in with your user account. The app will ask you to consent to the permissions; click Accept.


    3. After logging in successfully, in Postman, use the request below.

    Request URL:

    POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    

    Request Body:

    grant_type=urn:ietf:params:oauth:grant-type:device_code
    client_id=<client-id>
    device_code=<device_code from the step 1 response>
    

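The three Postman steps above as one script, added here as an example and not code from the question or the answer. It sends the same two requests (/devicecode, then /token with the device_code grant) against the v2.0 endpoint, strips openid and offline_access when a /.default scope is present (the fix the answer gives; treating those two as the only scopes to drop is an assumption), and polls /token handling the RFC 8628 responses authorization_pending, slow_down and the terminal errors. The HTTP transport and sleep are injectable so the flow can be exercised offline; the tenant and client IDs are placeholders, and the fake responses in the usage note are constructed.

```python
"""Device code flow against the Microsoft identity platform v2.0 endpoint.

Added example, not the original poster's or answerer's code. Tenant and client
IDs are placeholders; the set of OIDC scopes dropped with /.default is an
assumption based on the answer above.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
# Assumption: these are the scopes that collide with /.default (per the answer).
OIDC_SCOPES_DROPPED_WITH_DEFAULT = {"openid", "offline_access"}
# RFC 8628 / AAD error codes that end the flow; anything else is a hard failure too.
TERMINAL_ERRORS = {"authorization_declined", "bad_verification_code", "expired_token"}


def normalize_scope(scopes):
    """Return a space-separated scope string safe to send to /devicecode.

    With a resource /.default scope every permission registered on the app is
    already requested, so openid and offline_access are dropped: sending them
    alongside /.default is what produced AADSTS70011 in the question.
    """
    scopes = list(dict.fromkeys(s.strip() for s in scopes if s.strip()))  # dedupe, keep order
    if any(s.endswith("/.default") for s in scopes):
        scopes = [s for s in scopes if s not in OIDC_SCOPES_DROPPED_WITH_DEFAULT]
    return " ".join(scopes)


def _urllib_post(url, form):
    """Default transport: POST a form-encoded body and return the parsed JSON.

    AAD answers pending/declined polls with HTTP 400 and a JSON error body, so
    the error body is parsed and returned instead of being raised.
    """
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


class DeviceCodeFlow:
    def __init__(self, tenant, client_id, post=_urllib_post, sleep=time.sleep):
        self.base = f"{AUTHORITY}/{tenant}/oauth2/v2.0"
        self.client_id = client_id
        self.post = post      # injectable so the flow can be exercised offline
        self.sleep = sleep    # injectable so polling can be tested without waiting

    def start(self, scopes):
        """Step 1: request a device code; returns the /devicecode response."""
        resp = self.post(f"{self.base}/devicecode",
                         {"client_id": self.client_id, "scope": normalize_scope(scopes)})
        if "device_code" not in resp:
            raise RuntimeError(f"devicecode failed: {resp.get('error')}: {resp.get('error_description')}")
        return resp

    def poll(self, device_code, interval=5, expires_in=900):
        """Step 3: poll /token until the user completes step 2 in the browser."""
        elapsed = 0  # counted from the intervals slept, so it is deterministic offline
        while elapsed <= expires_in:
            resp = self.post(f"{self.base}/token", {
                "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
                "client_id": self.client_id,
                "device_code": device_code,
            })
            if "access_token" in resp:
                return resp
            err = resp.get("error")
            if err == "authorization_pending":
                pass                         # user has not finished signing in yet
            elif err == "slow_down":
                interval += 5                # RFC 8628: back off by 5 seconds
            elif err in TERMINAL_ERRORS:
                raise RuntimeError(f"device code flow ended: {err}: {resp.get('error_description')}")
            else:
                raise RuntimeError(f"unexpected token response: {resp}")
            self.sleep(interval)
            elapsed += interval
        raise TimeoutError("device code expired before the user signed in")

    def run(self, scopes):
        """Steps 1-3 end to end; step 2 is the user following the printed message."""
        dc = self.start(scopes)
        print(dc.get("message", f"Open {dc.get('verification_uri')} and enter {dc.get('user_code')}"))
        return self.poll(dc["device_code"], dc.get("interval", 5), dc.get("expires_in", 900))


if __name__ == "__main__":
    # Placeholders: use the tenant ID (the answer reports /consumers fails) and your app's client ID.
    flow = DeviceCodeFlow("<tenant-id>", "<client-id>")
    token = flow.run(["https://graph.microsoft.com/.default", "openid", "offline_access"])
    print("got access token for scopes:", token.get("scope"))
```

To drive it offline, pass a `post` callable that returns constructed responses in order (a /devicecode response, then `authorization_pending`, `slow_down`, `authorization_pending`, then a token) and a `sleep` that records the intervals; the recorded intervals should grow by 5 after the `slow_down`, and the scope actually sent in the first request should be `https://graph.microsoft.com/.default` alone.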