AADSTS500011 , inserting scope in azure authentication returns error

Question

I am currently trying to verify an access token generated using msal python.

I created my ConfidentialClientApplication like this

app = ConfidentialClientApplication(
    "<client_id>", #client id
    authority="https://login.microsoftonline.com/<tenant_iD>",
    client_credential="<client_secret>",
    token_cache=cache)

Then i try to create my access token like this

result = app.acquire_token_for_client(scopes=["<scope>/.default"])

The scope has been exposed on azure portal under "Expose an API" for the resource and has been added by the client under the "API permissions".

if i do not include the scope name , Tokens are generated just fine.

However, I looked at other examples and i notice some people use their scope together with the scope name

eg : api://<application_uri>/USER.READ as opposed to just the application uri like api://<application_uri>

When i use api://<application_uri>/USER.READ in the scope, i get this error instead

{'error': 'invalid_resource', 'error_description': 'AADSTS500011: The resource principal named api://<application_uri>/USER.READWRITE was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 64697571-81b1-4d6c-bd61-fa69c7c97700\r\nCorrelation ID: 3bbc9c0f-39d1-4ca3-b15e-918a10391924\r\nTimestamp: 2023-05-02 07:30:44Z', 'error_codes': [500011], 'timestamp': '2023-05-02 07:30:44Z', 'trace_id': '64697571-81b1-4d6c-bd61-fa69c7c97700', 'correlation_id': '3bbc9c0f-39d1-4ca3-b15e-918a10391924', 'error_uri': 'https://login.microsoftonline.com/error?code=500011'}
cache <msal.token_cache.SerializableTokenCache object at 0x000001946C97FFD0>

I have been trying to look for answers for weeks now, anyone can help?

Answer 1

Note that: Client Credentials flow requires Application API permissions. Delegated API permissions are passed while using user interactive flow such as Authorization Code flow etc.

While using Client Credentials flow you have to make use of /.default or when using v1 endpoint use api://ClientID.

The error AADSTS500011 usually occurs if you are passing invalid resource like below:

resource: api://ClientID/user.read

I created an Azure AD Application and added API permissions like below:

When expose an API is done and added scope it is taken as delegated API permission.

Now, I generated access token using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/token

client_id:ClientID
client_secret:ClientSecret
resource:api://ID
grant_type:client_credentials

When I decoded the token, the aud is api://xxx but scope isn't displayed as delegated API permission been passed in Client Credential flow:

Hence, to resolve the issue create App roles like below:

Add the App role to the API permissions blade like below:

I generated the access token in Postman via Client Credential flow:

resource: api://ClientID

When I decoded the token, the app role is successfully displayed like below:

• I generated access token using Authorization code flow like below:

https://login.microsoftonline.com/TenantID/oauth2/token

client_id:ClientID
grant_type:authorization_code
scope:api://xxx/User.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

When I decoded the token, the delegated scope displayed successfully like below:

Reference:

MSAL Python 1.22.0 documentation (msal-python.readthedocs.io)