Blazor MSAL not requesting scopes
I've got a Blazor WASM app with .NET 7 and I'm using Azure AD with a public (multi-tenant) app registration. I'm trying to request a scope so that I can authenticate against an API. But it doesn't request include the requested scopes during authentication.
Here is my appsettings.json:
{
"AzureAd": {
"Authority": "https://login.microsoftonline.com/common",
"ClientId": "[My Balzor app client ID]",
"ValidateAuthority": true,
"Scopes": "openid email profile offline_access api://[My API app client ID]/user_read"
}
}
In Program.cs I'm configuring this here:
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
});
I've also tried adding it explicitly:
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.AdditionalScopesToConsent.Add("api://[My API app clinet ID]/user_read");
});
However, these scopes are never requested from AAD. The URI only ever includes openid, profile, and offline_access.
Why is my additional scope not requested? How do I fix this?
Your Scopes property is being ignored, because you are binding your "AzureAd" appsettings section to options.ProviderOptions.Authentication.
And options.ProviderOptions.Authentication is of type Microsoft.Authentication.WebAssembly.Msal.MsalAuthenticationOptions which does not include the property DefaultAccessTokenScopes or Scopes.
The DefaultAccessTokenScopes property (of type IList string) is a sibling to the Authentication property on the Microsoft.Authentication.WebAssembly.Msal.Models.MsalProviderOptions class.
Thus if you restructure your AzureAd section slightly to take into account the MsalProviderOptions structure, it should all bind correctly without having to call options.ProviderOptions.DefaultAccessTokenScopes.Add() manually in the Program.cs.
{
"AzureAd": {
"Authentication": {
"Authority": "https://login.microsoftonline.com/common",
"ClientId": "[My Balzor app client ID]",
"ValidateAuthority": "true"
},
"DefaultAccessTokenScopes": ["api://[My API app client ID]/user_read", "..."]
}
}
And then your Program.cs can be updated as follows:
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions);
});
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs