Tags: azure, azure-devops, azure-active-directory

Azure - Generating OAuth token with Azure DevOps scopes


I'm attempting to update an integration which is provided to users of a web app and having issues with Microsoft's latest OAuth process.

I've registered an app within the Azure portal and provided the following scopes

(screenshot: API permissions configured for the app registration in the Azure portal)

I'm then trying to initiate the oAuth process and direct the user over to Microsoft to allow them to grant access to their account and I'm attempting to do this with the following URL:

"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
          client_id=#{app_client_id}
          &response_type=code
          &redirect_uri=#{redirect_url}
          &response_mode=query
          &scope=vso.project vso.work_write User.Read
          &state=#{state}
          &prompt=select_account"

However, the user is always returned with an 'invalid_scope' message: 'The provided value for the input parameter 'scope' is not valid. The scope 'vso.project vso.work_write User.Read' does not exist'.

If trying

scope=CLIENT_ID/.default

The following error is returned: "the provided value for the input parameter 'scope' is not valid. The scope 'client-id/.default' is not valid - it refers to a resource which is not listed in the client's Required Resource Access and for which the user does not have any existing consent."

(This is being set up as an integration within a web app for anyone to use.)

Can anyone point me in the right direction as to what scope values should be provided or what configuration changes may need making in the Azure portal?

Many thanks


Solution

  • I agree with @wade zhou - MSFT: the scope to access the Azure DevOps Services REST API must be 499b84ac-1321-427f-aa17-267ca6975798/.default, which is the Resource App ID of Azure DevOps. Refer to this MS Doc.

    Created a Microsoft Entra application and granted API permissions:

    (screenshot: Microsoft Entra app registration with the Azure DevOps API permissions granted)

    To resolve the error, pass scope as 499b84ac-1321-427f-aa17-267ca6975798/.default like below:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=499b84ac-1321-427f-aa17-267ca6975798/.default
    &state=12345
    

    The user signed in successfully:

    (screenshot: successful sign-in, redirected to https://jwt.ms with the authorization code in the query string)

    Pass the above code to generate the access token to call the DevOps API:

    https://login.microsoftonline.com/common/oauth2/v2.0/token
    
    client_id:ClientID
    scope:499b84ac-1321-427f-aa17-267ca6975798/.default
    grant_type:authorization_code
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    

    (screenshot: token endpoint response containing the access token)

    When decoded the scopes are present in the access token:

    (screenshot: decoded access token showing the Azure DevOps scopes)

    If the issue still persists, grant admin consent to the API permissions.
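The flow from the answer (authorize URL, callback, token request), written out as an added Ruby example in the style of the question's interpolated URL; it is not code from the original post. The client ID, redirect URI and the sample token in the comments are placeholders, and the `aud` check assumes the v2.0 access token's audience is the Azure DevOps resource ID shown above.

```ruby
require 'securerandom'
require 'uri'
require 'base64'
require 'json'

# Resource App ID of Azure DevOps Services (from the answer). "/.default" asks for
# every delegated permission the app registration has already been granted.
AZURE_DEVOPS_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798'
DEVOPS_SCOPE = "#{AZURE_DEVOPS_RESOURCE_ID}/.default"
AUTHORITY = 'https://login.microsoftonline.com/common/oauth2/v2.0'

# Step 1: build the authorize URL. The random state is returned so the caller can
# store it in the user's session and tie the callback to this request.
def build_authorize_url(client_id:, redirect_uri:, state: SecureRandom.hex(16))
  params = {
    client_id: client_id, response_type: 'code', redirect_uri: redirect_uri,
    response_mode: 'query', scope: DEVOPS_SCOPE, state: state, prompt: 'select_account'
  }
  ["#{AUTHORITY}/authorize?#{URI.encode_www_form(params)}", state]
end

# Step 2: on the callback, only accept the code when the state matches what we issued.
def callback_code(callback_url, expected_state)
  query = URI.decode_www_form(URI(callback_url).query || '').to_h
  return nil unless query['state'] == expected_state
  query['code']
end

# Step 3: endpoint and form body for the token request; scope repeats the same value.
def token_request(client_id:, client_secret:, code:, redirect_uri:)
  body = { client_id: client_id, client_secret: client_secret,
           grant_type: 'authorization_code', code: code,
           redirect_uri: redirect_uri, scope: DEVOPS_SCOPE }
  ["#{AUTHORITY}/token", body]
end

# Step 4: sanity check before calling Azure DevOps: the token's audience should be the
# DevOps resource ID (assumption). The payload is only decoded here, not verified;
# signature validation is the resource server's job, not the client's.
def issued_for_devops?(access_token)
  parts = access_token.to_s.split('.')
  return false unless parts.size == 3
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  claims['aud'] == AZURE_DEVOPS_RESOURCE_ID
rescue ArgumentError, JSON::ParserError
  false
end
```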