The application asked for scope that doesn't exist on the resource

Timo Josten 21 Reputation points
2021-11-21T12:37:28.973+00:00

Hello,

My application has an issue requesting the scopes files.readwrite, User.Read and offline_access, but only for Work and School accounts. It works flawlessly with personal accounts.

The authorization URL I am using: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=%@&scope=%@&response_type=code&redirect_uri=%@
The scope I am requesting: files.readwrite,User.Read,offline_access

The configured permissions look fine to me: 151148-screenshot-2021-11-21-at-133507.png

The error response I receive when logging in with a Work or School account is: AADSTS650053:+The+application+'APPLICATION NAME'+asked+for+scope+'files.readwrite,User.Read,offline_access'+that+doesn't+exist+on+the+resource+'00000003-0000-0000-c000-000000000000'.+Contact+the+app+vendor

Again, it works perfectly fine with personal accounts.

Any hints for me, please?

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,626 Reputation points
    2021-11-22T07:51:28.513+00:00

    Hi @Timo Josten • Thank you for reaching out.

    Looking at the error, you have separated the scopes using a comma rather than a space. When using multiple scopes in the authentication request, the scopes must be separated with a space. You are getting the error because all 3 scopes are concatenated as a single string "files.readwrite,User.Read,offline_access", which doesn't match any of the scopes added to the application. If you separate the scopes using a space (files.readwrite User.Read offline_access), the scopes won't be concatenated and will be treated as individual scopes.


    2 people found this answer helpful.
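
The fix from the accepted answer, as an added example that is not part of the original thread: RFC 6749 section 3.3 defines `scope` as space-delimited tokens, and a comma is a legal character inside a token, which is why the comma-joined value was read as one unknown scope. The function names, the client ID and the redirect URI used with them are hypothetical placeholders.

```python
import re
from urllib.parse import urlencode, quote, urlsplit, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# A comma (0x2C) is a legal token character, so "a,b,c" is ONE scope.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def scope_tokens(scope_param):
    """Split a scope parameter the way RFC 6749 defines it: on spaces."""
    return scope_param.split(" ") if scope_param else []


def join_scopes(scopes):
    """Validate individual scopes and join them with a single space."""
    for s in scopes:
        if not SCOPE_TOKEN.fullmatch(s):
            raise ValueError(f"not a valid scope-token: {s!r}")
        if "," in s:
            # Local guard (assumption of this example): none of the scopes
            # requested here contain a comma, so one is a joining mistake.
            raise ValueError(f"comma inside scope {s!r}; pass scopes separately")
    return " ".join(scopes)


def build_authorize_url(client_id, scopes, redirect_uri):
    """Build the authorize URL with every parameter percent-encoded."""
    query = urlencode(
        {
            "client_id": client_id,
            "scope": join_scopes(scopes),
            "response_type": "code",
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # encode the scope separator as %20
    )
    return f"{AUTHORIZE}?{query}"


def scopes_seen_by_server(url):
    """Decode the scope parameter from a URL and split it into tokens."""
    return scope_tokens(parse_qs(urlsplit(url).query)["scope"][0])
```

Building the query with `urlencode` instead of a format string also encodes `redirect_uri`, so the parameters cannot run into each other.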
