Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client application

WMio Connectors 121

I created the OAuth app to perform sharepoint authentication, When a user, Non-Microsoft email id(example.com) is trying to authenticate on my app, then the user is getting "Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client application". I am using oauth2 v1.0 . can anyone help me with that, how to modify this error. This question is a continuation to this https://github.com/MicrosoftDocs/azure-docs/issues/49563

1 answer

AmanpreetSingh-MSFT 56,306 Reputation points

2020-03-10T07:42:08.253+00:00

@WMio Connectors Try decoding your token at https://jwt.ms and check if the audience is matching with resource ID of SharePoint. If it is different, you need to update your request to include appropriate resource ID.

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.
Please sign in to rate this answer.
WMio Connectors 121 Reputation points

2020-03-10T18:01:28.67+00:00

@amanpreetsingh-msft I am unable to generate an access token, I am getting above error when I am making a call to get authorization code.

AmanpreetSingh-MSFT 56,306 Reputation points

2020-03-12T05:12:00.247+00:00

@WMio Connectors could you please share the request URL which is starting with https://login.microsoftonline.com/yourtenant.onmicrosoft.com/oauth2...?

WMio Connectors 121 Reputation points

2020-03-12T09:32:24.79+00:00

Here is my URL to get authorization code : https://login.microsoftonline.com/common/oauth2/authorize?client_id=**&response_type=code&redirect_uri=888redirect_uri**&resource=https://sagportal.sharepoint.com/&prompt=select_account&scope=List.Manage+Sites.Read.All+User.Read&state=9d439228-ebf6-4655-b0ae-4c03d193a14f

AmanpreetSingh-MSFT 56,306 Reputation points

2020-03-13T06:23:05.777+00:00

@WMio Connectors The resource must be either the client ID of the app or if you want to specify the resource parameter in form of URL, you need to Expose an API on the application and add required scopes. The Resource URL in the request must match with the Application ID URI. Please refer to the highlighted sections in the screenshot below:

Once this is done, you need to add permissions for that API under API permissions section of the application and grant admin consent.

WMio Connectors 121 Reputation points

2020-03-16T06:48:01.347+00:00

@amanpreetsingh-msft what will be the resource id if we have multiple api permissions(like graph api, custom api, sharepoint api). In that case how to provide resource id and also my application ID URI is is same as api:<client_id>. so what should we add in resource id for this

AmanpreetSingh-MSFT 56,306 Reputation points

2020-03-16T10:00:03.293+00:00

@WMio Connectors For different resources it should be a different token call. E.g. in case of Graph API, resource should be https://graph.microsoft.com/ and for custom API it should be the Application ID or App ID URI of that application which is api:<client_id> in your case and can be edited as well.
Sign in to comment