MsalServiceException when retrieving tokens

Question

I am trying to retrieve an OAuth token using the azure-identity library (1.5.4) Below is the code:

final ClientSecretCredential credential = new ClientSecretCredentialBuilder().clientSecret(clientSecret).clientId(appClientId).tenantId(tenantId).build();
final TokenRequestContext tokenRequestContext = new TokenRequestContext();
tokenRequestContext.addScopes("uuid-app-1/.default", "uuid-app-2/.default");
System.out.println(credential.getToken(tokenRequestContext).block().getToken());

I get the following error:

Caused by: com.microsoft.aad.msal4j.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid profile offline_access uuid-app-1/.default uuid-app-2/.default is not valid.

Is it not possible to retrieve the token for multiple scopes? If so, why is specifying multiple scopes part of the library? Note that I am able to retrieve the token for individual scopes.

Answer 1

Hi @Groza, VI (Vlad) ,

Thanks for reaching out.

The Microsoft identity platform does not allow you to get a token for several resources at once. When using the MSAL, the scopes parameter in the acquire token method should only contain scopes for a single resource.

You can specify multiple resources of a single application like graph.micrsoft.com/User.Read and graph.micrsoft.com/Directory.Read

Although you can use .WithExtraScopeToConsent method in application which will allow you to silently get the token for another API after calling first webAPI.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources

Hope this will help.

Thanks,

Shweta

---

Please remember to "Accept Answer" if answer helped you.