error "invalid_client" - when scope has more than just "openid"

david 1 Reputation point
2021-11-15T07:55:50.327+00:00

Receiving an error after choosing an account (first step of the consent screen). The second consent screen (where you choose to accept the app's permissions) is never shown.

The request params look like this...

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
scope=openid+Calendars.ReadWrite&
response_type=code&
redirect_uri=https://localhost:5001/connectedapps/oauth/callback&
response_mode=query&
prompt=select_account

It's successful in either of two cases:

  1. The user is signing in with a Microsoft Live account, i.e. an outlook.live.com account (all scopes can be included), OR
  2. The only scope is openid (the account can then be either a Microsoft Live account or a Microsoft Office account, i.e. outlook.office.com; it works for both)

The problem occurs when using both the openid + Calendars.ReadWrite scopes while trying to sign in as a Microsoft Office user. The error returned to the API is "invalid_client". BUT it works for a Microsoft Live account.

Microsoft Security | Microsoft Graph
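For readers comparing their own request against the one in the question: the following is an added example, not code from the question or from Microsoft, that assembles a v2.0 authorization request with the same endpoint, scopes, redirect_uri, response_mode and prompt shown above, and then parses the redirect back to the callback so that an "invalid_client"-style error response and a successful code response are handled explicitly. The client_id value is a placeholder, and the state and PKCE parameters are assumptions (the question's request does not show them) added because an authorization-code request should carry a state nonce to detect callback tampering and a PKCE challenge to bind the code to the caller. Scopes are joined with spaces, which urlencode renders as the "+" seen in the question.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint taken from the question; client_id is a placeholder, not a real app registration.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    A verifier may be supplied for deterministic testing; otherwise a random one is generated.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge, prompt="select_account"):
    """Assemble the authorization request; scopes are space-delimited in the v2.0 endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),  # urlencode emits the space as "+", as in the question's URL
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": prompt,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Interpret the redirect back to redirect_uri.

    Raises on a state mismatch (possible CSRF or a stale session) and returns a dict describing
    either the error the authorization server reported or the authorization code it issued.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch on callback; discarding response")
    if "error" in query:
        return {
            "ok": False,
            "error": query["error"][0],
            "description": query.get("error_description", [""])[0],
        }
    return {"ok": True, "code": query["code"][0]}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(
        PLACEHOLDER_CLIENT_ID,
        "https://localhost:5001/connectedapps/oauth/callback",
        ["openid", "Calendars.ReadWrite"],
        state,
        challenge,
    ))
```

The verifier/challenge pair is kept server-side alongside the state; when the callback arrives, parse_callback checks the state first, so an error such as "invalid_client" is only ever interpreted for a request this application actually issued.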
