MSAL Python Service account Token genration error

Question

MSAL Python Service account Token genration error

Azad Patel 1

Hi Team,

Currently we are using Application Registration details to generate the application token and use the same application token to access Elastic API.
Ref : https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Now we are working on Generating token using Service account. Service account will be added to the AzureAD group and AzureAD group will be added to the Application Registration.
We have configured the Application Registration with service account and AzureAD groups. We are getting error while generating the token :

Description: AADSTS90009: Application 'b81f5f82-aa4e-7e7cf93acddd'(b81f5f82-aa4e-7e7cf93acddd) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
Trace ID: 4f9785cd-1f4d-4a16-8131-a5b2f1f6a600
Correlation ID: d6ea6328-bc71-4fa1-8c8a-473ae55ce0c1

To generate the token using Service account we are using MSAL library with python, we are following below link for reference
Ref : https://learn.microsoft.com/en-us/python/api/overview/azure/msal-python-overview?view=azure-python
Ref : https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication

Could you please help me resolving this error ?

1 answer

Your answer

Answer 1

Shweta Mathur 30,431 Microsoft Employee Moderator

Hi @Azad Patel ,

Thanks for reaching out.

From your query I understand you are getting error when requesting the token for Web API.

This error is due to scope has not been set correctly in the request while acquiring the token.

Can you share the request and endpoint you are using to get the access token?

If you are using v2 endpoint then it is mandatory to send the scope parameter with app ID URI (api://<application-client-id>) specify the permission, you are requesting for Web API.

Reference : Expose a web API

Thanks,
Shweta

------------------------------------------------

Please remember to "Accept Answer" if answer helped you.

Azad Patel 1 Reputation point

2022-03-09T12:22:26.32+00:00

Hi Shweta,

Thanks for your response!

Please find below Application registration object , i have retrieved using the Graph API :

181445-application-reg-object.txt

Please find below Python code snippet , I have attached the code

181492-get-tokens-for-service-accountpy.txt

Please find below screenshot of the error received after calling the python library

Please find below image show the way we are able to generate Application token by using scope URL

Note : AzureAD is being managed by the administrator, I don't have control over it. If you could let me know with the exact question, I will create the ticket for the Administrator to provide the details or implement the same.
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-03-10T10:42:43.883+00:00

Thanks for the update. In the data you shared I am able to see scope 'https://use2searchpoccanvas.sbp.eyclienthub.com/.default' has already been set up.

However as the error defined 'This scenario is supported only if resource is specified using the GUID based App Identifier', you need to provide the guid id of app ID URI rather than URL as xxxxxxxx-xxxx-xxxxxxxxxxxx./default in the scope.
Azad Patel 1 Reputation point

2022-03-11T09:22:59.823+00:00

Hi Shweta,

Thanks for you response!

I have reached one step closure. Based on your suggestion i have passed APPID in scope instead of URL, i am able to get the access token now.

In the next step i am getting error while try to access the application using this access token. Please let me know if you have any pointers on this
182222-error-resp.txt!
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-03-11T13:23:06.567+00:00

The error you are getting is because of invalid access token to call the Web API. You can decode the access token using jwt.ms to check the audience.

Access tokens are created based on the audience of the token, meaning the application that owns the scopes in the token.

You need to provide appropriate scope and audience to call the API. In the scope you need to provide client-id or application ID URI of your web API.

Refer : https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration#case-where-you-used-a-custom-app-id-uri-for-your-web-api
Azad Patel 1 Reputation point

2022-03-11T15:30:14.113+00:00

I validated the token in JWT.io and it looks valid to me, i also cross checked the aud with the appId/clientid and it matches.

Please find the token decoded version :
182334-jwt-io.txt
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-03-14T16:32:36.123+00:00

Hi @Azad Patel ,

Are you able to resolve the issue?

As you are using custom domain, Did you try to add audience parameter in the application configuration file as:
"Audience": "Application ID URI"
Azad Patel 1 Reputation point

2022-03-15T15:42:32.687+00:00

Hi Shweta,

I am still facing the same issue. Is it possible if I can setup a call with you to explain and share more details on this issue.

Thanks,
Azad
Azad Patel 1 Reputation point

2022-03-15T17:07:19.397+00:00

Hi Shweta,

Let me know about you available time slot, i will share the call details.

Thanks,
Azad
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-03-16T04:09:39.467+00:00

Hi Azad,
I have again gone through all the files you shared and found the scope you are passing is not correct.
In the scope, the value you are passing is the client-id of application(server1). Here the value in scope should be the client-id or application ID URI of your web API (server2) .
For that, you need to register the Web API in application portal as you registered another web application and expose the API by adding scopes.
As you are calling from service account without any user interaction, then need to create app role in the web API application to allow application(server1)

And need to expose an API by setting Application ID URI

And need to add those scope or permissions in another application(server1)

For application type permissions where there is no user interaction, need to grant admin consent to access the application.
Now to get the access token with required permission, the scope needs to pass with application ID URI value mentioned in image 2.
Now application(server1) has permission to access web API (server2) with valid audience in access token.

Hope this will help to give clear understanding. If you still have doubts, please let me know. We will setup call to discuss further.

Thanks,
Shweta
Azad Patel 1 Reputation point

2022-03-16T15:38:17.21+00:00

Hi Shweta,

Thanks for the detailed explanation.

We would like to understand you views towards our approach for that reason i am sharing the meeting details below :

Meeting Date : 18th Mar, 5PM IST
Teams Link : Meeting Link

Please let me know if you have any other date and time in mind, i will change the meeting accordingly.
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-03-17T06:58:28.5+00:00

Hi Azad,

Sure, we can setup a call to discuss further on this. I won't be available on 18th March. Could you please send me the email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:shweta" and we will discuss the timings there.

Thanks,
Shweta
Azad Patel 1 Reputation point

2022-03-18T10:26:46.48+00:00

Hi Shweta,

I hope you would have received the email. I have sent the email based on the details you provided.

Thanks,
Azad

Share via

MSAL Python Service account Token genration error

1 answer

Your answer