Azure-docs: I get an error when trying to authorize from the api managment developer portal.

Created on 17 Aug 2019 · 11Comments · Source: MicrosoftDocs/azure-docs

When executing this step - "Select Authorization code from the authorization drop-down list, and you are prompted to sign in to the Azure AD tenant. If you are already signed in with the account, you might not be prompted."

I get an error
An error has occurred while authorizing access via Testing oauth 2: invalid_client AADSTS650053: The application 'consumer' asked for scope 'user_impersonation' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: a5842728-283e-4d9f-a1e9-c414f76c0000 Correlation ID: ff97c808-1ace-4b68-a05d-d56df10ca933 Timestamp: 2019-08-16 23:50:34Z`

I don't know why it is trying to get the scopes for resource on "00000003-0000-0000-c000-000000000000". This resource does not exist in either of my manifests. This was present for micrsofot graph but I have since deleted that entry.

I can confirm that the consumer app has permission "user_impersonation" and that the "server app" has the scope that is being asked for.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 823eb96f-e5f1-0832-b175-0b31009be92f
Version Independent ID: 330085ae-dcf6-e930-86a8-0e4a60ab1314
Content: Protect an API by using OAuth 2.0 with Azure Active Directory and API Management
Content Source: articles/api-management/api-management-howto-protect-backend-with-aad.md
Service: api-management
GitHub Login: @miaojiang
Microsoft Alias: apimpm

Pri1 api-managemensvc cxp doc-bug triaged

Source

flyingUnderTheRadar

Most helpful comment

@flyingUnderTheRadar I believe the problem here is that the full scope has to be provided which includes the client id as well. You can get it from the API Permission blade like below

PramodValavala-MSFT on 21 Aug 2019

👍3

All 11 comments

@flyingUnderTheRadar
Thanks for the question! We are investigating and will update you shortly.

jakaruna-MSFT on 17 Aug 2019

@flyingUnderTheRadar I believe the problem here is that the full scope has to be provided which includes the client id as well. You can get it from the API Permission blade like below

PramodValavala-MSFT on 21 Aug 2019

👍3

@flyingUnderTheRadar Just following up here... I hope my previous comment clears things up

PramodValavala-MSFT on 22 Aug 2019

@flyingUnderTheRadar Since we have not heard back from you we will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

PramodValavala-MSFT on 23 Aug 2019

Yep I figured that out soon after I filed the issue. For some reason I never got notifications for the comments from you.
Thanks a lot for following up !

flyingUnderTheRadar on 23 Aug 2019

Can you please let me know how you fixed this. Same issue here. Thanks.

rslavey on 6 Sep 2019

@flyingUnderTheRadar I have the same problem. Where in the screenshot is the full scope (as you mention)? What would the client id be in your screenshot? And where should this full scope be provided in the Developer Portal? Or is it to be configured somewhere in application in the App registrations page?

toralux on 1 Nov 2019

See here.... https://www.andrew-best.com/posts/please-sir-can-i-have-some-auth/. I only got this working when I used scope "https://management.azure.com/user_impersonation" when getting a token. I had been using scope "user_impersonation" and was getting this error message. This is terribly documented.

ElectricLlama on 29 Feb 2020

@flyingUnderTheRadar I believe the problem here is that the full scope has to be provided which includes the client id as well. You can get it from the API Permission blade like below

Legend. I was having ""error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID...." and this fixed it.

Many thanks.

xazos79 on 14 Jul 2020

Can you confirm incremental/dynamic admin consent only works for delegated permissions? I am trying to get an application permission granted (yes by an admin) and it does not work:

There error URL fragment is:

?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27TestIncrementalConsent%27+asked+for+scope+%27CallRecords.Read.All%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.

delepster on 1 Sep 2020

please-sir-can-i-have-some-auth saved the day. Too bad you can only request the https://management.azure.com/user_impersonation scope since no other scopes work with it at the same time.