When I call loginPopup() and I don't have access I get (in the console window)
Refused to display 'https://login.microsoftonline.com/te/spottedmahnb2c.onmicrosoft.com/b2c_1_s…-423f-90fc-d9a30e5dc7ea-b2c_1_sign-up_or_sign-in&domain_hint=organizations' in a frame because it set 'X-Frame-Options' to 'deny'.
It turns out my real problem was:
This application does not have sufficient permissions against this web resource to perform the operation
Please see this GitHub Issue on the MSAL SPA Sample repo for additional details.
Can MSAL.js provide better error handling/reporting in this scenario?
Specifically, the error should mention verifying that your application has access to the scope value used in the request.
I'm happy to try to create a PR to address this 😄. I'm thinking that the response provided will make it difficult to do it the right way, seeing how the result is in a JS var:
var GLOBALEX = {"CorrelationId":"99ff48e6-646f-4cc0-bd37-a390093f7a03","Timestamp":"2017-07-10 17:31:40Z","Detail":"AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation."};
Thoughts?
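To illustrate the kind of handling the thread is asking for, here is an added example (not MSAL.js code, and not from the issue's author) that pulls the GLOBALEX object out of a B2C error page and maps the AADB2C code to an actionable hint; the regex, the hint table and the sample HTML are this example's own assumptions, modelled on the response quoted above.

```javascript
// Hints keyed by AADB2C error code. The two codes are the ones this thread discusses;
// the wording of the hints is an assumption of this example, not B2C's own text.
const B2C_HINTS = {
  AADB2C90205: "Verify that the client application has been granted access to the " +
               "scope *value* (not the scope name) used in the request, under API Access.",
  AADB2C90077: "No existing B2C session: a silent request (prompt=none) needs an " +
               "interactive sign-in first."
};

// Extract the inline `var GLOBALEX = {...};` object from an HTML response body.
// Returns null when the page carries no such object or it is not valid JSON.
// (Lazy match is enough because B2C's Detail string contains no braces.)
function parseGlobalEx(html) {
  const m = /var\s+GLOBALEX\s*=\s*(\{[\s\S]*?\})\s*;/.exec(html);
  if (!m) return null;
  try { return JSON.parse(m[1]); } catch (e) { return null; }
}

// Turn the page into a structured error: code, service message, correlation id
// (useful when asking support), and a hint for the developer.
function describeB2CError(html) {
  const g = parseGlobalEx(html);
  if (!g || typeof g.Detail !== "string") return null;
  const m = /^(AADB2C\d+):\s*(.*)$/.exec(g.Detail);
  const code = m ? m[1] : null;
  return {
    code,
    message: m ? m[2] : g.Detail,
    correlationId: g.CorrelationId,
    hint: (code && B2C_HINTS[code]) ||
          "Unrecognised B2C error; quote the CorrelationId when reporting it."
  };
}

// Constructed sample response body, modelled on the GLOBALEX object quoted in the issue.
const SAMPLE_HTML = `<html><body><script>
var GLOBALEX = {"CorrelationId":"99ff48e6-646f-4cc0-bd37-a390093f7a03","Timestamp":"2017-07-10 17:31:40Z","Detail":"AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation."};
</script></body></html>`;

console.log(describeB2CError(SAMPLE_HTML));
```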
Thank you for the offer, but it might be better to hold off for a bit. I was searching the MSAL source code for error handling that's specific to AADB2C error codes and I couldn't find any existing precedent. It might make more sense to return a better error message from the Azure AD B2C service. We are checking to see if the upstream call to Graph gives us any granular information (did the call fail because the scope does not exist, or because this application does not have access to the scope)? If the upstream API gives us this information, then potentially we could pass it along.
We are also exploring how to make the UI in the Admin portal more intuitive. Perhaps we should rename "scope name" and "scope value", perhaps we should reorder them and put scope value first. Any feedback? :)
Copy that; that's kinda what I figured after seeing the http response.
I'm personally ok with the order. What about a tool-tip on each?
Name: for reference only
Value: the value to be used in authorization calls
@SaeedAkhter-MSFT : if you take this on the service side, closing this issue for now.
Hey @SaeedAkhter-MSFT - any updates? Were you able to change the service side?
Hi Guys,
I've just commented on https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/214 ("Could not silently retrieve token from storage. AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'.") with a query, where I am getting the same error as per this issue #94. An Angular 5 SPA connecting to B2C, MSAL, to an Azure Function, and I'm totally confused.
The B2C application for the Azure Function is defined as an app in B2C:
API Access
Scopes(preview):
The SPA app has an application configured as follows:
Properties: APP ID URI: https://{b2ctenantname}.onmicrosoft.com/spaapp-msal
API Access:
Scopes: - this is where I'm confused
The ng client then has the properties:
export const environment = {
  production: false,
  tenant: "{tenant}.onmicrosoft.com",
  clientID: 'myguid',
  signUpSignInPolicy: "B2C_1_SignUpSignIn-01",
  b2cScopes: ["https://{tenant}.onmicrosoft.com/4eb556c1-ded4-42bb-9cd2-f00c866f25f9/app.read", "openid"],
  webApi: 'https://{tenant}.azurewebsites.net/api/HttpTriggerCSharp1?code=code'
};
I've tried using the scope with the GUID highlighted above (which is what the scope blade is showing for the SPA) and tried the scope "https://{tenant}.onmicrosoft.com/spaapp-msal/app.read", similar to all documentation online (which also still references screenshots with reply URLs of http://localhost, which you cannot do anymore, as every reply URL must be https: on that blade now).
I've looked at https://github.com/Gimly/NetCoreAngularAzureB2CMsal and the MSAL sample apps and I cannot figure out why I get "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation".
Postman wired up to the B2C prompts and fires the function fine.
Appreciate any help
thanks
Hi @buildtestship - I would personally open a Stack Overflow post w/ the azure-ad-b2c tag w/ your above issue.