[BUG] GetToken fails when providing multiple scopes
This code uses two scopes:
new DefaultAzureCredential().GetToken(new TokenRequestContext(new string[]{"https://management.azure.com/.default", "https://storage.azure.com/.default"}));
Throws this exception for EnvironmentCredential
Content:
{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.azure.com/.default https://storage.azure.com/.default is not valid.\r\nTrace ID: 81053cae-3879-4358-a9de-95bf1e230800\r\nCorrelation ID: c6855d6c-d11b-40da-ab7f-826f95a51dda\r\nTimestamp: 2019-12-11 02:19:59Z","error_codes":[70011],"timestamp":"2019-12-11 02:19:59Z","trace_id":"81053cae-3879-4358-a9de-95bf1e230800","correlation_id":"c6855d6c-d11b-40da-ab7f-826f95a51dda"}
Throws this exception for Managed Identity enabled VM
---> (Inner Exception #1) Azure.Identity.AuthenticationFailedException: The authentication request failed due to an unhandled exception. See inner exception for details.
---> System.ArgumentException: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
at Azure.Identity.ScopeUtilities.ScopesToResource(String[] scopes)
at Azure.Identity.ManagedIdentityClient.CreateImdsAuthRequest(String[] scopes, String clientId)
This exception for SharedTokenCacheCredential:
---> (Inner Exception #1) Azure.Identity.AuthenticationFailedException: The authentication request failed due to an unhandled exception. See inner exception for details.
---> Microsoft.Identity.Client.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://management.azure.com/.default https://storage.azure.com/.default offline_access openid profile is not valid. .default scope can't be combined with resource-specific scopes.
They work individually:
Azure.Identity.ClientSecretCredential.GetToken succeeded. Scopes: [ https://storage.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:30.6755818+00:00
Azure.Identity.EnvironmentCredential.GetToken succeeded. Scopes: [ https://storage.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:30.6755818+00:00
Azure.Identity.DefaultAzureCredential.GetToken succeeded. Scopes: [ https://storage.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:30.6755818+00:00
Azure.Identity.ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:44.3453129+00:00
Azure.Identity.EnvironmentCredential.GetToken succeeded. Scopes: [ https://management.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:44.3453129+00:00
Azure.Identity.DefaultAzureCredential.GetToken succeeded. Scopes: [ https://management.azure.com/.default ] ParentRequestId: ExpiresOn: 2019-12-11T03:21:44.3453129+00:00
Issue Analytics
- State:
- Created 4 years ago
- Reactions:4
- Comments:10 (5 by maintainers)
Just been hit by this bug myself - Why even define the scopes parameter as a list of strings if it only supports one?
After I removed the .default scope and specified them explicitly, I got the following error:
Message: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope https://vault.azure.net/user_impersonation api://00000000-0000-0000-0000-000000000000/Candidates openid profile is not valid.
which leads me to the conclusion that you cannot request multiple scopes for multiple resources.
If I try the following
["api://00000000-0000-0000-0000-000000000000/Profiles", "api://00000000-0000-0000-0000-000000000000/Candidates"]
it works no problem.
So yeah, one token per resource, multiple scopes on that resource seems to be the takeaway.
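The takeaway from the thread, as an added example (not code from the issue, its commenters or the Azure SDK): group the requested scopes by resource, reject the `.default` mix that AADSTS70011 reports, and request one token per resource. `PerResourceTokens`, `GroupByResource` and `GetTokens` are hypothetical names, and deriving the resource as the text before the last `/` of a scope is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Core;

static class PerResourceTokens
{
    // Assumption: a scope has the form "<resource>/<permission>", so the
    // resource is everything before the last '/'.
    public static Dictionary<string, string[]> GroupByResource(IEnumerable<string> scopes)
    {
        var groups = scopes
            .Where(s => s.Contains("/"))   // skip openid, profile, offline_access
            .GroupBy(s => s.Substring(0, s.LastIndexOf('/')))
            .ToDictionary(g => g.Key, g => g.Distinct().ToArray());

        foreach (var kv in groups)
        {
            // AADSTS70011 above: .default cannot be mixed with named scopes.
            if (kv.Value.Length > 1 && kv.Value.Any(s => s.EndsWith("/.default")))
                throw new ArgumentException($"{kv.Key}: .default mixed with named scopes");
        }
        return groups;
    }

    // One GetToken call per resource. Per the stack trace above, the managed
    // identity path (ScopesToResource) accepts exactly one scope per call.
    public static Dictionary<string, AccessToken> GetTokens(
        TokenCredential credential, IEnumerable<string> scopes)
    {
        return GroupByResource(scopes).ToDictionary(
            kv => kv.Key,
            kv => credential.GetToken(new TokenRequestContext(kv.Value), default));
    }

    static void Main()
    {
        // Constructed input: the two scopes from the issue, which fail together.
        var scopes = new[]
        {
            "https://management.azure.com/.default",
            "https://storage.azure.com/.default",
        };
        foreach (var kv in GroupByResource(scopes))
            Console.WriteLine($"{kv.Key} -> [{string.Join(", ", kv.Value)}]");
        // With a configured credential:
        //   var tokens = GetTokens(new Azure.Identity.DefaultAzureCredential(), scopes);
    }
}
```

Holding a separate token per resource also means each token's audience is limited to the one service it is sent to.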