Azure OAuth Login - Was working, now getting AADSTS700022 / AADSTS700023 Errors

We've had Office 365 login for our website working for a couple of months and all of a sudden, it's broken.

As of this morning (UK time) we started getting "AADSTS700023: The provided value for the input parameter scope cannot be empty when requesting an access token using the provided authorization code. Please specify a valid scope." errors when we request a token via https://login.microsoftonline.com/common/oauth2/v2.0/token

Looking at the docs it appears that scope is required and it wasn't being passed, so regardless of the fact it's worked for months, I added it. Now I get a different error.

AADSTS700022: The provided value for the input parameter scope is not valid because it contains more than one resource. The scope https://outlook.office.com/mail.send mail.readwrite calendars.readwrite tasks.readwrite contacts.readwrite openid profile offline_access is not valid.

When we call into the authorise endpoint first of all, this is the scope that gets passed and it comes back fine from that call, however when we try and get the token it fails.

Is there a general login issue with 365 at the moment, or is there something that I'm doing wrong and Microsoft have decided to 'fix' their end?

Steve Childs asked Oct 19 '17 08:10

2 Answers

AADSTS700023: The provided value for the input parameter scope cannot be empty when requesting an access token using the provided authorization code. Please specify a valid scope.

When acquiring a token to access a resource in Azure AD v2.0, you need to specify the scope parameter, which indicates which resource and permissions the app is requesting authorization for. Please refer to how the OAuth 2.0 Authorization Code Flow works in Azure AD v2.0.

AADSTS700022: The provided value for the input parameter scope is not valid because it contains more than one resource. The scope https://outlook.office.com/mail.send mail.readwrite calendars.readwrite tasks.readwrite contacts.readwrite openid profile offline_access is not valid.

An access token issued by Azure AD is only valid for one resource; you can't use the same token to access multiple resources. That means you should specify one resource's scopes in your token request. Looking into your scopes:

  • https://outlook.office.com/mail.send is the scope of the Office 365 Unified Mail API
  • mail.readwrite calendars.readwrite tasks.readwrite contacts.readwrite are the scopes of the Microsoft Graph API.

You can't acquire an access token to access two resources. You can request the Mail.Send scope to send mail using the Microsoft Graph API instead of using the scope of the O365 Mail REST API.

Nan Yu answered Oct 01 '22 01:10

The answer to this is, as Nan Yu alluded to, that for some reason the call had been working for the past couple of months, but you now can't get a token to cover multiple resources (i.e. the Graph and Outlook APIs). The solution is to request authentication for a combined scope of both APIs and, once you've got that, request separate tokens for the Graph and Outlook APIs.

We've done that and are storing the tokens separately, and then when an API call is made, detecting which API is being used and passing the appropriate token with the API call.

Steve Childs answered Oct 01 '22 01:10
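The approach described in the accepted answer and in Steve's follow-up, as an added Python example that is not code from either poster: split the combined consent scope into one group per resource, send one token request per resource (so a request never trips the AADSTS700022 "more than one resource" check), store each access token keyed by resource, and pick the token by the host of the outgoing API call. It assumes that bare scope names (mail.readwrite etc.) belong to Microsoft Graph, which is the v2.0 endpoint's default resource, that fully-qualified scopes name their resource by URL, and that the second resource's token is obtained by redeeming the refresh token from the first exchange against that resource's scopes (offline_access must have been consented). The HTTP call is injected as a `post(url, form) -> dict` callable, so nothing here touches the network; all names below are this example's own, not Microsoft's.

```python
from urllib.parse import urlparse

TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
GRAPH_RESOURCE = "https://graph.microsoft.com"  # assumed default for bare scopes
OIDC_SCOPES = {"openid", "profile", "offline_access"}  # not resource scopes

# The combined scope string from the question, as sent to the authorize endpoint.
COMBINED_SCOPE = (
    "https://outlook.office.com/mail.send mail.readwrite calendars.readwrite "
    "tasks.readwrite contacts.readwrite openid profile offline_access"
)


def split_scopes_by_resource(scope):
    """Group a space-separated scope string by resource: {resource_url: [scopes]}.

    Fully-qualified scopes (https://host/perm) are keyed by scheme+host; bare
    names default to Microsoft Graph (assumption). OIDC scopes are dropped here
    and re-added by the request builders where they are needed.
    """
    groups = {}
    for s in scope.split():
        if s in OIDC_SCOPES:
            continue
        parsed = urlparse(s)
        if parsed.scheme and parsed.netloc:
            resource = f"{parsed.scheme}://{parsed.netloc}"
        else:
            resource = GRAPH_RESOURCE
        groups.setdefault(resource, []).append(s)
    return groups


def has_single_resource(scope):
    """The local version of the AADSTS700022 check: at most one resource."""
    return len(split_scopes_by_resource(scope)) <= 1


def build_code_request(code, scopes, client_id, client_secret, redirect_uri):
    """Form body for the first exchange: authorization code -> token for ONE resource.

    offline_access is added so the response carries a refresh token, which the
    remaining resources are then redeemed with.
    """
    scope = " ".join(scopes + ["offline_access"])
    if not has_single_resource(scope):
        raise ValueError(f"scope spans more than one resource: {scope}")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }


def build_refresh_request(refresh_token, scopes, client_id, client_secret):
    """Form body that redeems the refresh token for a different single resource."""
    scope = " ".join(scopes)
    if not has_single_resource(scope):
        raise ValueError(f"scope spans more than one resource: {scope}")
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def acquire_tokens_per_resource(post, code, combined_scope, client_id,
                                client_secret, redirect_uri):
    """Return {resource_url: access_token}, one token POST per resource.

    `post(url, form)` performs the HTTP POST and returns the parsed JSON body;
    with requests it would be: lambda u, f: requests.post(u, data=f, timeout=10).json()
    """
    tokens = {}
    refresh_token = None
    for resource, scopes in split_scopes_by_resource(combined_scope).items():
        if refresh_token is None:
            body = build_code_request(code, scopes, client_id, client_secret, redirect_uri)
        else:
            body = build_refresh_request(refresh_token, scopes, client_id, client_secret)
        resp = post(TOKEN_ENDPOINT, body)
        tokens[resource] = resp["access_token"]
        refresh_token = resp.get("refresh_token", refresh_token)
    return tokens


def token_for_call(tokens, url):
    """Pick the stored token whose resource matches the host of the API call."""
    p = urlparse(url)
    resource = f"{p.scheme}://{p.netloc}"
    if resource not in tokens:
        raise LookupError(f"no token stored for resource {resource}")
    return tokens[resource]


if __name__ == "__main__":
    for resource, scopes in split_scopes_by_resource(COMBINED_SCOPE).items():
        print(resource, "->", " ".join(scopes))
```

Running the module prints the two resource groups the combined scope resolves to; in an application the `post` callable is the only piece that needs a real HTTP client, and `token_for_call` is what the request layer calls before attaching the `Authorization: Bearer` header.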