MSAL Error message AADSTS65005 when trying to get token for accessing custom api

I downloaded the example below to get an access token from MS Graph and it worked fine. Now I changed the code to get a token from a custom web API. On apps.dev.microsoft.com I registered a client application and the API.

Client and server registration in AD

private static async Task<AuthenticationResult> GetToken()
{
    const string clientId = "185adc28-7e72-4f07-a052-651755513825";

    var clientApp = new PublicClientApplication(clientId);

    AuthenticationResult result = null;

    string[] scopes = new string[] { "api://f69953b0-2d7f-4523-a8df-01f216b55200/Test" };

    try
    {
        result = await clientApp.AcquireTokenAsync(scopes, "", UIBehavior.SelectAccount, string.Empty);
    }
    catch (Exception x)
    {
        if (x.Message == "User canceled authentication")
        {

        }
        return null;
    }
    return result;
}

When I run the code I log in to AD via the dialog and get the following exception in the debugger:

Error: Invalid client Message = "AADSTS65005: The application 'CoreWebAPIAzureADClient' asked for scope 'offline_access' that doesn't exist on the resource. Contact the app vendor.\r\nTrace ID: 56a4b5ad-8ca1-4c41-b961-c74d84911300\r\nCorrelation ID: a4350378-b802-4364-8464-c6fdf105cbf1\r...

Error message

Help appreciated, trying for days...

asked Dec 24 '22 15:12

Marc Henssen


1 Answer

For anyone still striking this problem, please read this:

https://www.andrew-best.com/posts/please-sir-can-i-have-some-auth/

You'll feel better after this guy reflects all of your frustrations, except that he works it out...

If using adal.js, for your scope you need to use

const tokenRequest = {
    scopes: ["https://management.azure.com/user_impersonation"]
};

I spent a week using

const tokenRequest = {
    scopes: ["user_impersonation"]
};

... since that is the format that the Graph API scopes took.

answered Dec 28 '22 06:12

Nick.McDermaid
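
The scope format the answer describes, as an added pre-flight check (not code from the post, MSAL.js or adal.js): on the v2 endpoint a scope with no resource URI is resolved against Microsoft Graph, so a request meant for any other API needs `<resource URI>/<scope name>`. The helper names `parseScope`, `checkScopes` and `qualifyScopes` are hypothetical.

```javascript
// Added example: helper names are hypothetical, not part of MSAL.js or adal.js.
// Reserved OpenID Connect scopes; they belong to no resource URI.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Split "<resource URI>/<scope name>" at the last slash; null for a bare name.
function parseScope(scope) {
  const idx = scope.lastIndexOf("/");
  if (idx <= 0) return null;
  const resource = scope.slice(0, idx);
  const name = scope.slice(idx + 1);
  // The resource part must be a URI with a scheme, e.g. api://... or https://...
  if (name === "" || !/^[a-z][a-z0-9+.-]*:\/\/[^\s/]+/i.test(resource)) return null;
  return { resource, name };
}

// Classify every scope in a token request before it is sent.
function checkScopes(scopes) {
  const report = { reserved: [], qualified: [], bare: [], resources: [] };
  for (const s of scopes) {
    if (OIDC_SCOPES.has(s)) { report.reserved.push(s); continue; }
    const parsed = parseScope(s);
    if (!parsed) { report.bare.push(s); continue; }
    report.qualified.push(s);
    if (!report.resources.includes(parsed.resource)) report.resources.push(parsed.resource);
  }
  // An access token targets one resource, so expect no bare names and one resource.
  report.ok = report.bare.length === 0 && report.resources.length <= 1;
  return report;
}

// Prefix bare names with the intended resource URI; other scopes pass through.
function qualifyScopes(scopes, resource) {
  const base = resource.replace(/\/+$/, "");
  return scopes.map((s) => (OIDC_SCOPES.has(s) || parseScope(s) ? s : `${base}/${s}`));
}

// Constructed sample input using the two scope strings from the answer above.
const before = checkScopes(["user_impersonation"]);
const fixed = qualifyScopes(["user_impersonation"], "https://management.azure.com/");
console.log(before.ok, fixed, checkScopes(fixed).ok);
```

A request that intentionally targets Microsoft Graph with short names such as `User.Read` will be reported under `bare`; treat that as informational in that case.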