How to specify Resource URI when acquiring access token for Azure AD V2 endpoint?

Sat Thiru · Nov 30, 2018 · Viewed 8.7k times

I have used ADAL.js in a previous project which supported only work accounts and am able to successfully acquire idtokens and then accesstokens to an API (ResourceURI: "https://myresource.com"). Works fine.

Now, I am trying to use MSAL.js for another project because there I need to support both work accounts (aad auth) and personal "Microsoft Accounts" (MSA). I am running into problems now trying to do the same thing as in my ADAL project.

The concept of "Resource" has seemingly vanished from AAD V2. So how does one specify the Resource url when acquiring an access token to the target API? So that the resulting accesstoken contains the ResourceURI in the AUD claim (which will be enforced by the API I am calling).

If I force add the Resource querystring parameter, thusly:

msalapp.acquireTokenSilent([], null, null, "resource=https%3A%2F%2Fmyresource.com")

I get the following error:

AADSTS901002: The 'resource' request parameter is not supported.

Documentation says to use SCOPE instead. But using:

msalapp.acquireTokenSilent(['https://myresource.com'])

results in:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://myresource.com openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>..

So: how do I specify the Resource URI when acquiring the access tokens when working with the v2 endpoint via MSAL.js? Sorry the (usually pretty good) MSDN articles are not useful at all in this case...

Answer

Jean-Marc Prieur · Nov 30, 2018

In Azure AD v2.0 you need to use scopes, not resources.

If you have a resource, and want to get a token for all the permissions, you can use: https://myresource.com/.default.

You can also be more fine-grained: more information is available from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal#scopes-for-a-v10-application (this is in C#, but the translation is straightforward).
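The resource-to-scope mapping from the answer above, as an added example that is not part of the original post or of MSAL.js. It runs under Node.js; the function names and the sample token are constructed for illustration, and the audience check assumes an API that accepts v1.0 tokens, where Azure AD takes everything before the last slash of the scope as the audience.

```javascript
// Added example. All function names here are hypothetical helpers.
const URI_RE = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/]+\S*$/i;
const GUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
const isResource = (r) => URI_RE.test(r) || GUID_RE.test(r);

// v2.0 scope = resource identifier + "/" + permission. The resource is used
// verbatim, so a resource that ends in "/" yields a double slash.
function scopeForResource(resource, permission = ".default") {
  if (!isResource(resource)) throw new Error(`not a URI or GUID: ${resource}`);
  if (!permission || /[\s\/]/.test(permission)) {
    throw new Error(`invalid permission: ${permission}`);
  }
  return `${resource}/${permission}`;
}

// Inverse: split at the last "/". A bare resource URI such as
// "https://myresource.com" has no permission segment and is rejected,
// which mirrors the AADSTS70011 error quoted in the question.
function splitScope(scope) {
  const i = scope.lastIndexOf("/");
  const resource = scope.slice(0, Math.max(i, 0));
  const permission = scope.slice(i + 1);
  if (i < 0 || !permission || !isResource(resource)) {
    throw new Error(`scope is not <resource>/<permission>: ${scope}`);
  }
  return { resource, permission };
}

// Read the aud claim of a compact JWT WITHOUT verifying it. For client-side
// debugging only; the API must still validate signature and audience itself.
function audienceOf(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8")).aud;
}

// True when the token's audience is the resource the scope was built from.
function tokenIsFor(jwt, scope) {
  return audienceOf(jwt) === splitScope(scope).resource;
}

// Constructed sample token (unsigned), for the demonstration only.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN =
  `${b64url({ alg: "none" })}.${b64url({ aud: "https://myresource.com" })}.`;
```

The string returned by `scopeForResource` is what goes in the scopes array of `acquireTokenSilent`, in place of the bare resource URI tried in the question.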