Blazor WebAssembly MSAL does not work with scopes on multiple resources #33241

Closed
JohanArleth opened this issue Jun 3, 2021 · 11 comments
Labels: area-blazor (Includes: Blazor, Razor Components), bug (This issue describes a behavior which is not expected - a bug.), feature-blazor-wasm (This issue is related to and / or impacts Blazor WebAssembly), feature-blazor-wasm-auth
Comments

JohanArleth commented Jun 3, 2021

Describe the bug

Using the Blazor WebAssembly MSAL library it's possible to get tokens for scopes on one resource, but as soon as you attempt to get additional scopes on another resource, you run into issues with multiple resources: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource.

This error itself is of course correct, but the library should not be trying to get a token for both the default scope and the new scopes.

MSAL.NET covers this scenario: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources

Related Stack Overflow questions:
https://stackoverflow.com/questions/60754751/blazor-webassembly-standalone-access-multiple-aad-protected-apis
https://stackoverflow.com/questions/67788030/how-to-handle-tokens-for-multiple-resources-in-blazor-webassembly-msal

To Reproduce

Example repo:
https://github.com/JohanArleth/MsalMultipleDomains
To get it running, fill out the appsettings with a client id, a tenant id and a scope that is not from Graph.

Run the example and you should automatically be asked to login. So far so good.

There is then a button "Get graph scopes" which will do the following:

```csharp
// Button handler from the example repo. Declared as async Task rather than
// async void so Blazor can observe completion and exceptions of the call.
async Task GetGraphScopes()
{
    Console.WriteLine("GetGraphScopes");
    string[] scopes = new[] { "https://graph.microsoft.com/Mail.ReadWrite", "https://graph.microsoft.com/Mail.Send" };

    // Ask the MSAL token provider for a token carrying only the Graph scopes.
    var result = await AccessTokenProviderAccessor.TokenProvider.RequestAccessToken(
        new AccessTokenRequestOptions()
        {
            Scopes = scopes
        });

    if (!result.TryGetToken(out var token))
    {
        // No silently obtainable token: the user must consent, so follow the redirect.
        // Can this be done in a popup?
        Navigation.NavigateTo(result.RedirectUrl);
    }
}
```

Once you have consented to these new scopes, and hit the callback to the application, you will get the multiple resources error and land on the page for problem with login.

This is only an issue when you have to provide consent, so subsequent attempts will work, until you revoke your consent and clear site data.

This can be avoided by not setting any default scopes, but this then means that you will have to trigger extra consent dialogs.

Exceptions (if any)

```json
{
	"error":"invalid_request",
	"error_description":"AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://xxxxxxx/API.Access https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send openid profile is not valid.\r\nTrace ID: d23e9119-26d2-41e9-b5cc-6a35ff867901\r\nCorrelation ID: 0a213a7d-e811-46da-a01c-90e2279f3501\r\nTimestamp: 2021-06-03 07:57:04Z",
	"error_codes":[28000],
	"timestamp":"2021-06-03 07:57:04Z",
	"trace_id":"d23e9119-26d2-41e9-b5cc-6a35ff867901",
	"correlation_id":"0a213a7d-e811-46da-a01c-90e2279f3501"
}
```

Further technical details

  • net5.0
  • Output of dotnet --info:

```text
.NET SDK (reflecting any global.json):
 Version: 5.0.300
 Commit: 2e0c8c940e

Runtime Environment:
 OS Name: Windows
 OS Version: 10.0.19042
 OS Platform: Windows
 RID: win10-x64
 Base Path: C:\Program Files\dotnet\sdk\5.0.300\

Host (useful for support):
 Version: 5.0.6
 Commit: 478b2f8c0e

.NET SDKs installed:
 5.0.300 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
 Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.AspNetCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.NETCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
 Microsoft.WindowsDesktop.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
 Microsoft.WindowsDesktop.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
```

  • Visual Studio 2019 16.10.0
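The report's point is that a single token request (and, with default scopes configured, a single redirect) must never name two resources. The following is an added example, not code from JohanArleth's example repo or from the Blazor MSAL library: it groups the requested scopes by resource and calls RequestAccessToken once per resource. It assumes DefaultAccessTokenScopes is left empty (the workaround the report mentions), and the ScopeGrouping and GraphScopesComponent names are made up for illustration.

```csharp
// Added example, not from the issue's example repo: request tokens one resource at a time.
// Assumes a Blazor WebAssembly app whose MSAL DefaultAccessTokenScopes is empty,
// so an interactive redirect only ever carries scopes for a single resource.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

public static class ScopeGrouping
{
    // Azure AD reads the text before the last '/' of a scope as the resource:
    //   "https://graph.microsoft.com/Mail.Send" -> "https://graph.microsoft.com"
    //   "api://xxxxxxx/API.Access"               -> "api://xxxxxxx"
    // Plain OIDC scopes (openid, profile) carry no resource and are keyed by "".
    public static Dictionary<string, List<string>> GroupByResource(IEnumerable<string> scopes)
    {
        var groups = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (var scope in scopes)
        {
            var slash = scope.LastIndexOf('/');
            var resource = slash > 0 ? scope.Substring(0, slash) : string.Empty;
            if (!groups.TryGetValue(resource, out var list))
            {
                groups[resource] = list = new List<string>();
            }
            list.Add(scope);
        }
        return groups;
    }
}

// Hypothetical component; name and layout are not from the report.
public class GraphScopesComponent : ComponentBase
{
    [Inject] protected IAccessTokenProvider TokenProvider { get; set; } = default!;
    [Inject] protected NavigationManager Navigation { get; set; } = default!;

    // Requests each resource's scopes separately so that no single request mixes
    // resources. Returns the first result that needs user interaction (consent),
    // or null when every resource yielded a token.
    protected async Task<AccessTokenResult?> RequestTokensPerResource(IEnumerable<string> scopes)
    {
        foreach (var (resource, group) in ScopeGrouping.GroupByResource(scopes))
        {
            if (resource.Length == 0)
            {
                continue; // openid/profile are added by MSAL itself
            }

            var result = await TokenProvider.RequestAccessToken(
                new AccessTokenRequestOptions { Scopes = group.ToArray() });

            if (!result.TryGetToken(out _))
            {
                return result; // caller must follow RedirectUrl for consent
            }
        }
        return null;
    }

    // The report's button handler, rewritten over the helper above.
    protected async Task GetGraphScopes()
    {
        var pending = await RequestTokensPerResource(new[]
        {
            "https://graph.microsoft.com/Mail.ReadWrite",
            "https://graph.microsoft.com/Mail.Send",
        });

        if (pending is not null)
        {
            Navigation.NavigateTo(pending.RedirectUrl);
        }
    }
}
```

Because each redirect is for one resource, a user who has not yet consented to two resources will see two consent prompts rather than one failed callback; tenant admin consent removes the prompts entirely.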
javiercn commented Jun 3, 2021

@JohanArleth thanks for contacting us.

Check out the docs for how to do this here

@javiercn javiercn added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly feature-blazor-wasm-auth ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question labels Jun 3, 2021
@ghost ghost added the Status: Resolved label Jun 3, 2021
JohanArleth (Author) commented Jun 3, 2021

> @JohanArleth thanks for contacting us.
>
> Check out the docs for how to do this here

Those are the docs I've been following.
Can you point out what I'm doing differently than those docs mention?

@javiercn javiercn removed ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question labels Jun 3, 2021
javiercn commented Jun 3, 2021

@JohanArleth no problem, thanks for the details.

Is this AAD or AAD B2C? Seems like AAD?

@javiercn javiercn added this to the Next sprint planning milestone Jun 3, 2021
ghost commented Jun 3, 2021

Thanks for contacting us.

We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it is a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

JohanArleth (Author) commented Jun 3, 2021

> @JohanArleth no problem, thanks for the details.
>
> Is this AAD or AAD B2C? Seems like AAD?

It is AAD

@mkArtakMSFT mkArtakMSFT added bug This issue describes a behavior which is not expected - a bug. and removed investigate labels Jul 20, 2021
@javiercn javiercn self-assigned this Aug 26, 2021
@ghost ghost added the Working label Aug 30, 2021
@javiercn javiercn modified the milestones: 6.0-rc2, 6.0.0 Sep 15, 2021
@javiercn javiercn modified the milestones: 6.0.0, Backlog Oct 19, 2021
ghost commented Oct 19, 2021

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@javiercn javiercn removed the Working label Oct 19, 2021
@tomreich

Just like to bump this -- really need this fixed for Blazor Wasm to be viable in our corp environment.

@JohanArleth (Author)

@tomreich If you grant admin consent on the scopes you need, you can remove default scopes from the code, and there will be no consent popups when requesting the scopes after login.

If you are inside your corp environment there is probably not any need for the users to manually consent each scope.

That said it would be really nice if this could get some attention
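The workaround described above (no default scopes, admin-granted consent, scopes requested after login) and the named-client approach mentioned later in the thread can be wired up as below. This is an added example, not code from the issue's repo or from the Blazor documentation: one HttpClient per resource, each with its own AuthorizationMessageHandler that names only that resource's scopes. The API base address api.example.com, the placeholder <your-api-client-id> and the MailLoader helper are assumptions.

```csharp
// Added example, not from the issue's repo: Program.cs for a Blazor WebAssembly app
// that calls two resources (a custom API and Microsoft Graph) through one named
// HttpClient per resource. Placeholders: api.example.com, <your-api-client-id>.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebAssemblyHostBuilder.CreateDefault(args);

builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
    // Deliberately no DefaultAccessTokenScopes: the login redirect then carries only
    // openid/profile, and every access-token request below names exactly one resource.
});

const string ApiScope = "api://<your-api-client-id>/API.Access"; // placeholder value

// Client for the custom API: the handler attaches a token for the api:// resource only.
builder.Services.AddHttpClient("MyApi", client => client.BaseAddress = new Uri("https://api.example.com/"))
    .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
        .ConfigureHandler(
            authorizedUrls: new[] { "https://api.example.com" },
            scopes: new[] { ApiScope }));

// Client for Microsoft Graph: its handler only ever requests Graph scopes.
builder.Services.AddHttpClient("Graph", client => client.BaseAddress = new Uri("https://graph.microsoft.com/v1.0/"))
    .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
        .ConfigureHandler(
            authorizedUrls: new[] { "https://graph.microsoft.com" },
            scopes: new[]
            {
                "https://graph.microsoft.com/Mail.ReadWrite",
                "https://graph.microsoft.com/Mail.Send",
            }));

await builder.Build().RunAsync();

// Hypothetical consumer-side helper. If the tenant admin has granted consent for the
// resource, the handler attaches a token silently; otherwise it throws and Redirect()
// starts the interactive flow for that single resource only.
public static class MailLoader
{
    public static async Task<string?> LoadFirstMessageAsync(IHttpClientFactory factory)
    {
        try
        {
            var graph = factory.CreateClient("Graph");
            return await graph.GetStringAsync("me/messages?$top=1");
        }
        catch (AccessTokenNotAvailableException ex)
        {
            ex.Redirect();
            return null;
        }
    }
}
```

Keeping the scopes on the handler rather than in page code also means a request to the custom API can never accidentally pick up Graph scopes: the handler only adds a token for URLs listed in its authorizedUrls.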

@tomreich

@JohanArleth Thanks, unfortunately I do not have permission to grant admin consent.

@igotinfected

I've just run into this issue myself. API scope and graph scope in one Blazor WASM app. With some tinkering with named http clients and providers, I've got the app running once it's deployed, but when debugging on launch of the application, and once trying to retrieve data via the graph client, an AuthenticationService.js error is generated:

```text
ClientAuthError: token_refresh_required: Cannot return token from cache because it must be refreshed. This may be due to one of the following reasons: forceRefresh parameter is set to true, claims have been requested, there is no cached access token or it is expired.
Stack trace:
 >  at t [as constructor] (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:16497)
 >    at new t (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:16860)
 >    at t.createRefreshRequiredError (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:23241)
 >    at t.<anonymous> (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:119067)
 >    at https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:4710
 >    at Object.next (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:4815)
 >    at https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:3752
 >    at new Promise (<anonymous>)
 >    at p (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:3497)
 >    at t.acquireCachedToken (https://localhost:5001/redacted/redacted/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js:2:118405)
Could not read source map for https://aadcdn.msauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_20ead0268c36816fd612.js: Unexpected 503 response from https://aadcdn.msauth.net/shared/1.0/content/js/20ead0268c36816fd612.map: connect ECONNREFUSED 13.107.246.45:443
Could not read source map for https://aadcdn.msauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_ptiles_8cd7f73355d7dad3e32b.js: Unexpected 503 response from https://aadcdn.msauth.net/shared/1.0/content/js/8cd7f73355d7dad3e32b.map: connect ECONNREFUSED 13.107.246.45:443
```

@javiercn (Member)

This has been addressed as part of #43954. Likely a dupe of #29384

@javiercn javiercn modified the milestones: Backlog, 7.0-rc2 Sep 15, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Oct 15, 2022
5 participants