
Blazor webassembly msal does not work with scopes on multiple resources #33241

Closed
@JohanArleth

Description


Describe the bug

Using the Blazor WebAssembly MSAL library it's possible to get tokens for scopes on one resource, but as soon as you attempt to get additional scopes on another resource, you run into issues with multiple resources: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource.

This error itself is of course correct, but the library should not be trying to get a token for both the default scope and the new scopes.

MSAL.NET covers this scenario: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources

Related Stack Overflow questions:
https://stackoverflow.com/questions/60754751/blazor-webassembly-standalone-access-multiple-aad-protected-apis
https://stackoverflow.com/questions/67788030/how-to-handle-tokens-for-multiple-resources-in-blazor-webassembly-msal

To Reproduce

Example repo:
https://github.com/JohanArleth/MsalMultipleDomains
To get it running, fill out the appsettings with clientid, tenantid and a scope that is not from graph.

Run the example and you should automatically be asked to login. So far so good.

There is then a button "Get graph scopes" which will do the following:

```csharp
// Button handler: request Graph scopes on top of the default scope configured in appsettings.
// (async Task instead of async void so Blazor can observe exceptions from the handler.)
async Task GetGraphScopes()
{
    Console.WriteLine("GetGraphScopes");
    string[] scopes = new[] { "https://graph.microsoft.com/Mail.ReadWrite", "https://graph.microsoft.com/Mail.Send" };

    // IAccessTokenProviderAccessor is injected by Microsoft.AspNetCore.Components.WebAssembly.Authentication.
    var result = await AccessTokenProviderAccessor.TokenProvider.RequestAccessToken(
        new AccessTokenRequestOptions()
        {
            Scopes = scopes
        });

    if (!result.TryGetToken(out var token))
    {
        // No cached token covers these scopes: redirect to Azure AD for consent.
        // Can this be done in a popup?
        Navigation.NavigateTo(result.RedirectUrl);
    }
}
```

Once you have consented to these new scopes, and hit the callback to the application, you will get the multiple resources error and land on the page for problem with login.

This is only an issue when you have to provide consent, so subsequent attempts will work, until you revoke your consent and clear site data.

This can be avoided by not setting any default scopes, but this then means that you will have to trigger extra consent dialogs.

Exceptions (if any)

```json
{
    "error": "invalid_request",
    "error_description": "AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://xxxxxxx/API.Access https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send openid profile is not valid.\r\nTrace ID: d23e9119-26d2-41e9-b5cc-6a35ff867901\r\nCorrelation ID: 0a213a7d-e811-46da-a01c-90e2279f3501\r\nTimestamp: 2021-06-03 07:57:04Z",
    "error_codes": [28000],
    "timestamp": "2021-06-03 07:57:04Z",
    "trace_id": "d23e9119-26d2-41e9-b5cc-6a35ff867901",
    "correlation_id": "0a213a7d-e811-46da-a01c-90e2279f3501"
}
```

Further technical details

  • net5.0
  • Output of dotnet --info:

```text
.NET SDK (reflecting any global.json):
Version: 5.0.300
Commit: 2e0c8c940e

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\5.0.300\

Host (useful for support):
Version: 5.0.6
Commit: 478b2f8c0e

.NET SDKs installed:
5.0.300 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
```

  • Visual Studio 2019 16.10.0
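As an added illustration (not code from the issue or from the ASP.NET Core repository): the AADSTS28000 error above occurs because the configured default scope and the newly requested Graph scopes are merged into one token request. The stand-alone C# program below groups a scope list by resource and flags the mixed-resource condition before any request is sent, using the exact scope string from the error response; the set of resource-free OIDC scopes and the "resource is everything before the last slash" rule are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed example: a pre-flight check that reproduces what Azure AD rejects
// with AADSTS28000, i.e. one token request whose scopes span several resources.
public static class ScopeResourceCheck
{
    // Assumption: OpenID Connect scopes are not bound to a resource and may accompany any request.
    static readonly HashSet<string> OidcScopes =
        new(StringComparer.OrdinalIgnoreCase) { "openid", "profile", "email", "offline_access" };

    // Assumed rule: the resource is the scope up to its last '/', e.g.
    // "https://graph.microsoft.com/Mail.Send" -> "https://graph.microsoft.com",
    // "api://xxxxxxx/API.Access" -> "api://xxxxxxx". OIDC scopes map to null.
    public static string? ResourceOf(string scope)
    {
        if (OidcScopes.Contains(scope)) return null;
        int slash = scope.LastIndexOf('/');
        return slash > 0 ? scope.Substring(0, slash) : scope; // bare scope: treat as its own resource
    }

    // Group scopes by resource; OIDC scopes are attached to every group so that each
    // per-resource scope array can be passed to its own RequestAccessToken call.
    public static Dictionary<string, string[]> SplitByResource(IEnumerable<string> scopes)
    {
        var list = scopes.ToList();
        var oidc = list.Where(s => ResourceOf(s) is null).ToArray();
        return list.Where(s => ResourceOf(s) is not null)
                   .GroupBy(s => ResourceOf(s)!)
                   .ToDictionary(g => g.Key, g => g.Concat(oidc).ToArray());
    }

    public static void Main()
    {
        // Scope list exactly as it appears in the AADSTS28000 error in the report:
        // the default API scope, the two Graph scopes and the OIDC scopes.
        var requested = "api://xxxxxxx/API.Access https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send openid profile"
            .Split(' ', StringSplitOptions.RemoveEmptyEntries);

        var groups = SplitByResource(requested);
        Console.WriteLine(groups.Count > 1
            ? $"Request spans {groups.Count} resources; Azure AD will answer AADSTS28000."
            : "Request is scoped to a single resource.");
        foreach (var (resource, scopes) in groups)
            Console.WriteLine($"  {resource}: {string.Join(' ', scopes)}");
    }
}
```

Run with `dotnet run` in a net5.0 console project; the two groups printed are the separate requests the client would need to issue, one per resource.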

Labels

  • area-blazor (Includes: Blazor, Razor Components)
  • bug (This issue describes a behavior which is not expected - a bug.)
  • feature-blazor-wasm (This issue is related to and / or impacts Blazor WebAssembly)
  • feature-blazor-wasm-auth
