'Microsoft OAuth "scope that doesn't exist" error response

I'm using Microsoft oauth2 authorization; usually it works fine - but not for one user. He get's this error:

AADSTS650053: The application *** asked for scope 'openid,profile,offline_access,user.read,calendars.readwrite' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 4d2d1b15-cd7c-4b62-beda-e2013dd58500 Correlation ID: b6f14fc5-d781-4901-a4eb-6dc235e28e03

So the scope is always the same but for some clients "that doesn't exist". Does anybody know the issue?

Some of my Azure app details:

Supported account types: All Microsoft account users
API permissions: Calendars.ReadWrite offline_access openid profile User.Read

In the manifest:

"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"description": null,
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [],
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": {
    "idToken": [],
    "accessToken": [],
    "saml2Token": []
},
"orgRestrictions": [],
"parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
},
...
"samlMetadataUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tokenEncryptionKeyId": null
oauth-2.0azure-active-directorymicrosoft-graph-api


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

No authentication handler is registered for the scheme 'Cookies'. The registered schemes are: Application, Bearer, ASOS

Modern Oauth2 authentication for sending mails using Nodemailer nodejs

Spring Security: How to use a UserDetailsService with JwtAuthenticationProvider?

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Change the preferred_username in token for client credential grant flow

How to convert guild.permissions number into an array of persmissions discord.js oauth2

how to config apache jmeter 2.6 oauth 2.0

oauth-private.key does not exist or is not readable

ASP.NET Web API Google OAuth keep return "Access Denied"

Java - OAuth 2 using restTemplate to get login with refresh token (StackOverFlowError)

AWS Cognito; unauthorized_client error when hitting /oauth2/token

AWS Cognito; unauthorized_client error when hitting /oauth2/token

Salesforce OAuth User Agent Flow: obtain refresh token with

JWT "invalid_grant" in Signature in Google OAuth2

"Full authentication is required to access this resource" on spring oauth2 authorization server on /oauth/token request