MSAL Error message AADSTS65005 when trying to get token for accessing custom api

时光毁灭记忆、已成空白 submitted on 2019-12-22 10:44:57

Question


I downloaded the example below to get an access token from MS Graph and it worked fine. Now I changed the code to get a token from a custom web API. On apps.dev.microsoft.com I registered a client application and the API.

Client and server registration in AD

    using System;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    private static async Task<AuthenticationResult> GetToken()
    {
        // Application ID of the client registration on apps.dev.microsoft.com
        const string clientId = "185adc28-7e72-4f07-a052-651755513825";

        var clientApp = new PublicClientApplication(clientId);

        AuthenticationResult result = null;

        // Scope exposed by the custom web API: "<App ID URI of the API>/<scope value>"
        string[] scopes = new string[] { "api://f69953b0-2d7f-4523-a8df-01f216b55200/Test" };

        try
        {
            // Interactive sign-in with account picker; MSAL adds openid, profile and
            // offline_access to the request on its own, which is why offline_access
            // shows up in the error even though it is not in the scopes array.
            result = await clientApp.AcquireTokenAsync(scopes, "", UIBehavior.SelectAccount, string.Empty);
        }
        catch (Exception x)
        {
            if (x.Message == "User canceled authentication")
            {
                // User closed the sign-in dialog; treated like any other failure below
            }
            return null;
        }
        return result;
    }

When I run the code I log in to AD via the dialog and get the following exception in the debugger:

Error: Invalid client Message = "AADSTS65005: The application 'CoreWebAPIAzureADClient' asked for scope 'offline_access' that doesn't exist on the resource. Contact the app vendor.\r\nTrace ID: 56a4b5ad-8ca1-4c41-b961-c74d84911300\r\nCorrelation ID: a4350378-b802-4364-8464-c6fdf105cbf1\r...

Error message

Help appreciated, trying for days...


Answer 1:


As of today, the V2 Endpoint does not support API access other than the Microsoft Graph. See the limitations of the V2 app model here.

Standalone Web APIs

You can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID. You cannot access a Web API from a client that has a different Application ID. The client won't be able to request or obtain permissions to your Web API.

For the specific scenario that you are trying to accomplish, you need to use the V1 App Model (register apps on https://portal.azure.com).

In the very near future, V2 apps will be enabled to call other APIs other than Microsoft Graph, so your scenario will be supported, but that is just not the case today. You should keep an eye out on our documentation for this update.




Answer 2:


In your (server) application registration in AAD, you need to specify your scopes in the oauth2Permissions element.

You may already have a user_impersonation scope set. Copy that as a baseline, give it a unique GUID and value, and then AAD will let your client request an access token with your new scope.
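As an added illustration of what that manifest edit looks like (this is not part of the answer above), here is the relevant part of the web API's application manifest with a second oauth2Permissions entry cloned from user_impersonation. The appId and identifierUris values are taken from the scope string in the question (api://<App ID>/Test), which assumes the default App ID URI; the two id GUIDs and the consent display strings are placeholders that you would replace with your own values.

```json
{
  "appId": "f69953b0-2d7f-4523-a8df-01f216b55200",
  "identifierUris": [
    "api://f69953b0-2d7f-4523-a8df-01f216b55200"
  ],
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access the web API on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access the web API",
      "id": "00000000-0000-0000-0000-000000000001",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access the web API on your behalf.",
      "userConsentDisplayName": "Access the web API",
      "value": "user_impersonation"
    },
    {
      "adminConsentDescription": "Allow the application to call the Test operations of the web API on behalf of the signed-in user.",
      "adminConsentDisplayName": "Call Test operations",
      "id": "00000000-0000-0000-0000-000000000002",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to call the Test operations of the web API on your behalf.",
      "userConsentDisplayName": "Call Test operations",
      "value": "Test"
    }
  ]
}
```

The scope a client requests is the App ID URI followed by a slash and the entry's value, so "api://f69953b0-2d7f-4523-a8df-01f216b55200/Test" resolves to the second entry. Each id must be a GUID that is unique within the manifest, and the entry stays unusable while isEnabled is false. Once a token is issued, the web API should check that the aud claim is its own App ID URI (or App ID) and that scp contains Test before serving the request, rather than trusting any token the tenant signed.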



Source: https://stackoverflow.com/questions/45254631/msal-error-message-aadsts65005-when-trying-to-get-token-for-accessing-custom-api
