jonenst
Copper Contributor
Jun 01, 2021

400 Bad Request UndefinedScope ProfileBadRequestException on /oidc/userinfo for some users

Hi,

Our working setup stopped working sometime at the end of May (not sure of the exact date). We request a token from the authorization endpoint https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize with the following scopes: "openid User.read profile"

We then issue a request to https://graph.microsoft.com/oidc/userinfo with the header Authorization: Bearer <TOKEN> and get

{
  "error": {
    "code": "BadRequest",
    "message": "{\r\n  \"error\":{\r\n    \"code\":\"UndefinedScope\",\"message\":\"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileBadRequestException' was thrown.\"\r\n  }\r\n}",
    "innerError": {
      "date": "2021-06-01T10:52:35",
      "request-id": "32aeff66-a806-4732-bbba-6872994ef2f7",
      "client-request-id": "32aeff66-a806-4732-bbba-6872994ef2f7"
    }
  }
}

This used to work for all users. Our app is configured to accept "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

This works for professional accounts on my tenant ID, but it doesn't work for personal accounts (tenant ID 9188040d-6c67-4c5b-b112-36a304b66dad).

Can you offer any advice? Thanks in advance.

5 Replies

  • Demetree
    Copper Contributor

    jonenst, I had this same issue, and I found a workaround.

    I used this endpoint instead to get the user info, and it worked: https://graph.microsoft.com/v1.0/me

    The object returned is slightly different property-name-wise, but I'm able to get data from it with my personal account.

    Hope this helps.

    • jonenst
      Copper Contributor

      Hi, thanks for the reply. Nice to know I'm not the only one.

      I just tested https://graph.microsoft.com/v1.0/me and indeed it returns my name and some other things.

      However, I can't use it because my code is not specific to Azure's OIDC provider. My code only gets the user_info endpoint from the https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration document and uses that.

      Do you know if I can report this to the team running "https://graph.microsoft.com/oidc/userinfo"?

      Thanks a lot.

      • Demetree
        Copper Contributor

        jonenst, it sounds like this will need to be addressed on the Microsoft side if you're constrained by the values from the config document.

        Unfortunately, I'm not aware of what the process to formally report it is.

        Cheers,

        Demetree
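Added example, not code from anyone in this thread or from Microsoft: a small OIDC-generic client in Python that does what the original post describes. It reads userinfo_endpoint from the https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration document, calls it with the bearer token, and on a 400 unwraps Graph's nested error envelope (the outer "message" field is itself a JSON string) so the inner "UndefinedScope" code and the request-id are visible instead of only the outer "BadRequest". It also implements the https://graph.microsoft.com/v1.0/me workaround from the replies by renaming that resource's properties to the standard userinfo claim names; that mapping (id to sub, displayName to name, givenName to given_name, surname to family_name, mail to email) is this example's own assumption, as are the injected http_get transport and every response in fake_transport, which are constructed so the code runs offline.

```python
import json
from typing import Callable, Dict, Optional, Tuple

DISCOVERY_URL = ("https://login.microsoftonline.com/common/v2.0/"
                 ".well-known/openid-configuration")
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"
GRAPH_ME_URL = "https://graph.microsoft.com/v1.0/me"

# Injected transport, (url, headers) -> (status, body_text), so the example runs offline.
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


class UserInfoError(Exception):
    def __init__(self, status: int, outer_code: Optional[str],
                 inner_code: Optional[str], request_id: Optional[str]):
        super().__init__(f"HTTP {status}: {outer_code}/{inner_code}, request-id {request_id}")
        self.status, self.outer_code = status, outer_code
        self.inner_code, self.request_id = inner_code, request_id


def unwrap_graph_error(body: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (outer_code, inner_code, request_id) from a Graph error body. The outer
    'message' is itself a JSON document, which is why 'UndefinedScope' never shows up
    as a top-level field of the response; the request-id is what a support ticket needs."""
    try:
        outer = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return None, None, None
    inner_code = None
    try:
        inner_code = json.loads(outer.get("message", "")).get("error", {}).get("code")
    except (ValueError, AttributeError):
        pass  # message was plain text, not a nested envelope
    return outer.get("code"), inner_code, outer.get("innerError", {}).get("request-id")


def userinfo_endpoint(http_get: HttpGet, discovery_url: str = DISCOVERY_URL) -> str:
    """Take the endpoint from the discovery document instead of hard-coding it."""
    status, body = http_get(discovery_url, {})
    if status != 200:
        raise RuntimeError(f"discovery document returned HTTP {status}")
    return json.loads(body)["userinfo_endpoint"]


def fetch_userinfo(http_get: HttpGet, token: str) -> dict:
    status, body = http_get(userinfo_endpoint(http_get), {"Authorization": "Bearer " + token})
    if status == 200:
        return json.loads(body)
    raise UserInfoError(status, *unwrap_graph_error(body))


def me_as_userinfo(http_get: HttpGet, token: str) -> dict:
    """The workaround from the replies: call /v1.0/me and rename its properties to the
    standard userinfo claim names. The mapping is this example's own assumption."""
    status, body = http_get(GRAPH_ME_URL, {"Authorization": "Bearer " + token})
    if status != 200:
        raise RuntimeError(f"/v1.0/me returned HTTP {status}")
    me = json.loads(body)
    mapping = {"id": "sub", "displayName": "name", "givenName": "given_name",
               "surname": "family_name", "mail": "email"}
    return {claim: me[prop] for prop, claim in mapping.items() if me.get(prop) is not None}


def get_claims(http_get: HttpGet, token: str) -> Tuple[str, dict]:
    """Prefer the advertised endpoint; fall back to /v1.0/me only on the specific
    UndefinedScope failure, so expired tokens and other errors still raise."""
    try:
        return "userinfo", fetch_userinfo(http_get, token)
    except UserInfoError as err:
        if err.inner_code != "UndefinedScope":
            raise
        return "me", me_as_userinfo(http_get, token)


# Constructed responses: the discovery document is trimmed to the one field used here,
# the 400 body reproduces the shape posted in the thread, and the /v1.0/me user is made up.
GRAPH_400_BODY = json.dumps({"error": {
    "code": "BadRequest",
    "message": json.dumps({"error": {"code": "UndefinedScope", "message":
        "Exception of type 'Microsoft.Fast.Profile.Core.Exception."
        "ProfileBadRequestException' was thrown."}}, indent=2),
    "innerError": {"date": "2021-06-01T10:52:35",
                   "request-id": "32aeff66-a806-4732-bbba-6872994ef2f7",
                   "client-request-id": "32aeff66-a806-4732-bbba-6872994ef2f7"}}})
FAKE_ME_BODY = json.dumps({"id": "11111111-2222-3333-4444-555555555555",
                           "displayName": "Example User", "givenName": "Example",
                           "surname": "User", "mail": None})
FAKE_OK_BODY = json.dumps({"sub": "AAAAAAAAAAAAAAAAAAAAAA", "name": "Example User"})


def fake_transport(userinfo_works: bool) -> HttpGet:
    """Offline stand-in for HTTP GET; the flag switches the userinfo endpoint between
    a healthy reply and the UndefinedScope failure seen for personal accounts."""
    responses = {
        DISCOVERY_URL: (200, json.dumps({"userinfo_endpoint": USERINFO_URL})),
        USERINFO_URL: (200, FAKE_OK_BODY) if userinfo_works else (400, GRAPH_400_BODY),
        GRAPH_ME_URL: (200, FAKE_ME_BODY),
    }
    def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if url != DISCOVERY_URL and not headers.get("Authorization", "").startswith("Bearer "):
            return 401, ""
        return responses.get(url, (404, ""))
    return http_get
```

Calling get_claims(fake_transport(False), token) reproduces the failure from the post and returns the /v1.0/me claims; with True it returns the userinfo document directly. The fallback fires only on the inner UndefinedScope code, so an expired token or a missing Authorization header still raises rather than being silently papered over, and the request-id carried by UserInfoError is what to quote when reporting the problem. Against the real endpoints, replace fake_transport with a function that performs the GET and returns (status, body).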