Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

400 Bad Request UndefinedScope ProfileBadRequestException on /oidc/userinfo for some users

Copper Contributor

Hi,

our working setup stopped working sometime at the end of may (not sure of the exact date). We request a token from the authorization endpoint https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize with the following scopes: "openid User.read profile"

 

we then issue a request to https://graph.microsoft.com/oidc/userinfo with the Authorization: Bearer <TOKEN> and get

 

{
  "error": {
    "code": "BadRequest",
    "message": "{\r\n  \"error\":{\r\n    \"code\":\"UndefinedScope\",\"message\":\"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileBadRequestException' was thrown.\"\r\n  }\r\n}",
    "innerError": {
      "date": "2021-06-01T10:52:35",
      "request-id": "32aeff66-a806-4732-bbba-6872994ef2f7",
      "client-request-id": "32aeff66-a806-4732-bbba-6872994ef2f7"
    }
  }
}

 

 

this used to work for all users. our app is configured to accept "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

This works for professional accounts on my tenantid, but it doesn't work for personal account (tenantid 9188040d-6c67-4c5b-b112-36a304b66dad )

Can you offer any advice ? Thanks in advance

5 Replies

@jonenst , I had this same issue, and I found a workaround.

 

I used this end point instead to get the user info, and it worked  https://graph.microsoft.com/v1.0/me

 

The object returned is slightly different property name wise, but I'm able to get data from it with my personal account.

 

Hope this helps.

 

Hi, thanks for the reply. Nice to know I'm not the only one.

I just tested https://graph.microsoft.com/v1.0/me and indeed it returns my name and some other things.

 

However I can't use it because my code is not specific to azure's oidc provider. My code only gets the user_info endpoint from the  https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration document and uses that.

 

Do you know if I can report this to the team running "https://graph.microsoft.com/oidc/userinfo" ?

Thanks a lot

Hi, I am also facing the same issue recently, did you found any solution on this?. Thanks in advance.

@jonenst it sounds like this will need to be addressed on the Microsoft side if you're constrained by the values from the config document.

 

Unfortunately, I'm not aware of what the process to formally report it is.

 

Cheers,

 

Demetree

 

Testing again, it works now. apparently it was fixed this summer in their server.