Error : The token does not have one or more required security scopes


Hi

I want to make a simple application that retrieves all the print jobs of a specific printer, but I encountered an issue when I want to call the API "jobs".

I followed the document "Quickstart: Register an application with the Microsoft identity platform" (https://docs.microsoft.com/fr-fr/azure/active-directory/develop/quickstart-register-app)

1. I registered a new application with the account "Accounts in this organizational directory only"

2. I added a client secret

3. I added the application permission "PrintJob.Read.All", permission to list the print jobs

My application is very simple

1. I retrieve an access token by calling the URL https://login.microsoftonline.com/cartadis.com/oauth2/v2.0/token in POST method with the parameters

  grant_type=client_credentials
  client_id=<id of my app in azure>
  client_secret=<secret of my app>
  scope=https://graph.microsoft.com/.default

2. I call the URL https://graph.microsoft.com/beta/print/printers/<id_of_my_printer>/jobs with the token retrieved previously in the header name "Authorization"

But each time, I have a 403 error "The token does not have one or more required security scopes"

I forgot something? Ideas?

Thanks in advance

Regards

2 Replies

@xmoncomble for the user account you are using when calling the Graph API to retrieve the jobs, is the user account assigned the Printer Administrator role, and does it have a Universal Print license?

If the user account already has the right permissions, you can decode the token using JWT Decoder | AD FS Help (microsoft.com) to see what permission scopes the token has. You can use the "Developer Tools" within the browser to capture the network traffic and look at the header for the call to the Graph API. Copy the value after the "Bearer" string in the "Authorization:" header and paste it into the decoder. You'll want to search for "scp" in the decoded result to see what scopes the token is carrying.

HTH,

Jimmy

@Jimmy_Wu I understood where the problem came from: a permission was missing.
By adding the application permission Printer.ReadWrite.All, my application is now able to list the jobs of my printer.
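
Added example, not part of the original thread: the token inspection suggested in the first reply, done locally in Python so a live bearer token never has to be pasted into a web page. It reads both `scp` (delegated scopes) and `roles` (where the Microsoft identity platform puts application permissions in client-credentials tokens) and reports which required permissions are absent; the function names and the sample token are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(token: str) -> dict:
    """Read the permission claims of a JWT access token.

    The signature is NOT verified: this is for diagnosing a 403,
    never for making an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    roles = claims.get("roles", [])   # application permissions (app-only token)
    scp = claims.get("scp", "")       # delegated scopes, space-separated
    return {
        "aud": claims.get("aud"),
        "application": sorted(roles) if isinstance(roles, list) else [],
        "delegated": sorted(scp.split()) if isinstance(scp, str) else [],
    }


def missing_permissions(token: str, required: list) -> list:
    perms = token_permissions(token)
    granted = set(perms["application"]) | set(perms["delegated"])
    return sorted(set(required) - granted)


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token for the demo only (hypothetical helper).
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.constructed-signature'


# Constructed sample mirroring the thread: only PrintJob.Read.All was granted.
SAMPLE_TOKEN = make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["PrintJob.Read.All"]}
)

if __name__ == "__main__":
    print(token_permissions(SAMPLE_TOKEN))
    print(missing_permissions(
        SAMPLE_TOKEN, ["PrintJob.Read.All", "Printer.ReadWrite.All"]))
```

An application permission that has been added to the app registration but not yet granted admin consent will also be absent from `roles`, so an empty or short list here points at the registration rather than at the request.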