Description
(Link on Stack Overflow)
I have an Excel add-in where single sign-on was implemented, but recently I realized that the SSO does not work anymore. So I tried to debug it on localhost.
First, I hit the Missing grant for this add-in error in my add-in. Then, I got the same error with the sample project: https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/sso-quickstart. Note that I don't get this error with https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs.
I created a test Azure account: test.sso.2023@gmail.com with the password retzub-Tepfuf-9quwpo (please let me know if we can share a password here, but the account is set up solely for this testing purpose) and registered the app. I put the updated code of sso-quickstart that produces the error in this repository.
After launching the code we could sign in to Excel Online in Chrome, then sideload the add-in. Clicking on the button Get My User Profile Information launched Office.auth.getAccessToken, which raised the error POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token 400 (Bad Request) and Missing grant for this add-in.
The request https://login.microsoftonline.com/consumers/oauth2/v2.0/token returned
AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope...
The JSON of my app settings on the Microsoft identity platform:
```json
{
  "id": "f61962fb-722b-465f-a265-4a1e70a744e3",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "e55f4769-4293-4b71-94ea-5eb16dcfe41d",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2023-01-31T19:16:20Z",
  "description": null,
  "certification": null,
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": null,
  "identifierUris": [
    "api://localhost:3000/e55f4769-4293-4b71-94ea-5eb16dcfe41d"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "sso",
  "notes": null,
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow Office to have read/write permissions to all user files and read permissions to all user mail. Office can call the app's web APIs as the current user.",
      "adminConsentDisplayName": "Read/write permissions to user files. Read permissions to user mail and profiles.",
      "id": "9b6c01b1-9818-4eb3-898c-e412fad8ae03",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "type": "User",
      "userConsentDescription": "Allow Office to have read/write permissions to your files, and read permissions to your mail and profile.",
      "userConsentDisplayName": "Read/write permissions to your files. Read permissions to your mail and profile.",
      "value": "access_as_user"
    }
  ],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2023-07-30T18:17:18.762Z",
      "keyId": "10c2239b-b83c-4085-b277-a37931990aa1",
      "startDate": "2023-01-31T19:17:18.762Z",
      "value": null,
      "createdOn": "2023-01-31T19:17:25.3206496Z",
      "hint": "~l2",
      "displayName": "secret"
    }
  ],
  "preAuthorizedApplications": [
    {
      "appId": "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
      "permissionIds": [
        "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
      ]
    },
    {
      "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
      "permissionIds": [
        "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
      ]
    },
    {
      "appId": "93d53678-613d-4013-afc1-62e9e444a0a5",
      "permissionIds": [
        "9b6c01b1-9818-4eb3-898c-e412fad8ae03"
      ]
    }
  ],
  "publisherDomain": null,
  "replyUrlsWithType": [
    {
      "url": "https://localhost:3000/fallbackauthdialog.html",
      "type": "Spa"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "14dad69e-099b-42c9-810b-d002981feec1",
          "type": "Scope"
        },
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        },
        {
          "id": "37f7f235-527c-4136-accd-4a02d197296e",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "tags": [],
  "tokenEncryptionKeyId": null
}
```
And the API permissions, which can also be found under requiredResourceAccess in the JSON above:
Does anyone know what may be the cause of this error?
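The following is an added example, not code from the issue author or from the sso-quickstart sample. It audits an app-registration manifest like the one posted above for the settings that Office SSO token acquisition depends on: the Application ID URI in the api://<host>/<appId> form, an enabled access_as_user scope, every Office client the caller lists being pre-authorized for that scope, Microsoft Graph delegated scopes being requested, the fallback dialog redirect URI registered as a SPA redirect, and the client secret not being expired (the secret in the posted manifest ends 2023-07-30, so the server-side on-behalf-of exchange fails after that date regardless of the grant). The manifest constant is trimmed from the JSON in the issue; the list of required Office client IDs is taken from what that manifest already pre-authorizes and is a parameter, so the reader should substitute the list from Microsoft's SSO documentation rather than treat this one as complete.

```javascript
// Added example (not the issue author's or Microsoft's code): audit an app
// registration manifest for the settings Office add-in SSO depends on.

const GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph

// Trimmed from the manifest JSON posted in the issue (constructed sample input).
const manifestFromIssue = {
  appId: "e55f4769-4293-4b71-94ea-5eb16dcfe41d",
  identifierUris: ["api://localhost:3000/e55f4769-4293-4b71-94ea-5eb16dcfe41d"],
  oauth2Permissions: [
    { id: "9b6c01b1-9818-4eb3-898c-e412fad8ae03", isEnabled: true, type: "User", value: "access_as_user" },
  ],
  passwordCredentials: [{ displayName: "secret", endDate: "2023-07-30T18:17:18.762Z" }],
  preAuthorizedApplications: [
    { appId: "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e", permissionIds: ["9b6c01b1-9818-4eb3-898c-e412fad8ae03"] },
    { appId: "d3590ed6-52b3-4102-aeff-aad2292ab01c", permissionIds: ["9b6c01b1-9818-4eb3-898c-e412fad8ae03"] },
    { appId: "93d53678-613d-4013-afc1-62e9e444a0a5", permissionIds: ["9b6c01b1-9818-4eb3-898c-e412fad8ae03"] },
  ],
  replyUrlsWithType: [{ url: "https://localhost:3000/fallbackauthdialog.html", type: "Spa" }],
  requiredResourceAccess: [
    { resourceAppId: GRAPH_APP_ID, resourceAccess: [{ id: "14dad69e-099b-42c9-810b-d002981feec1", type: "Scope" }] },
  ],
  signInAudience: "AzureADandPersonalMicrosoftAccount",
};

// Assumption: the Office client IDs to require. These are the three the posted
// manifest already pre-authorizes; replace with the list from Microsoft's docs.
const OFFICE_CLIENT_IDS_FROM_ISSUE = [
  "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e",
  "d3590ed6-52b3-4102-aeff-aad2292ab01c",
  "93d53678-613d-4013-afc1-62e9e444a0a5",
];

// Returns a list of human-readable findings; an empty list means every check passed.
function auditSsoManifest(manifest, { host, requiredClientIds, now }) {
  const findings = [];

  // 1. Application ID URI must be api://<host>/<appId> for Office to request the token.
  const expectedUri = `api://${host}/${manifest.appId}`;
  if (!(manifest.identifierUris || []).includes(expectedUri)) {
    findings.push(`identifierUris lacks ${expectedUri}`);
  }

  // 2. The add-in must expose an enabled access_as_user delegated scope.
  const scope = (manifest.oauth2Permissions || []).find((p) => p.value === "access_as_user");
  if (!scope) findings.push("no access_as_user scope exposed");
  else if (!scope.isEnabled) findings.push("access_as_user scope is disabled");

  // 3. Each required Office client must be pre-authorized for that scope, or the
  //    user is never prompted and the token request is refused.
  const pre = manifest.preAuthorizedApplications || [];
  for (const clientId of requiredClientIds) {
    const entry = pre.find((p) => p.appId === clientId);
    if (!entry) findings.push(`client ${clientId} not pre-authorized`);
    else if (scope && !entry.permissionIds.includes(scope.id)) {
      findings.push(`client ${clientId} pre-authorized but not for access_as_user`);
    }
  }

  // 4. Graph delegated scopes must be requested for the on-behalf-of exchange.
  const graph = (manifest.requiredResourceAccess || []).find((r) => r.resourceAppId === GRAPH_APP_ID);
  if (!graph || !graph.resourceAccess.some((a) => a.type === "Scope")) {
    findings.push("no Microsoft Graph delegated scopes requested");
  }

  // 5. The fallback auth dialog redirect must be registered as a SPA redirect URI.
  const fallback = (manifest.replyUrlsWithType || []).find(
    (r) => r.url === `https://${host}/fallbackauthdialog.html`
  );
  if (!fallback) findings.push("fallback auth dialog redirect URI missing");
  else if (fallback.type !== "Spa") findings.push(`fallback redirect type is ${fallback.type}, expected Spa`);

  // 6. An expired client secret breaks the server-side token exchange silently.
  for (const cred of manifest.passwordCredentials || []) {
    if (new Date(cred.endDate) <= now) {
      findings.push(`client secret "${cred.displayName}" expired ${cred.endDate}`);
    }
  }
  return findings;
}

// Stand-alone run: audit the posted manifest as of today.
const report = auditSsoManifest(manifestFromIssue, {
  host: "localhost:3000",
  requiredClientIds: OFFICE_CLIENT_IDS_FROM_ISSUE,
  now: new Date(),
});
console.log(report.length ? report.join("\n") : "manifest passes all SSO checks");
```

Run with node; a clean manifest prints one line, otherwise one finding per line. The checks mirror what AADSTS70000 and "Missing grant" complain about (scope not granted to the calling client) plus the operational failure that most often appears months after a working setup, the secret expiry visible in passwordCredentials.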