InteractionRequiredAuthError not caught in AuthCodeMSALBrowserAuthenticationProvider #1969

@richard-einfinity

Describe the bug

I am trying to increment my consent using a new scope with the AuthCodeMSALBrowserAuthenticationProvider, but the browser doesn't prompt for interaction via the specified interaction type (Popup / Redirect).

Expected behavior

If the scope doesn't exist in the existing token, the user should be prompted to consent.

How to reproduce

Set up the AuthCodeMSALBrowserAuthenticationProvider with a scope not previously consented.

```ts
const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(
  instance as PublicClientApplication,
  {
    scopes: ["User.Read", "User.ReadBasic.All"],
    account: instance.getActiveAccount()!,
    interactionType: InteractionType.Redirect,
  }
);
```

Attempt to call the GraphClient

```ts
const graphClient = Client.initWithMiddleware({
  authProvider,
});

const user: User = await graphClient
  .api("/me")
  .select([
    "displayName",
    "givenName",
    "id",
    "mail",
    "mobilePhone",
    "officeLocation",
    "preferredLanguage",
    "surname",
    "userPrincipalName",
    "jobTitle",
    "companyName",
  ])
  .get();
```

SDK Version

3.0.7

Latest version known to work for scenario above?

No response

Known Workarounds

Specify the scopes in initial interactive login.

Debug output

```
Uncaught (in promise) _GraphError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'xxxxxxx'. Send an interactive authorization request for this user and resource. Trace ID: 53d15b9f-5e08-4e70-90fc-1448ddff9000 Correlation ID: 01992380-12dc-70c6-a2a2-33f9f074dd3b Timestamp: 2025-09-07 09:27:00Z
```


Configuration

No response

Other information

It would seem that the error thrown is not being caught as an instance of InteractionRequiredAuthError here.

[AuthCodeMSALBrowserAuthenticationProvider.ts](https://github.com/microsoftgraph/msgraph-sdk-javascript/blame/db1757abe7a4cad310f0cd4d7d2a83b961390cce/src/authentication/msal-browser/AuthCodeMSALBrowserAuthenticationProvider.ts#L65C5-L76C4)

Setting a breakpoint and inspecting the output shows this:-

**error**

```
Error
    at new GraphClientError2 (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16797:30)
    at AuthCodeMSALBrowserAuthenticationProvider2.<anonymous> (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16845:27)
    at step (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:208:17)
    at Object.next (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:160:14)
    at http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:147:67
    at new Promise (<anonymous>)
    at Object.__awaiter (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:129:10)
    at AuthCodeMSALBrowserAuthenticationProvider2.getAccessToken (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16838:26)
    at _AuthenticationHandler.<anonymous> (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client.js?v=8e109230:803:52)
    at Generator.next (<anonymous>)
stack: "Error\n    at new GraphClientError2 (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16797:30)\n    at AuthCodeMSALBrowserAuthenticationProvider2.<anonymous> (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16845:27)\n    at step (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:208:17)\n    at Object.next (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:160:14)\n    at http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:147:67\n    at new Promise (<anonymous>)\n    at Object.__awaiter (http://localhost:5173/node_modules/.vite/deps/chunk-QXXCRS6M.js?v=4882f8fb:129:10)\n    at AuthCodeMSALBrowserAuthenticationProvider2.getAccessToken (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client_authProviders_authCodeMsalBrowser.js?v=3372f56d:16838:26)\n    at _AuthenticationHandler.<anonymous> (http://localhost:5173/node_modules/.vite/deps/@microsoft_microsoft-graph-client.js?v=8e109230:803:52)\n    at Generator.next (<anonymous>)"
[[Prototype]]: Error
```

**error_1**

```
InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'xxxxx'. Send an interactive authorization request for this user and resource. Trace ID: a78c4369-1ba1-4643-9bc6-a41118743b00 Correlation ID: 01992398-5e93-72f1-97cb-19d935dc8e56 Timestamp: 2025-09-07 09:53:32Z
    at _ResponseHandler.validateTokenResponse (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:5595:15)
    at RefreshTokenClient.acquireToken (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:6052:21)
    at async RefreshTokenClient.acquireTokenWithCachedRefreshToken (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:6109:14)
claims: ""
correlationId: "01992398-5eb9-7c07-9a34-c2a893c5371a"
errorCode: "invalid_grant"
errorMessage: "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'xxxx'. Send an interactive authorization request for this user and resource. Trace ID: a78c4369-1ba1-4643-9bc6-a41118743b00 Correlation ID: 01992398-5e93-72f1-97cb-19d935dc8e56 Timestamp: 2025-09-07 09:53:32Z"
errorNo: 65001
name: "InteractionRequiredAuthError"
subError: "consent_required"
timestamp: "2025-09-07 09:53:32Z"
traceId: "a78c4369-1ba1-4643-9bc6-a41118743b00"
message: "invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'xxxx'. Send an interactive authorization request for this user and resource. Trace ID: a78c4369-1ba1-4643-9bc6-a41118743b00 Correlation ID: 01992398-5e93-72f1-97cb-19d935dc8e56 Timestamp: 2025-09-07 09:53:32Z"
stack: "InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'xxxx'. Send an interactive authorization request for this user and resource. Trace ID: a78c4369-1ba1-4643-9bc6-a41118743b00 Correlation ID: 01992398-5e93-72f1-97cb-19d935dc8e56 Timestamp: 2025-09-07 09:53:32Z\n    at _ResponseHandler.validateTokenResponse (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:5595:15)\n    at RefreshTokenClient.acquireToken (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:6052:21)\n    at async RefreshTokenClient.acquireTokenWithCachedRefreshToken (http://localhost:5173/node_modules/.vite/deps/chunk-PJPP7UDJ.js?v=4882f8fb:6109:14)"
[[Prototype]]: _AuthError
```
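
An added example, not part of the original issue or the SDK's code: it reproduces the reported symptom under the assumption that the thrown error and the `instanceof` check use two separate copies of the error class (the issue does not confirm this cause), next to a check on the `name` and `subError` fields seen in the dump. `loadErrorClasses`, `byInstanceof`, `byShape`, `getToken` and `consentError` are hypothetical names.

```javascript
// Returns a fresh class hierarchy per call, standing in for two bundled copies
// of the same library (an assumption about the cause, not taken from the issue).
function loadErrorClasses() {
  class AuthError extends Error {
    constructor(errorCode, errorMessage, subError) {
      super(`${errorCode}: ${errorMessage}`);
      Object.assign(this, { name: "AuthError", errorCode, errorMessage, subError });
    }
  }
  class InteractionRequiredAuthError extends AuthError {
    constructor(...args) {
      super(...args);
      this.name = "InteractionRequiredAuthError";
    }
  }
  return { AuthError, InteractionRequiredAuthError };
}

const thrownBy = loadErrorClasses();  // copy that raises the error
const checkedBy = loadErrorClasses(); // copy the catch block compares against

// Identity check: true only when both sides share one class object.
const byInstanceof = (err) => err instanceof checkedBy.InteractionRequiredAuthError;

// Shape check on the fields visible in the debugger dump, plus the OpenID
// Connect error codes that ask for user interaction.
const OIDC_INTERACTION_CODES = new Set(["interaction_required", "consent_required", "login_required"]);
function byShape(err) {
  if (!(err instanceof Error)) return false;
  return err.name === "InteractionRequiredAuthError" ||
    OIDC_INTERACTION_CODES.has(err.errorCode) ||
    OIDC_INTERACTION_CODES.has(err.subError);
}

// Silent first; go interactive only when the classifier says consent is needed.
async function getToken(acquireSilent, acquireInteractive, needsInteraction) {
  try {
    return await acquireSilent();
  } catch (err) {
    if (needsInteraction(err)) return acquireInteractive();
    throw err; // anything else must surface, not be masked by a prompt
  }
}

// Constructed error carrying the errorCode and subError values from the report.
function consentError() {
  return new thrownBy.InteractionRequiredAuthError(
    "invalid_grant", "AADSTS65001: consent missing (constructed text)", "consent_required");
}
```

With `byInstanceof` the consent error is rethrown and no prompt is requested, which matches the behaviour described; with `byShape` the same error triggers the interactive callback.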
