How to get valid AAD v2 token using MSAL.js for Azure DevOps

Question

ADAL.js and AAD v1 works to access Azure DevOps using delegated user_impersonation scope.

I used the same AAD Application Id with delegated permissions to generate access tokens using MSAL.js. The tokens were created successfully, but the access token does not work to access Azure DevOps.

The only meaningful difference in the decoded JWT token is that the "aud" claims are different.

In ADAL/v1, the aud is the application id of Azure DevOps:

"aud": "499b84ac-1321-427f-aa17-267ca6975798"

In MSAL/v1, the aud is the unique uri for Azure DevOps:

"aud": "https://app.vssps.visualstudio.com"

Has anyone been able to use MSAL.js with user_impersonation delegated permissions to access Azure DevOps rest API? If so, are there something missing to get MSAL to work?

Is it possible that their JWT validation just doesn't yet account for the second audience value?

Answer 1

It looks like Azure DevOps is a v1.0 application, so I was trying to make it work with the wrong v2.0 scope that Azure Portal suggested when setting up the delegated permissions:

scopes: ['https://app.vssps.visualstudio.com/user_impersonation']

However, according to this doc , the scope should use the resource Id as a prefix when talking with v1.0 applications. Here is the working scope with Azure DevOps resource id:

scopes: ['499b84ac-1321-427f-aa17-267ca6975798/user_impersonation']

This fixes the issue with the aud field, so that I again have a JWT aud claim with 499b84ac-1321-427f-aa17-267ca6975798.

Hopes that this helps someone else blocked on this issue.

Answer 2

I believe you need to pass a scope of '499b84ac-1321-427f-aa17-267ca6975798/.default' to the MSAL acquireTokenSilent . The token that gives you should work with DevOps.

myMsalInstance.acquireTokenSilent(['499b84ac-1321-427f-aa17-267ca6975798/.default'])

Similar issue located here: Getting OAuth tokens for Azure DevOps API consumption