How to get valid AAD v2 token using MSAL.js for Azure DevOps
It looks like Azure DevOps is a v1.0 application, so I was trying to make it work with the wrong v2.0 scope that Azure Portal suggested when setting up the delegated permissions:
scopes: ['https://app.vssps.visualstudio.com/user_impersonation']
However, according to this doc, the scope should use the resource Id as a prefix when talking with v1.0 applications. Here is the working scope with Azure DevOps resource id:
scopes: ['499b84ac-1321-427f-aa17-267ca6975798/user_impersonation']
This fixes the issue with the aud field, so that I again have a JWT aud claim with 499b84ac-1321-427f-aa17-267ca6975798.
Hope that this helps someone else blocked on this issue.
I believe you need to pass a scope of '499b84ac-1321-427f-aa17-267ca6975798/.default' to the MSAL acquireTokenSilent. The token that gives you should work with DevOps.
myMsalInstance.acquireTokenSilent(['499b84ac-1321-427f-aa17-267ca6975798/.default'])
Similar issue located here: Getting OAuth tokens for Azure DevOps API consumption
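To confirm which audience a token was issued for, as in the aud check described above, the payload can be decoded locally. This is an added example, not code from the original posts or from MSAL; it assumes Node.js (for Buffer), the function names are hypothetical, and the sample tokens are constructed and unsigned. It inspects the claim only and does not verify the signature.

```javascript
// Added example: diagnostic check of the aud claim. It does NOT verify the signature.
const AZURE_DEVOPS_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798'; // from the page

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  // base64url -> base64; Node's decoder tolerates missing padding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report whether the token's audience is the Azure DevOps resource id.
// aud may be a single string or an array of strings.
function checkDevOpsAudience(token) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { ok: false, aud: null, reason: 'undecodable token: ' + err.message };
  }
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const ok = auds.includes(AZURE_DEVOPS_RESOURCE_ID);
  return {
    ok,
    aud: claims.aud ?? null,
    reason: ok ? 'aud matches' : 'aud is not the Azure DevOps resource id',
  };
}

// Build an unsigned sample token (constructed input, for illustration only).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Constructed samples: one with the expected audience, one with a placeholder audience.
const goodToken = makeSampleToken({ aud: AZURE_DEVOPS_RESOURCE_ID, scp: 'user_impersonation' });
const wrongToken = makeSampleToken({ aud: '00000000-0000-0000-0000-000000000000' });
console.log(checkDevOpsAudience(goodToken));
console.log(checkDevOpsAudience(wrongToken));
```

In a real application, pass the accessToken value returned by MSAL to checkDevOpsAudience while debugging; the API receiving the token remains responsible for validating it.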