AppAuth iOS Token Exchange Problems Azure AD

Question

I built a AppAuth test app for android using an Azure AD tenant and it works ok. Now I am trying to the same with iOS (Swift 4) and failing when trying to exchange an access code for access token. No error is returned, I do get an idToken but no accessToken or refreshToken. No other errors. Not sure what is going on. Without an access token I can't query the graph. I am using Azure AD v2. Here are some pieces of my code:

func appAuthAuthorize(authConfig: AuthConfig) {
    let serviceConfiguration = OIDServiceConfiguration(
        authorizationEndpoint: NSURL(string: authConfig.authEndPoint)! as URL,
        tokenEndpoint: NSURL(string: authConfig.tokenEndPoint)! as URL)

    let request = OIDAuthorizationRequest(configuration: serviceConfiguration, clientId: authConfig.clientId, scopes: [OIDScopeOpenID, OIDScopeProfile], redirectURL: NSURL(string: authConfig.redirectUri)! as URL, responseType: OIDResponseTypeCode, additionalParameters: nil)

    doAppAuthAuthorization(authRequest: request)
}


func doAppAuthAuthorization(authRequest: OIDAuthorizationRequest) {
    let appDelegate = UIApplication.shared.delegate as! AppDelegate

    appDelegate.currentAuthorizationFlow = OIDAuthorizationService.present(authRequest, presenting: self, callback: {
        (authorizationResponse, error) in
        if (authorizationResponse != nil) {
            self.authState = OIDAuthState(authorizationResponse: authorizationResponse!)
            self.logMessage(message: "Got authorization code: \(String(describing: self.authState?.lastAuthorizationResponse.authorizationCode))")
            self.doTokenRequest()
        } else {
            self.authState = nil
            self.logMessage(message: "Authorization error: \(String(describing: error?.localizedDescription))")
        }
    })
}

func doTokenRequest() {
    let tokenExchangeRequest = authState?.lastAuthorizationResponse.tokenExchangeRequest()

    OIDAuthorizationService.perform(tokenExchangeRequest!) {
        tokenResponse, error in
        if tokenResponse == nil{
            self.logMessage(message: "Token exchange error: \(error!.localizedDescription)")
        } else {
            self.authState?.update(with: tokenResponse!, error: error)
            self.saveState()
            self.logMessage(message: "Received token response with accesToken: \(tokenResponse!.idToken!)")
            self.logMessage(message: "Received token response with accesToken: \(tokenResponse!.refreshToken!)")
            self.logMessage(message: "Received token response with accesToken: \(tokenResponse!.accessToken!)")
            self.retrieveUserProfile()
        }

        self.authState?.update(with: tokenResponse, error: error)
    }
}

Answer 1

Got the answer. The problem is that depending on the authorization server, one has to use scopes defined for that server. In the code above, I used the default OpenId scopes of OIDScopeOpenID and OIDScopeProfile. As soon as I changed this to Azure AD scope of User.Read, everything started working correctly. So here is the net change to the code in function appAuthAuthorize:

func appAuthAuthorize(authConfig: AuthConfig) {
let serviceConfiguration = OIDServiceConfiguration(
    authorizationEndpoint: NSURL(string: authConfig.authEndPoint)! as URL,
    tokenEndpoint: NSURL(string: authConfig.tokenEndPoint)! as URL)

let request = OIDAuthorizationRequest(configuration: serviceConfiguration, clientId: authConfig.clientId, scopes: ["User.Read"], redirectURL: NSURL(string: authConfig.redirectUri)! as URL, responseType: OIDResponseTypeCode, additionalParameters: nil)

doAppAuthAuthorization(authRequest: request)

}