Better error messages when setting scopes for "auth_type_flow=credentials"? #669

@ldorigo

Description

Hello, thanks for providing this library.

I was trying to set it up with an "own identity" authorization flow, and it took me a really long time to figure out what was wrong with my approach. I think the experience could be easily improved with better error messages. Here is what I tried:

1. setting the scopes using scope helpers on the account constructor

import O365

# client_id, value (the client secret) and tenantID are defined earlier (omitted from the report)
protocol = O365.MSGraphProtocol()
scopes = ["basic"]  # scope helper name, meant to be resolved by the protocol
credentials = (client_id, value)
account = O365.Account(
    credentials, protocol=protocol, auth_flow_type="credentials", tenant_id=tenantID, scopes=scopes
)
if account.authenticate():
    print("Authenticated!")

This results in the following error:

Unable to fetch auth token. Error: (invalid_scope) AADSTS1002012: The provided value for scope basic is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
Trace ID: 67e2b82a-a699-4961-8023-4ef550ede001
Correlation ID: 2729b5f6-b67f-4fa7-ba75-719c4ebaccf2
Timestamp: 2021-08-12 13:23:55Z

2. getting the actual scopes for the protocol before setting them

import O365

# client_id, value (the client secret) and tenantID are defined earlier (omitted from the report)
protocol = O365.MSGraphProtocol()
# resolve the "basic" helper into the real Graph scopes before authenticating
scopes = protocol.get_scopes_for(["basic"])

credentials = (client_id, value)
account = O365.Account(
    credentials, protocol=protocol, auth_flow_type="credentials", tenant_id=tenantID
)
if account.authenticate(scopes=scopes):
    print("Authenticated!")

This gives another error message:

Unable to fetch auth token. Error: (invalid_scope) AADSTS1002012: The provided value for scope https://graph.microsoft.com/User.Read offline_access is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
Trace ID: 7fddd33e-dbbc-47ce-afdb-5dc378e0a201
Correlation ID: 7dddb97c-3484-41f8-a10a-74d229b31c0d
Timestamp: 2021-08-12 13:30:02Z

After seeing this I remembered reading something in the readme and indeed found the following paragraph:

Instantiate an Account object with the credentials (client id and client secret), specifying the parameter auth_flow_type to "credentials". You also need to provide a 'tenant_id'. You don't need to specify any scopes.

While I should have read more carefully, that small sentence is very easy to overlook - and the error messages (especially in case 1) are really not helpful.

You might consider adding a very simple check to the constructor of Account and to the authenticate method and throw an exception in case scopes are passed when the auth_flow_type is set to "credentials" :-)
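An added example of the check the post asks for; this is not code from the O365 library and the helper names are hypothetical. It rejects delegated scopes when the flow is "credentials", derives the only scope form that flow accepts (`<resource>/.default`, as the AADSTS1002012 message above says), and extracts the AADSTS code from an error string like the ones quoted so the caller can give a targeted hint.

```python
"""Scope validation for auth_flow_type, as a stand-alone illustration.

Added example, not part of the O365 library. The rule for the credentials
flow follows the AADSTS1002012 message quoted in the issue: client credential
flows accept only '<resource>/.default'. The authorization-flow rule (at least
one scope) is an assumption for the example.
"""
import re

# Hint text for the one error code the issue shows; other codes map to None.
AAD_HINTS = {
    "AADSTS1002012": "credentials flow: drop the scopes or pass only '<resource>/.default'",
}


class ScopeConfigError(ValueError):
    """Raised when the requested scopes do not fit the selected auth_flow_type."""


def default_scope_for(resource="https://graph.microsoft.com"):
    """Build the app-only scope for a resource, e.g. https://graph.microsoft.com/.default."""
    return resource.rstrip("/") + "/.default"


def validate_scopes(auth_flow_type, scopes, resource="https://graph.microsoft.com"):
    """Return the scopes to request, or raise ScopeConfigError with a clear reason."""
    scopes = list(scopes or [])
    app_scope = default_scope_for(resource)
    if auth_flow_type == "credentials":
        # App-only tokens carry the application permissions an admin consented to;
        # delegated scopes such as User.Read or offline_access are rejected by AAD.
        wrong = [s for s in scopes if s != app_scope]
        if wrong:
            raise ScopeConfigError(
                f"auth_flow_type='credentials' does not take scopes {wrong}; "
                f"omit scopes or pass only {app_scope!r}"
            )
        return [app_scope]
    if not scopes:  # assumption: delegated flows need at least one scope
        raise ScopeConfigError(f"auth_flow_type={auth_flow_type!r} needs at least one scope")
    return scopes


def rejects(auth_flow_type, scopes):
    """True if validate_scopes refuses this combination (convenience for callers/tests)."""
    try:
        validate_scopes(auth_flow_type, scopes)
    except ScopeConfigError:
        return True
    return False


def aad_error_code(message):
    """Extract the AADSTS code from a token error message, or None if absent."""
    match = re.search(r"AADSTS\d+", message)
    return match.group(0) if match else None
```

`AAD_HINTS.get(aad_error_code(msg))` turns the raw token error from the library into the one-line hint the post is asking for.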
