OpenId Connect Authentication & Azure AD Scopes Confusion - azure-active-directory

I am trying to understand the correlation between the scopes I request in the Scope property of OpenIdConnectAuthenticationOptions and what is returned in my access token.
When I request only "openid profile" I get all the scopes that have been granted consent by the user or admin. Also, the version of the access token returned seems to depend on the scopes requested, for example if I include my registered "api://........". I believe I have both my web app and API configured in the manifest to version 2.
For example: "openid profile" returns the scopes "Directory.Read.All Group.Read.All User.Read profile openid email" in my access token.
Do certain scopes automatically map to others or is there some logic to this? For my own understanding I am trying to find some logical cause and effect to what's going on.

When you only put "openid profile" in the scope, the default scopes in the access token ("Directory.Read.All Group.Read.All User.Read profile openid email") are for the Microsoft Graph API by default. It is by design.
This is because the access token is used to call the UserInfo endpoint, where the user information actually comes from Microsoft Graph.
When you put "api://........" in the scope, the access token will be for your API application. There is an aud claim in the access token which identifies the intended recipient of the token. You can check that.
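The aud/scp check that this answer recommends, as an added example that is not part of the original post: it decodes a token's payload without verifying the signature (enough for inspection, never for trusting a token) and reports which resource and scopes it carries. The sample tokens and the api:// client id are constructed placeholders.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking its signature.
    Good enough to see which audience and scopes a token carries; never
    use it to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def describe_token(token: str) -> dict:
    """Pull out the claims that answer 'which API is this token for?'."""
    claims = decode_claims(token)
    scp = claims.get("scp")
    return {
        "aud": claims.get("aud"),            # intended recipient (resource)
        "ver": claims.get("ver"),            # "1.0" or "2.0" token format
        "scp": scp.split() if scp else [],   # delegated permissions granted
        "roles": claims.get("roles", []),    # application permissions, if any
    }

def token_fits_api(token: str, expected_aud: str, required_scope: str) -> bool:
    """True only if the token is addressed to our API and carries the scope."""
    info = describe_token(token)
    return info["aud"] == expected_aud and required_scope in info["scp"]

def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned demo token (fake signature segment)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.fakesig"

# Constructed samples: the two cases described in the answer above.
GRAPH_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "ver": "1.0",
    "scp": "Directory.Read.All Group.Read.All User.Read profile openid email"})
API_TOKEN = make_sample_token({"aud": "api://00000000-0000-0000-0000-000000000000",
    "ver": "2.0", "scp": "access_as_user"})
```

A Graph-audience token will never satisfy token_fits_api for your own API, which is exactly the symptom of requesting the wrong scope set.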

What's the difference between User.Read and OpenID+Profile+Email scopes

Does User.Read "contain" the permissions email, openid and profile? I've found that apps that request these three scopes can instead accept just the User.Read permission and still function equivalently.
At work I'll get requests from the business to help them set up SSO using OIDC, and I'm not actually sure what permissions I should be giving them. It seems like either option works, but I'd like to better understand what's happening.
See my observations below:
I've created a basic Function App and configured it to use OpenID Connect.
My App Registration already has the User.Read permission with admin consent, so when I log into my Function, there's no issue.
However, after removing the User.Read permission and logging in, I now get a permissions request prompt.
And after consenting to the permissions, I can now see that the email, openid and profile permissions were added.
Even more interesting, the permissions in the request prompt correlate to openid and offline_access, but offline_access wasn't added, while email and profile weren't in the request.
I did find a similar question, but the accepted answer doesn't seem to align with what I see here
Generally I would favour the OAuth standard design where fields like these are Personally Identifiable Information (PII). So each app should only use the smallest scope it needs, as an information disclosure best practice. See also this Curity article.
Name
Email
Phone
Address
The Graph API can also be used with standard scopes, as in step 11 of this blog post of mine, where I wanted to get hold of user info in an API. So if this works for you I would prefer it. Personally I also prefer standard scopes so that my application code is portable.
Microsoft's design is based on each API requiring a different access token, the resource indicators spec. It is interesting, though perhaps not always intuitive. I am no expert on Azure AD though, and there may be some intended usage I do not understand.
User.Read is a scope intended to be used when requesting an access token for the Microsoft Graph API. It grants privileges to read the profile of the signed-in user only. A separate call to the Microsoft Graph API is required to retrieve the profile.
openid, email, profile and offline_access are OpenID Connect scopes:
openid is used to request an id token.
offline_access is used to request a refresh token which can later be used to get a new access token.
email to request an email claim.
profile to request several user claims (e.g. preferred_username).
Both email and profile can be used to augment the information available from the UserInfo endpoint; however, it is recommended to use the id token, which is already a superset of the information available at that endpoint.

Azure B2C - renew session

I have a React app that uses Azure B2C to authenticate users (PKCE flow).
There is a requirement to keep the session active as long as the user has some activity.
I cannot use "Rolling" for session timeout, because some of the requests are made by an independent job, which is not triggered by the user.
Here is my question - how can I control renewing the session? I would like to renew the session every time I am getting the access token.
Access tokens and ID tokens are short-lived. Since you are using the Authorization Code grant flow of OAuth, after they expire you must refresh them to continue to access resources.
Hence, in order to use the refresh token, you would have to send a POST request to the /token endpoint of B2C with the scope (i.e. provide the refresh_token instead of the code in the request); see reference 1.
Make sure to add the scopes along with the AppId: 'openid profile offline_access AppId'
Ex: scope: 'openid profile offline_access XXXXXX-f9a4-4b8e-XXXX-dXXXXXXX01f'
References:
1. Authorization code flow - Azure Active Directory B2C | Microsoft Docs
2. microsoft-authentication-library-for-js/FAQ (github.com)

Azure AD: silently get token with particular scope, but get token without this scope

I set up a Web API application in Azure AD and defined some scopes for it, and also set up an SPA application and gave it permission to the created scopes.
When I log in, I explicitly request this API scope and have to grant permission to it. But when I request a token silently with this scope, I can't find it incorporated in the token.
Here is the request to get a token with the app scope:
Here is the token I get (without my custom scope):
Could you help me understand why this is happening?
User.Read is a permission of Microsoft Graph. It recognizes the resource you want to access as Microsoft Graph.
Please remove it when you refresh your access token. Just put api://{client-id}/access_as_user openid profile offline_access as the scope.

powerbi api authentication - wrong scope

I am trying to get the list of datasets for a particular tenant, using:
https://api.powerbi.com/v1.0/myorg/datasets
I then get a 403 error; it seems that my access code is not suitable for this call.
I could get an access_code successfully, but I assume it has the wrong scope since the response states:
"scope": "openid profile email User.Read"
Yet I granted the correct permissions in Azure.
When I try to add the scope openid offline_access DataSet.ReadWrite.All to the authentication call, I get an invalid_grant error.
Try openid profile email https://analysis.windows.net/powerbi/api/.default as the scope.
You can find this endpoint while adding the Power BI permission in the Azure Portal.

Microsoft Graph API - new delegated permission removing application permissions

I'm using the v1 Azure AD auth URLs (/common/oauth2/authorize) for a multi-tenant app that requires admin_consent.
I've attempted to add a new scope Directory.AccessAsUser.All. It is the first 'delegated' permission I'm requesting when all my other scopes are 'application' level permissions.
When I added that new delegated scope and prompted the admin to re-consent, the other scopes disappeared from the returned AccessToken and the responses scope parameter. Only Directory.AccessAsUser.All is present in the access_token scp field.
Is there any reason this behavior would occur? I'm positive that we are prompting for admin_consent and that an admin is the one consenting.
The scopes specified in scp will depend on which OAuth flow you used to obtain the token. You cannot have a single access_token with both Delegated and Application scopes.
Application scopes are applied when using the Client Credentials flow (client_credentials).
Delegated scopes are applied when using either Authorization Code or Implicit flows (authorization_code or implicit).
Update: I've written a more in-depth post about this topic that might help folks facing similar issues: Application vs Delegated Scopes.