Menu
MSAL behaves as though there is a hard-coded catch 22 at its API library layer that seems illogical when I use it.
string[] scopesArrayNonNullWORKS = new string[] { "email" };
string[] scopesArrayAlreadyThereInMsalCalls_FAILS = new string[] { "openid" };
string[] scopesArrayNoExtraScopesNeeded_FAILS = new string[0];
Microsoft.Identity.Client.ConfidentialClientApplication myCliApp;
myCliApp.AcquireTokenByAuthorizationCodeAsync(code, scopesArray);
MSAL has built in and hard coded these scopes on every call: openid , profile , offline_access .
This is fine and works for me. I have no need for any additional scopes.
However, I can’t use null or an empty scopes list. It is like the MSAL library layer is forcing me to ask for scopes I do not need or want. If I include email (which I don’t’ need) then the library layer is happy with a non-null Scopes parameter and everything works.
If I use the one scope I need, openid, then the library layer errors because I have included a duplicate scope openid which was already there.
This seems like a catch 22 and cyclically illogical. I can’t use the scopes I need, or, it errors because they are predefined. I can’t pass in an empty list of scopes (and use the pre-defined) or it errors. If I pass in a non-null scope that I do not want or need then it works.
I must be missing a critical conceptual detail.
I would like to use these 3 and only these 3 scopes ... openid , profile , offline_access .
An Error Example of this catch 22: MSAL always sends the scopes 'openid profile offline_access'. They cannot be suppressed as they are required for the library to function. Do not include any of these scopes in the scope parameter.
351
To acquire tokens for specific scopes of a v1. 0 application (for example the Microsoft Graph API, which is https://graph.microsoft.com), create scopes by concatenating a desired resource identifier with a desired OAuth2 permission for that resource.
If the client requests scope=https://graph.microsoft.com/.default , no consent prompt is shown, regardless of the contents of the client application's registered permissions for Microsoft Graph. The returned token contains the scopes Mail. Read and User.
For the API permissions of most of the services in Azure Portal, you can see User_Impersonation delegated permission. This is because user_impersonation permission is enough to access that particular service API on behalf of the signed user.
The question wasn't really formulated as a question, but if your question is really "is it possible to authenticate to a application which doesn't require additional scopes", then I found a workaround which is definitely a hack and may not work forever. I couldn't throw in any placeholder scopes to make the client API happy, because the server rejected them. But sending in a blank space made the API shut up and did not seem to affect the application at all.
string[] scopes = new[] {" "};
120
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
