Scopes Not Returned w/ Client Credential Flow

Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?


In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔

Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.

[screenshot: scopes defined on the Web API]

[screenshot: Web API Client A API permissions]

I ran across this Azure Feedback item, "V2.0 Client Credentials Implement Scopes", so it appears scopes aren't supported in Azure AD under the client credential flow?

What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?

It would seem I would have to use application permissions?

asked by spottedmahn, Nov 04 '19 21:11



2 Answers

Yes, you have to use application permissions.

Scopes, aka delegated permissions, only apply when a user is involved in the login process. They allow you to act on behalf of a user.

Application permissions are sort of roles given to the application itself. They only apply when doing client credentials authentication, where no user is involved. You can define application permissions on the app via the Manifest in the app registration. These can then be assigned to the client application. When getting the token, you must use .default because you cannot change your app permissions dynamically. You always get what has been granted already. In the token the permissions will be in a roles claim.

answered by juunas, Nov 27 '22 22:11


Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?

No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:

[screenshot: manifest configuration]

Then you can provide the client app permission:

[screenshot: client permission grant]

Now, when requesting a token with a scope of api://web-api-client-credential-flow/.default, the "scopes" are returned in the roles claim. Sample JWT:

[screenshot: JWT showing the roles claim]

answered by spottedmahn, Nov 27 '22 22:11
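Both answers describe the same shape: an appRoles entry in the Web API manifest, a token request that must use /.default, and authorization on the resulting roles claim. The following is an added example (not code from either answer or from Azure AD); the role name Widgets.Read.All, the placeholder GUID, and the unsigned sample token are constructed for illustration.

```python
import base64
import json

# Constructed example of the appRoles entry added to the Web API's manifest.
# allowedMemberTypes ["Application"] is what makes it an application permission
# (assignable to a daemon/client app) rather than a delegated scope.
APP_ROLE = {
    "allowedMemberTypes": ["Application"],
    "description": "Allows the calling app to read widgets",
    "displayName": "Widgets.Read.All",
    "id": "00000000-0000-0000-0000-000000000001",  # placeholder GUID
    "isEnabled": True,
    "value": "Widgets.Read.All",  # this string is what shows up in the roles claim
}


def token_request_body(client_id, client_secret, api_app_id_uri):
    """Form fields the client posts to the v2.0 token endpoint. Only /.default
    is accepted: the token carries whatever roles were already granted."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_app_id_uri}/.default",
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt):
    """Return the JWT payload. The signature, issuer, audience and expiry must
    be validated (against the tenant's JWKS) before any claim is trusted; that
    step needs network access and is deliberately outside this offline example."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_app_role(payload, required):
    """Application permissions arrive in 'roles'; delegated scopes would be in
    'scp'. A client-credentials token has no user and therefore no 'scp'."""
    return required in set(payload.get("roles", []))


# Constructed, unsigned token with the shape the asker saw (not a real Azure AD token).
_claims = {"aud": "api://web-api-client-credential-flow", "roles": ["Widgets.Read.All"]}
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                       _b64url(json.dumps(_claims).encode()), "sig"])
```

The Web API answers the asker's "how could the Web API know" question by calling has_app_role on the validated payload and rejecting the request when the required role is absent.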