Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔
Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.
I ran across this Azure Feedback item: V2.0 Client Credentials Implement Scopes so it appears scopes aren't supported in Azure AD under the client credential flow?
What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?
It would seem I would have to use application permissions?
How it works: The application authenticates with the Auth0 Authorization Server using its Client ID and Client Secret (/oauth/token endpoint). Auth0 Authorization Server validates the Client ID and Client Secret. Auth0 Authorization Server responds with an access token.
The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.
The token endpoint does not issue a refresh token as refresh tokens are not supported by the client credentials grant. The client credentials grant type is less secure than the authorization code grant type.
Yes, you have to use application permissions.
Scopes aka delegated permissions only apply when a user is involved in the login process. They allow you to act on behalf of a user.
Application permissions are sort of roles given to the application itself. They only apply when doing client credentials authentication, where no user is involved. You can define application permissions on the app via the Manifest in the app registration. These can then be assigned to the client application. When getting the token, you must use .default because you cannot change your app permissions dynamically. You always get what has been granted already. In the token the permissions will be in a roles claim.
Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:
Then you can provide the client app permission:
Now when requesting a token with a scope of api://web-api-client-credential-flow/.default, the "scopes" are returned in the roles claim. Sample JWT:
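To show the Web API side of the answer above (how the API knows which application permission the daemon holds), here is an added example that is not part of either answer: it reads the roles claim of a client-credentials token and the scp claim of a delegated token, with a constructed appRoles manifest fragment and a constructed sample token whose GUID and client id are placeholders.

```python
import base64
import json

# Constructed example of the appRoles entry added to the Web API's manifest.
# The id is a placeholder; in a real registration it is any fresh GUID.
WEB_API_APP_ROLES = [{
    "allowedMemberTypes": ["Application"],   # app permission, not a user role
    "description": "Allows the app to read orders without a signed-in user",
    "displayName": "Orders.Read.All",
    "id": "00000000-0000-0000-0000-000000000001",
    "isEnabled": True,
    "value": "Orders.Read.All",               # string that lands in 'roles'
}]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Signature, issuer, audience and expiry must already have been verified
    by the token-validation library in front of this; it only reads claims."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims: dict) -> set:
    """Application permissions arrive in 'roles' (client credentials flow);
    delegated permissions arrive in 'scp' as one space-separated string
    (user-involved flows). A daemon token normally carries no 'scp' at all."""
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def has_app_role(claims: dict, required: str) -> bool:
    """True only when the app permission is present in the 'roles' claim."""
    return required in claims.get("roles", [])


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed sample token (alg 'none', illustration only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample of a client-credentials token: the .default request
# yields exactly the roles already granted to the client, and no 'scp'.
SAMPLE_DAEMON_TOKEN = _make_unsigned_token({
    "aud": "api://web-api-client-credential-flow",
    "appid": "daemon-client-id-placeholder",
    "roles": ["Orders.Read.All"],
})
```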