Removing earlier permissions consented by Users from scope/accesstoken for MS Team App.

Shubhi Saxena 1

Urgent help required! Thanks

I have created a bot service and connect with AAD to let user login to their Microsoft O365 Delegated permission and can change the permission in the future like the attached image

First i login the user with two scopes (scope1 & scope2) and received the accesstoken for these two permission.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=<client_id>&response_type=code&redirect_uri=<r_url>&response_mode=query&state=<somestate>&
scope=<scope1 scope2>
&prompt=consent

Response :

{.., scope:"scope1 scope2",...}

But when i change the scope to only scope1 it is still giving me both the scope with accesstoken.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=<client_id>&response_type=code&redirect_uri=<r_url>&response_mode=query&state=<somestate>&
scope=<scope1>
&prompt=consent

Response : {.., scope:"scope1 scope2",...}

How can i dynamically provide scope while login or how to logout the user so that previous scope will be removed and fresh scope can be provided?

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-08-27T13:42:17.567+00:00

@Shubhi Saxena , Thank you for reaching out. Can you help me with the request to the /token endpoint? I ask this information, as it all matters as what is present under the scp section of the issued Access Token.
soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-08-27T15:12:55.477+00:00

@Shubhi Saxena , I was going through the RFC for the Authorization Code Grant flow and it looks like, the scope parameter is optional when you are sending the request to the /token endpoint. Now, for the /authorize endpoint, it looks like is going by the specs of loading all the consented scopes for that user when issuing the code, hence we are seeing both scope1 and scope2 listed.

Now, I am working a little more to dig deeper and might be able to share some more details by the next day.
Shubhi Saxena 1 Reputation point

2020-08-31T06:01:29.817+00:00

Thank you for your response. Do we have anything on /authorize to just load the current scope rather than all the consented scopes or modify the consented scope like in future if app is no longer using any specific permission.

1 answer

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-08-31T06:12:15.047+00:00

@Shubhi Saxena , I would like to share an update with you that on something that I recently discovered. When you make a call to the /authorize endpoint of AAD, irrespective of the fact that how may scopes you add in the request, when the code is issued by AAD, it would be adding up all the consents that have been consented until then in the code. This is termed as additive scopes. Now whatever is present in the code, the same scopes get added to the token.

I tested it out and also got some confirmation from the backend product team also on this.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Please sign in to rate this answer.
Shubhi Saxena 1 Reputation point

2020-08-31T08:58:46.913+00:00

Okay got it, and just one more thing want to confirm so there is no option / parameters to remove earlier consented scopes?

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-08-31T15:16:35.53+00:00

@Shubhi Saxena , There is, but that you would have to do on the service principal, like deleting the service principal object and recreating it. But through a request when being sent to /authorize endpoint, no there is no way to get rid of the extra scopes, as this is a by design and that's what we termed as additive scopes, as it keeps on adding all the consented scopes and adds them to your code or access token.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-09-01T06:49:29.64+00:00

@Shubhi Saxena , Just wanted to check if the above response helped you or if there are any more queries around this so that we can help you better.

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-09-03T10:20:29.11+00:00

@Shubhi Saxena , Just wanted to check if the above response helped you or if there are any more queries around this so that we can help you better.

soumi-MSFT 11,781 Reputation points Microsoft Employee

2020-09-07T04:27:10.387+00:00

@SubhiSaxena-3765 , Just wanted to check if the above response helped you or if there are any more queries around this so that we can help you better. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Removing earlier permissions consented by Users from scope/accesstoken for MS Team App.

1 answer

Your answer