OAuth 2.0 authorization - revoke specific scope

alexabidri 101 Reputation points
2020-11-04T10:13:28.397+00:00

Hi guys,

I am building my app to allow some users to access some of their data from Outlook following this flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

  • Mail
  • Contacts
  • Calendar

I want to let the users choose which scopes they want to let my app be authorized for.
For example, a user may just want to choose Mail + Contacts; in that case the scope would be ['Mail.Read', 'Contacts.Read']

I can add the calendar scope later if the user wants; in that case I can send either ['Calendars.Read', 'Mail.Read', 'Contacts.Read'] or ['Calendars.Read']. For the last one, the Microsoft API is able to remember the scopes already authorized, that's why it works.

My issue comes if the user wants to remove a specific scope but still keep the others. In that case, I didn't find any solution to perform it.

My original idea was just to send the scopes I want, but as I said previously, the Microsoft API always remembers the previous scopes. So it can only add but never revoke.

The Google API lets you choose whether or not to include granted scopes when dealing with scopes. (doc https://developers.google.com/identity/protocols/oauth2/web-server - include_granted_scopes)

Thanks in advance for your reply,

Alex

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. alexabidri 101 Reputation points
    2020-11-24T05:27:26.173+00:00

    Thank you @soumi-MSFT for your reply. What you wrote is something I already understand. But I would like to know, in the case the user just wants to remove one specific scope, how can he do it?

    When generating the token, I want to tell the oauth2 endpoint that I want to remove one specific scope added before.


2 additional answers

Sort by: Most helpful
  1. alexabidri 101 Reputation points
    2020-11-24T06:00:16.237+00:00

    Okay, I understand. Is there a way through the Microsoft Graph API to remove an OAuth2 permission grant for an app (kind of a reset) and do the OAuth2 flow again, so I can remove all scopes first and re-add the ones I really want?

    I would want to do it for a personal Microsoft account.

    I saw this link https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-delete?view=graph-rest-1.0&tabs=http but it seems to only work for work/school accounts.

    Or do you have any ideas how to achieve the scenario I want (enable removing a specific scope)?

    1 person found this answer helpful.

  2. soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
    2020-11-04T12:56:43.077+00:00

    Hello @alexabidri, thank you for reaching out. Yes, you are correct, this is termed Additive Scopes, in which, if you are using the Auth_Code Grant flow, then in the request to the /authorize endpoint you can mention separate scopes as per your need and then get them consented.

    But once you call the /token endpoint to get an access token from AAD, AAD would push all the previously consented scopes into your access token. Let's go through an example to understand this behavior better.

    1. Let's say I create an app registration and I create a request for the /authorize endpoint of AAD to get a code.
    2. In this request to the /authorize endpoint, let's say I specify a single scope like "Calendars.Read" and successfully consent to this scope and get the code.
    3. Now I make a call to the /token endpoint of AAD and request a token for, let's say, Graph API. I get the access token for Graph API and in the scp key inside the access token, I see only Calendars.Read is listed.
    4. Now I make another attempt to get another code from AAD and this time I specify the scope parameter with a value of "Files.Read" only and then successfully consent to it.
    5. Next, when I make a call to the /token endpoint of AAD and fetch an access token, in its scp key I would find Calendars.Read as well as Files.Read listed, since Calendars.Read was previously consented.

    So this behavior is the default behavior, where all the consented permissions get pushed into the access token.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
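The following is an added example illustrating the additive-scope behavior walked through in the answer above; it is not code from the question, the answers, or Microsoft. It builds the v2.0 /authorize URL with exactly the scopes the user picked this time, then inspects the `scp` claim of a constructed sample access token and reports which scopes are present that were not requested in the latest flow. That difference is the practical check an app wants: if it is non-empty, previously consented scopes are still being issued and only a consent reset (not a smaller scope parameter) will drop them. The tenant (`consumers` for personal accounts), client id, redirect URI and the token payload are constructed placeholders, and the token is decoded without signature verification, which is acceptable for a client looking at its own token but never for a resource server deciding whether to accept one.

```python
"""Added example: inspect the scp claim to detect additive consent.

Not code from the question or answers. All identifiers below are
constructed placeholders; the sample token is unsigned and exists only
so the example runs offline.
"""
import base64
import json
from urllib.parse import urlencode

# Microsoft identity platform v2.0 authorize endpoint; tenant is
# "consumers" for personal accounts, "common"/"organizations" otherwise.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Auth code flow request carrying only the scopes chosen this time.

    OAuth 2.0 scopes are space-separated; urlencode() form-encodes the
    space as '+'. The `state` value should be an unguessable per-request
    token so the callback can be tied to this request.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_claims_unverified(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    Inspection only: a resource server must validate signature, issuer,
    audience and expiry before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token):
    """Delegated permissions in the `scp` claim, as a set of scope names."""
    scp = decode_claims_unverified(token).get("scp", "")
    return set(scp.split())


def unrequested_scopes(token, requested):
    """Scopes the token carries that were not in the latest /authorize request.

    A non-empty result is the additive-consent behavior in action: the
    user consented to these earlier and AAD keeps issuing them.
    """
    return token_scopes(token) - set(requested)


def _make_sample_token(claims):
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.signature-placeholder"


# Constructed token mirroring step 5 above: Calendars.Read was consented
# earlier, Files.Read was the only scope in the latest /authorize request.
SAMPLE_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Calendars.Read Files.Read",
})

if __name__ == "__main__":
    print(build_authorize_url("consumers", "00000000-0000-0000-0000-000000000000",
                              "https://example.invalid/callback", ["Files.Read"], "state-xyz"))
    print("scopes in token:", sorted(token_scopes(SAMPLE_TOKEN)))
    print("not requested this time:", sorted(unrequested_scopes(SAMPLE_TOKEN, ["Files.Read"])))
```

Running the module prints the authorize URL for the latest request and then `['Calendars.Read']` as the scope that came back without being asked for, which is exactly the case the question is about. Sending a smaller `scope` parameter cannot remove it; the grant itself has to be revoked and consent redone with the desired set.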

