Dynamic scope / claims for OAuth2 / OIDC flows using EntraID

Harsh Thakker 0 Reputation points
2024-10-18T15:35:56.1866667+00:00

Hi,

I'm working on an application that needs to access an API on behalf of its users.

For this, I'm looking to implement an OAuth2 / OIDC flow for the application to:

  1. Get consent from users every time it performs an operation using the API, and
  2. Have access tokens issued, to be able to access the API to perform these operations.

Standard OAuth / OIDC flows have static scopes; however, I need the scopes to be dynamic, based on the actual operation being performed by the application against the API.

For example, if the application is changing a file name from "A.txt" to "B.txt", I want:

  1. Entra ID to display this specific "change FileName A.txt to B.txt" operation to users on the consent screen, to review & approve, and
  2. This operation to be included as a claim within the access token issued to the application.

I have found an extension of OAuth2 called "OAuth2 with Rich Authorization Requests" that enables this type of dynamic & fine-grained authorization. Is this flow supported by Entra ID?

If not, can this be achieved using "openid" as the scope & using the "claims" parameter for the dynamic operations to be consented by the users?
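As an added illustration (not part of the question or answer, and, per the answer, not something Entra ID offers), this is what the Rich Authorization Requests (RFC 9396) `authorization_details` parameter looks like for the rename operation above, together with the check a resource server would run against the token's `authorization_details` claim. The `file_rename` type, the API URL, and the `new_name:` privilege encoding are hypothetical values an API owner would define; `build_authorize_query`, `parse_authorization_details` and `operation_authorized` are names chosen here.

```python
import json
from urllib.parse import urlencode, parse_qs

# Constructed RFC 9396 authorization_details entry for the question's
# "rename A.txt to B.txt" operation. The type name, location URL and the
# privilege encoding are hypothetical; the API owner defines them.
RENAME_A_TO_B = {
    "type": "file_rename",                            # hypothetical type
    "locations": ["https://api.example.com/files"],  # placeholder API
    "actions": ["rename"],
    "identifier": "A.txt",
    "privileges": ["new_name:B.txt"],
}


def build_authorize_query(client_id, redirect_uri, details):
    """Client side: the /authorize query carries the static scope plus the
    per-operation authorization_details parameter (JSON array, URL-encoded)."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "authorization_details": json.dumps(details, separators=(",", ":")),
    })


def parse_authorization_details(query):
    """Authorization-server side: recover the array the consent screen renders."""
    raw = parse_qs(query).get("authorization_details", [None])[0]
    return json.loads(raw) if raw else []


def operation_authorized(token_claims, operation):
    """Resource-server side: allow the operation only if the token's
    authorization_details claim has an entry covering it exactly (same type
    and identifier, every requested action and privilege present). A token
    that carries only static scopes, or no list-valued claim, is denied."""
    granted = token_claims.get("authorization_details")
    if not isinstance(granted, list):
        return False
    for entry in granted:
        if (isinstance(entry, dict)
                and entry.get("type") == operation["type"]
                and entry.get("identifier") == operation["identifier"]
                and set(operation["actions"]) <= set(entry.get("actions", []))
                and set(operation["privileges"]) <= set(entry.get("privileges", []))):
            return True
    return False
```

The deny-by-default branch is the point: a token issued for a broad static scope says nothing about this particular rename, so the resource server must not treat it as consent for the operation.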


1 answer

  1. Navya 12,405 Reputation points Microsoft Vendor
    2024-10-21T05:47:54.4666667+00:00

    Hi @Harsh Thakker

    Thank you for posting this in Microsoft Q&A.

    I understand you are looking to implement a dynamic OAuth2/OpenID Connect (OIDC) flow for your application that requires user consent for specific operations each time an API call is made. This involves displaying specific operations on the consent screen and including them as claims in the issued access token.

    Unfortunately, the OAuth2 with Rich Authorization Requests flow is not supported in Microsoft Entra ID.

    I would request you to please share the feedback on our feedback channel, https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789, which is open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature.

    "Can this be achieved using "openid" as the scope & using the "claims" parameter for the dynamic operations to be consented by the users?"

    No, you cannot achieve this using the OpenID scope. The OpenID scope operates based on the permissions specified in the application within Entra ID.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

