Scope are not supported while getting authCodeUrl with protocol mode OIDC

Question

Scope are not supported while getting authCodeUrl with protocol mode OIDC

Anonymous

CIAM: Azure AD B2C

Library: MSAL NodeI
I am migrating from client secret to federated credential with AKS. Therefore, I have to change the default AAD protocol to OIDC.

this.client = new ConfidentialClientApplication({
            auth: {
                clientId: configuration.clientId,
                authority: this.signInSignUpAuthority,
                knownAuthorities: [`https://${authorityDomain}`],
                protocolMode: `OIDC`,
                clientAssertion: `${clientAssertionValue}`
            }
        });

Unfortunaely, it does not work while getting AuthCodeUrl. I am stuck and did not find what is the problem here.

result = await this.client.getAuthCodeUrl({
                authority: authority,
                redirectUri: this.configuration.baseRedirectUri + 'auth/' + ActionPathname.REDIRECT,
                scopes: this.configuration.scopes,
                codeChallenge: challenge,
                codeChallengeMethod: 'S256',
                state: state ?? undefined
            });

Both openid and offline_Access scopes are added to App in the App registration. Screenshot 2025-03-27 at 11.27.33

error: invalid_request

**error_description:**AADB2C90012: The scope 'openid profile offline_access' provided in request is not supported.

state: {"target":"https://localhost:3000/","appStage":0}

Goutam Pratti 6,215 Reputation points Microsoft External Staff Moderator

2025-04-14T14:23:55.5233333+00:00

Hello @Rajan ,

I Understand that you are using Azure AD B2C with MSAL Nodel Library where you are migrating from client secret to federated credential with AKS. Therefore, you had changed the default AAD protocol to OIDC. Also, I see openid and offline_Access scopes are added to App in the App registration. But you are facing error AADB2C90012: The scope 'openid profile offline_access' provided in request is not supported.

I see many of them raised a concern with the same error you are getting because the MSAL v3 version has an issue where B2C authorities aren't appended the "/v2/" path when generating the well-known/openid-configuraiton endpoint URL (effectively going to the v1 config endpoint), causing the /authorization endpoint URLs to comeback missing the /v2/ path as well.

I recommend you to as a work around if you are using V3 MSAL version downgrade to the v3 beta version or to manually configure the authorityMetadata option as shown in this Performance docs.

you can refer the issues and work around: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/6342 , https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/6340

Hope this helps. If you have any additional queries let us know. Happy to assist you further.

If the issue still persists let me know we will connect offline and discuss further on this issue.
Goutam Pratti 6,215 Reputation points Microsoft External Staff Moderator

2025-04-15T10:52:51.47+00:00

Hello @Rajan ,

following upto see if the above suggestion is helpful.Let us know if you have any additional queries. Happy to assist you further.
Goutam Pratti 6,215 Reputation points Microsoft External Staff Moderator

2025-04-16T11:06:22.9266667+00:00

Hello @Rajan ,

following upto see if the above suggestion is helpful.Let us know if you have any additional queries. Happy to assist you further and discuss it offline.