azure-ad consent experience

testuser7 271 Reputation points
2022-02-16T12:03:49.103+00:00

I have an observation about Azure-AD Consent experience.

When my client-app prepares OAuth request and sends it on /authorize endpoint to collect the temp-code as shown below

https://login.microsoftonline.com/5abbc4c8-c6a0-4211-b75f-7392037vv3/oauth2/v2.0/authorize?client_id=068ab326-1bf7-4993-9dc8-21c4e2254479&scope=**https://graph.microsoft.com/openid**&redirect_uri=https://jwt.ms&response_type=code

I realized that Azure AD NEVER takes the user's consent when the scope is made up of only openid, email or profile.
I also noticed that no entry is created in Service-Principal --> oauth2PermissionGrants.

Can somebody help me understand the logic and rationale behind it?

Thanks


1 answer

Sort by: Most helpful
  1. Shweta Mathur 29,741 Reputation points Microsoft Employee
    2022-02-16T17:49:42.71+00:00

    Hi @testuser7 ,

    Thanks for reaching out.

    I understand that you are trying to understand the unique behaviour of the “openid” scope compared to other scope values.

    OpenID Connect is the top layer of OAuth for authentication. So, when we are using OIDC (scope=openid in the authentication request), it will return an ID token which contains the user’s information.

    The scope parameter must have "openid" as a mandatory scope, and it will return a sub claim which represents a unique identifier for the authenticated user.


    Along with openid, profile and email are built-in scopes provided by OpenID Connect, so an application can request access to a large amount of information about the user which is required for authentication.

    profile requests access to the user’s default claims (name, profile, picture) and can be used with the openid scope and any other scope.
    email requests access to the email only if an email address is associated with the user account.

    There is no consent required either from the user or the admin for “openid”, as it is a mandatory scope to obtain the user’s information based on the user’s credentials passed.

    As there are no permissions granted by the user or admin to the application for the “openid” scope, there are no permissions reflected for the service principal in Enterprise applications either.

    On the other hand, when you provide other scope values (mail.read, user.write) which allow your application to get consent for multiple resources, then user consent or admin consent is needed for authorization purposes, and the same will be reflected in the Service Principal’s permissions.

    Reference Doc: openid-connect-scopes

    Hope this will help to clarify your query.

    Thanks,
    Shweta

    ------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

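To make the behaviour described in the thread checkable, here is an added example (not code from the question author, the answerer, or Microsoft) that parses a v2.0 /authorize request URL and sorts its scope values into the built-in OIDC scopes (openid, profile, email), which trigger no consent prompt and no oauth2PermissionGrants entry, and everything else, which does. The sample URLs and the TENANT_ID/CLIENT_ID placeholders are constructed; treating a value like https://graph.microsoft.com/openid as a resource-qualified form of openid is an assumption.

```python
from urllib.parse import urlparse, parse_qs

# Built-in OpenID Connect scopes that, per the answer above, require no
# user or admin consent and leave no oauth2PermissionGrants entry.
OIDC_BUILTIN_SCOPES = {"openid", "profile", "email"}

# Constructed sample requests (placeholder tenant and client IDs).
URL_OIDC_ONLY = (
    "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER&scope=https://graph.microsoft.com/openid"
    "&redirect_uri=https://jwt.ms&response_type=code"
)
URL_MIXED = (
    "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER"
    "&scope=openid%20profile%20https://graph.microsoft.com/Mail.Read"
    "&redirect_uri=https://jwt.ms&response_type=code"
)


def extract_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scope values of an /authorize request."""
    query = parse_qs(urlparse(authorize_url).query)
    return [s for s in query.get("scope", [""])[0].split() if s]


def split_scope(scope: str) -> tuple[str, str]:
    """Split a scope into (resource, permission).

    Assumption: 'https://<resource>/<permission>' is resource-qualified;
    a bare value such as 'openid' has no explicit resource.
    """
    if "://" in scope:
        resource, _, permission = scope.rpartition("/")
        return resource, permission
    return "", scope


def classify(authorize_url: str) -> dict:
    """Predict consent and oauth2PermissionGrants behaviour for a request."""
    consent_free, needs_consent = [], []
    for scope in extract_scopes(authorize_url):
        _, permission = split_scope(scope)
        # Comparison is case-insensitive here as a normalization assumption.
        (consent_free if permission.lower() in OIDC_BUILTIN_SCOPES
         else needs_consent).append(scope)
    return {
        "consent_free": consent_free,
        "needs_consent": needs_consent,
        "consent_prompt_expected": bool(needs_consent),
        "oauth2PermissionGrant_expected": bool(needs_consent),
    }
```

Run `classify(URL_OIDC_ONLY)` to see the no-consent case from the question, and `classify(URL_MIXED)` to see only the Graph permission flagged as needing consent.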
