Scope "offline_access" isn't being returned in the token response.

Vinay Ramkrishnan 1 Reputation point
2022-04-08T19:50:43.473+00:00

Hi,

I am testing an OAuth integration using the OAuth v2.0 endpoints.

In my initial request to oauth2/v2.0/authorize I am sending a request containing the following scopes:
User.Read, offline_access, Files.Read.All

And then for the second token endpoint oauth2/v2.0/token, I pass the code from the authorize step, along with grant_type as authorization_code and the redirect_uri.
The response returned contains the access_token and the refresh_token as expected, but the returned list of scopes doesn't contain offline_access. Is it a bug, or is that expected and just some misunderstanding on my part?

My returned list of scopes is as follows:

"scope":"Files.Read.All openid User.Read profile email"

~Vinay


1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2022-04-11T04:17:22.33+00:00

    Hi @Vinay Ramkrishnan • Thank you for reaching out.

    This is expected. The offline_access scope is used to request a refresh token and is never returned as a scope because it cannot be a part of the access token and cannot be used for scope-based authorizations.

    As highlighted below, even when the offline_access scope is specified in the request, it is not returned as a scope:

    191702-image.png

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
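
A client-side check that follows from the answer above, as an added example that is not part of the original thread or Microsoft's code: it validates requested resource scopes against the returned `scope` string and confirms `offline_access` by the presence of a `refresh_token` instead. The function name `check_grant` and the token placeholders are assumptions; the scope string is the one quoted in the question.

```python
import json

# Scopes that steer token issuance and, per the answer above, are never
# echoed back in the "scope" field of the token response.
NON_ECHOED_SCOPES = {"offline_access"}


def check_grant(requested, token_response):
    """Compare requested scopes with a v2.0 token response.

    Returns a dict with:
      missing    - requested resource scopes absent from "scope"
      extra      - returned scopes that were not requested
      refresh_ok - True if offline_access was not requested, or a
                   refresh_token was actually issued
    """
    requested = set(requested)
    granted = set(token_response.get("scope", "").split())

    # offline_access is verified by its effect (a refresh token),
    # not by looking for it in the granted scope list.
    wants_refresh = "offline_access" in requested
    has_refresh = bool(token_response.get("refresh_token"))

    resource_scopes = requested - NON_ECHOED_SCOPES
    return {
        "missing": sorted(resource_scopes - granted),
        "extra": sorted(granted - resource_scopes),
        "refresh_ok": has_refresh or not wants_refresh,
    }


# Constructed sample: scope string copied from the question,
# token values are placeholders (hypothetical).
SAMPLE_RESPONSE = json.loads("""{
  "token_type": "Bearer",
  "scope": "Files.Read.All openid User.Read profile email",
  "access_token": "<access-token-placeholder>",
  "refresh_token": "<refresh-token-placeholder>"
}""")

if __name__ == "__main__":
    asked = ["User.Read", "offline_access", "Files.Read.All"]
    print(check_grant(asked, SAMPLE_RESPONSE))
```

A naive set comparison of requested versus returned scopes would report `offline_access` as denied here; the `extra` list also surfaces scopes such as `openid`, `profile` and `email` that appear in the response without having been requested.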