MSAL for Node not using requested scopes


So I passed the email and profile scopes to the function that generates redirect URLs, and when I try it myself, I'm finding that there are always three defaults only - profile, openid, and offline_access. I don't want offline_access, and I need the email scope. What am I doing incorrectly for this to happen?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,187 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Shweta Mathur 29,006 Reputation points Microsoft Employee

    Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ,

    Thanks for reaching out.

    I understand you are trying to get the openid, profile and offline_access scopes in the access token and not able to get the email scope.

    Could you please confirm when you are saying getting three scopes - profile, openid and offline_access. Where and how you are able to check that?
    Did you tried to decode the token you are getting using and not getting email there?
    Did you tried the same request using postman and facing the same issue there as well?


    openID, profile and email are built in scopes provided by openID connect so application can request access to large amount of information about the user which is required for authentication.
    There might be chance that there is no email address associated with the Azure AD account, then even if you include the email scope you may not get any email claim back. If you are getting another profile related claims like family_name and given_name, then this might be the problem of not getting email claim.

    However, the offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token. If you are getting the offline_access scope , could you check the permissions you provided while registering the application in the portal and remove the offline_access permission if granted.


    Please confirm the above, so that we can help you further.


  2. Shweta Mathur 29,006 Reputation points Microsoft Employee

    Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

    Apologies for delay in response. I was not able to understand the question at first place and trying to repro the issue at my end.

    By default, MSAL Node will add OIDC scopes to the auth code url request. These are the scopes ( openid, profile, offline_access) which we do not need to specify explicitly.

    As you are using Authorization Grant Flow with PKCE here, This flow has two endpoints to access the token:
    Authorize Endpoint- to acquire the code
    Token Endpoint - to acquire the token

    We need to pass the scope which are required to consent for the application in both the endpoints.

    Currently, the scopes are passed only in token endpoint and not to the sign in URL where we are signing the user and getting consent prompt to consent the scopes required for the application.

    I tried to repro the scenario in my code by passing scopes in sign in URL along with acquire Token URL as below


    which appears in the redirect URL 237828-image.png

    offline_access is the default scope stored internally ,msal-node does not expose the refresh token to the end user.

    Hope this will help.
    Thanks for your time and patience throughout this issue.
    If you still facing issues, please let us know to help you further.



    Please remember to "Accept Answer" if answer helped you and complete the survey so it will help others as well.