MSAL for Node not using requested scopes

Question

MSAL for Node not using requested scopes

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1

So I passed the email and profile scopes to the function that generates redirect URLs, and when I try it myself, I'm finding that there are always three defaults only - profile, openid, and offline_access. I don't want offline_access, and I need the email scope. What am I doing incorrectly for this to happen?

Answer 1

Shweta Mathur 12,991 Microsoft Employee

Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ,

Thanks for reaching out.

I understand you are trying to get the openid, profile and offline_access scopes in the access token and not able to get the email scope.

Could you please confirm when you are saying getting three scopes - profile, openid and offline_access. Where and how you are able to check that?
Did you tried to decode the token you are getting using jwt.ms and not getting email there?
Did you tried the same request using postman and facing the same issue there as well?

openID, profile and email are built in scopes provided by openID connect so application can request access to large amount of information about the user which is required for authentication.
There might be chance that there is no email address associated with the Azure AD account, then even if you include the email scope you may not get any email claim back. If you are getting another profile related claims like family_name and given_name, then this might be the problem of not getting email claim.

However, the offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token. If you are getting the offline_access scope , could you check the permissions you provided while registering the application in the portal and remove the offline_access permission if granted.

Please confirm the above, so that we can help you further.

Thanks,
Shweta

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1 Reputation point

2022-09-02T00:29:16.96+00:00

Nope, nothing anywhere near as complex as that. The redirect URL just doesn't have the scopes: scope=openid%20profile%20offline_access
Additionally, this is confirmed on the consent screen.
Shweta Mathur 12,991 Reputation points Microsoft Employee

2022-09-02T06:41:57.29+00:00

Hi @ 27563537, Redirect URI is the URL where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.
Redirect URI doesn't return the scopes requested in the request. However, you can decode the requested scopes in ID token or access token using jwt.ms as mentioned above.

The consent prompt is designed to ensure users have enough information to trust the application to access resources (in this case, user profile) on their behalf. This screen contains the permissions (openid and profile to access user's information) being requested by the client application. Users should always evaluate the types of permissions which will be authorized to access on their behalf if they accept.

offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token.

Thanks,
Shweta
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1 Reputation point

2022-09-02T07:50:07.707+00:00

Ah. I meant the URL that my app redirects to - the one that then redirects to the consent screen. It is my understanding that if the correct scopes do not appear in that URL or on the consent screen, I will not get those scopes when the user redirects to my app, and similarly, the app will get scopes that appear on the consent screen.
My issue is that when getting a URL from MSAL to send the user to, it doesn't use the scopes I set but rather a default three (openid, profile, and offline_access).
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1 Reputation point

2022-09-05T09:55:49.847+00:00

Hey, are there any updates on what I wrote above? I've been waiting for three days now and i've already explained the issue.
Shweta Mathur 12,991 Reputation points Microsoft Employee

2022-09-05T10:43:12.947+00:00

Hi @ 27563537,

Apologies for delay in response. Due to weekend, I was not available. I am trying to repro the issue to understand the root cause.
Will revert you on this.

Thanks,
Shweta

Answer 2

Shweta Mathur 12,991 Microsoft Employee

Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Apologies for delay in response. I was not able to understand the question at first place and trying to repro the issue at my end.

By default, MSAL Node will add OIDC scopes to the auth code url request. These are the scopes ( openid, profile, offline_access) which we do not need to specify explicitly.

As you are using Authorization Grant Flow with PKCE here, This flow has two endpoints to access the token:
Authorize Endpoint- to acquire the code
Token Endpoint - to acquire the token

We need to pass the scope which are required to consent for the application in both the endpoints.

Currently, the scopes are passed only in token endpoint and not to the sign in URL where we are signing the user and getting consent prompt to consent the scopes required for the application.

I tried to repro the scenario in my code by passing scopes in sign in URL along with acquire Token URL as below

which appears in the redirect URL

offline_access is the default scope stored internally ,msal-node does not expose the refresh token to the end user.

Hope this will help.
Thanks for your time and patience throughout this issue.
If you still facing issues, please let us know to help you further.

Thanks,
Shweta

--------------------------

Please remember to "Accept Answer" if answer helped you and complete the survey so it will help others as well.

Shweta Mathur 12,991 Reputation points Microsoft Employee

2022-09-06T09:17:29.457+00:00

Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ,

Just wanted to check did you tried the above solution?

Thanks,
Shweta
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1 Reputation point

2022-09-08T14:30:54.677+00:00

Hey!
The issue here is that despite putting those scopes in the code, I didn't get them back in the URL (see the first screenshot at the top of this post to understand what I mean by this). Even though I include the scopes I need, I don't get email back as one in the redirect URL.
Also, to clarify, does this mean I won't get the refresh token even with the offline_access scope? I don't need to keep access to the user's account after they sign in, as that uses its own separate token system.
Shweta Mathur 12,991 Reputation points Microsoft Employee

2022-09-09T10:29:31.183+00:00

Let me put in other way here. As mentioned in your first screenshot, the scopes you passed is the second flow of authorization grant flow to get the access token using /token endpoint.

I am suggesting you need to pass scopes in the first flow of authorization grant flow /authorize endpoint where user is requesting the authorize code by signing with the credentials.

The screenshot I posted in my recent answer is to add the scopes in both the functions (/authorize and /token endpoint) which only allows to see the scopes defined in sign in function to the redirect URL which comes while passing the sign into the application.

If you still have doubts, we can connect offline to help you further.

Thanks,
Shweta
Shweta Mathur 12,991 Reputation points Microsoft Employee

2022-09-12T09:44:22.64+00:00

Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ,

Did you get a chance to update the scopes values in another function as well which is calling signin endpoint ?

Thanks,
Shweta
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 1 Reputation point

2022-09-14T18:50:12.753+00:00

Hey,
I've extracted the code in the quickstart into a separate function if this is what you mean. However, I'm still only getting the same three scopes, not what I request.

MSAL for Node not using requested scopes

2 answers

Activity