Hi @⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ,
Thanks for reaching out.
I understand you are trying to get the openid, profile and offline_access scopes in the access token and not able to get the email scope.
Could you please confirm when you are saying getting three scopes - profile, openid and offline_access. Where and how you are able to check that?
Did you tried to decode the token you are getting using jwt.ms and not getting email there?
Did you tried the same request using postman and facing the same issue there as well?
openID, profile and email are built in scopes provided by openID connect so application can request access to large amount of information about the user which is required for authentication.
There might be chance that there is no email address associated with the Azure AD account, then even if you include the email scope you may not get any email claim back. If you are getting another profile related claims like family_name and given_name, then this might be the problem of not getting email claim.
However, the offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token. If you are getting the offline_access scope , could you check the permissions you provided while registering the application in the portal and remove the offline_access permission if granted.
Please confirm the above, so that we can help you further.
Hi @ 27563537, Redirect URI is the URL where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.
Redirect URI doesn't return the scopes requested in the request. However, you can decode the requested scopes in ID token or access token using jwt.ms as mentioned above.
The consent prompt is designed to ensure users have enough information to trust the application to access resources (in this case, user profile) on their behalf. This screen contains the permissions (openid and profile to access user's information) being requested by the client application. Users should always evaluate the types of permissions which will be authorized to access on their behalf if they accept.
offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token.
Ah. I meant the URL that my app redirects to - the one that then redirects to the consent screen. It is my understanding that if the correct scopes do not appear in that URL or on the consent screen, I will not get those scopes when the user redirects to my app, and similarly, the app will get scopes that appear on the consent screen.
My issue is that when getting a URL from MSAL to send the user to, it doesn't use the scopes I set but rather a default three (
Hey, are there any updates on what I wrote above? I've been waiting for three days now and i've already explained the issue.
Hi @ 27563537,
Apologies for delay in response. Due to weekend, I was not available. I am trying to repro the issue to understand the root cause.
Will revert you on this.
Sign in to comment