acquireTokenSilent - refreshed ID tokens have incomplete scope #1779
Comments
@dluc ID Tokens do not have scopes associated with them. It sounds like you are looking for an access token. The reason your So to summarize, there are two things to be aware of here:
Hope this clears things up a bit. Let me know if you have any follow-up questions!
Hi @tnorling, I'm looking at ID tokens (not access tokens), which have scopes, e.g. see the 2 HTTP requests above. The first has 4 scopes: scope=profile%20email%20openid%20User.Read The scope regulates which claims are included in the JWT token. The token received from the first HTTP request, for example, includes the user email and the full name. The second request, which is missing 2 out of 4 scopes, is missing that info, hence my question. More importantly, if you attempt the second request adding all the 4 scopes, e.g. to refresh an ID token, you will get a new ID token with all the claims like the original one. As I mentioned, it's a limitation of the code, because the service allows doing that, but I'd rather not have to maintain a fork of MSAL.
Summarizing: when refreshing the ID token, we would like this request
to include all the configured scopes, e.g. be
so that the ID token released by AAD has the extra user information (email address and full name)
@dluc Gotcha. To my knowledge, this is not a scenario we have considered before. We are currently working on updating the token Until those PRs are merged and we put out a new release there are 2 things you could try:
Thanks @tnorling, will try that out! Looking forward to seeing the updates merged :-)
This issue has not seen activity in 14 days. It may be closed if it remains stale.
Hello, we have this same requirement where we need to refresh the ID token and also get the email claim included. Glad to see you already have this fixed and it looks like it will be available in version 1.4. Any idea when that might get released?
@scotteby We don't have a specific date yet; we're currently working on putting out 1.3.4 and we're hoping to get 1.4.0 out shortly thereafter. I will update here when it is available.
This issue has not seen activity in 14 days. It may be closed if it remains stale.
My app uses 4 scopes [`profile`, `email`, `openid`, `User.Read`] when retrieving an ID token and everything works fine, e.g. the initial ID token includes the "email" claim. When the ID token expires, the app uses `UserAgentApplication.acquireTokenSilent` to fetch a new token, but the ID token received is missing the `email` claim and other info related to the `User.Read` scope. As stated in the code "To renew idToken, please pass clientId as the only scope in the Authentication Parameters", the app is passing only the clientId in the scopes array. The library is configured to use session storage, but I've experienced the same issue with localStorage.

After forking the repo and modifying a file (see below), I managed to fix this problem, so it appears to be an issue in the library. I'm looking for suggestions so that I don't have to maintain a fork of the lib.

Looking at the HTTP requests, this is the first request, which uses the 4 scopes configured in my app, and it gets an ID token with all the claims as expected:

This is the request used by MSAL to refresh the ID token, via `acquireTokenSilent`, and it has only 2 scopes (`openid` and `profile`):

`UserAgentApplication.acquireTokenSilent` accepts a `userRequest` parameter, which has `scopes` and `extraScopesToConsent` parameters, but no matter how these params are set, custom scopes are ignored, and the request to `login.microsoftonline.com` includes only 2 scopes (`openid` and `profile`), which are hardcoded in `UrlUtils.translateclientIdUsedInScope`:

microsoft-authentication-library-for-js/lib/msal-core/src/utils/UrlUtils.ts, line 85 in b3a7636

`RequestUtils.validateRequest` is also designed to ignore `extraScopesToConsent` in this scenario, and the library causes an infinite loop if `scopes` contains anything other than the client id. As mentioned, this is not a problem with AAD. After modifying `UrlUtils.translateclientIdUsedInScope` to include my custom scopes, I managed to get the refreshed ID tokens with all the information I needed, i.e. the same claims as the initial ID token.

Call stack when renewing ID tokens, leading to 2 scopes only, regardless of the initial params:

- (`clientId` as documented)
- (`clientId`)
- (`serverAuthenticationRequest`, which contains a copy of the scopes in `request`)