This repository has been archived by the owner on May 16, 2023. It is now read-only.
Expected behavior
Adding a new scope in the modify permissions UI only adds a single scope to the OAuth request. This appeared to be fixed with #165. I seem to be mistaken.
Actual behavior
We are now seeing many OAuth scopes being sent when only one is selected. This includes the default scopes which require admin consent. This shouldn't happen.
It almost seems like user consent is disabled as a new default. This includes demo tenants.
Steps to reproduce the behavior
Log in to GE with a non-admin account.
Open the modify permissions UI.
Add a user-consentable scope and select modify.
Get redirected to a request for admin consent.
HTTP traffic capture
GET /common/oauth2/v2.0/authorize?nonce=graph_explorer&prompt=select_account&client_id=de8bc8b5-d9f9-48b1-a8ad-b748da725064&response_type=token&redirect_uri=https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer&state=%7B%22client_id%22%3A%22de8bc8b5-d9f9-48b1-a8ad-b748da725064%22%2C%22network%22%3A%22msft%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_4eh1jgbe%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer%22%7D&scope=Calendars.Read%20Calendars.ReadWrite%20Contacts.ReadWrite%20DeviceManagementApps.Read.All%20DeviceManagementApps.ReadWrite.All%20DeviceManagementConfiguration.Read.All%20DeviceManagementConfiguration.ReadWrite.All%20DeviceManagementManagedDevices.PrivilegedOperations.All%20DeviceManagementManagedDevices.Read.All%20DeviceManagementManagedDevices.ReadWrite.All%20DeviceManagementRBAC.Read.All%20DeviceManagementRBAC.ReadWrite.All%20DeviceManagementServiceConfig.Read.All%20DeviceManagementServiceConfig.ReadWrite.All%20Directory.AccessAsUser.All%20Directory.ReadWrite.All%20Files.ReadWrite.All%20Group.ReadWrite.All%20IdentityRiskEvent.Read.All%20Mail.ReadWrite%20MailboxSettings.ReadWrite%20Notes.ReadWrite.All%20Notifications.ReadWrite.CreatedByApp%20openid%20People.Read%20Reports.Read.All%20Sites.ReadWrite.All%20Tasks.ReadWrite%20User.ReadBasic.All%20User.ReadWrite%20User.ReadWrite.All
We suspect that there was a v2 auth API change at the end of September that caused this mismatch between expected and actual. Even if the client correctly does incremental consent, we are seeing strange token behavior where the token comes back with just the incremented scope, not all the scopes. This is true for some accounts.
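As an added example (not Graph Explorer's own code), the script below parses the captured authorize request from the issue, decodes the JSON carried in `state`, and lists every scope that goes beyond what the user actually selected plus the OpenID Connect reserved scopes. It also models the token-side symptom from the comment above: the redirect fragment is a constructed sample, not a real capture, and the assumption that the user ticked `Calendars.Read` is a placeholder for whichever single scope was selected.

```python
"""Audit an OAuth 2.0 authorize request, and the implicit-grant token response
that comes back, for scope creep. Added example; not Graph Explorer's code."""
import json
from urllib.parse import urlsplit, parse_qs

# Request line copied from the HTTP capture in the issue (no HTTP version given).
CAPTURED_REQUEST_LINE = (
    "GET /common/oauth2/v2.0/authorize?nonce=graph_explorer&prompt=select_account"
    "&client_id=de8bc8b5-d9f9-48b1-a8ad-b748da725064&response_type=token"
    "&redirect_uri=https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer"
    "&state=%7B%22client_id%22%3A%22de8bc8b5-d9f9-48b1-a8ad-b748da725064%22%2C"
    "%22network%22%3A%22msft%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A"
    "%22_hellojs_4eh1jgbe%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A"
    "%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer%22%7D"
    "&scope=Calendars.Read%20Calendars.ReadWrite%20Contacts.ReadWrite%20"
    "DeviceManagementApps.Read.All%20DeviceManagementApps.ReadWrite.All%20"
    "DeviceManagementConfiguration.Read.All%20DeviceManagementConfiguration.ReadWrite.All%20"
    "DeviceManagementManagedDevices.PrivilegedOperations.All%20"
    "DeviceManagementManagedDevices.Read.All%20DeviceManagementManagedDevices.ReadWrite.All%20"
    "DeviceManagementRBAC.Read.All%20DeviceManagementRBAC.ReadWrite.All%20"
    "DeviceManagementServiceConfig.Read.All%20DeviceManagementServiceConfig.ReadWrite.All%20"
    "Directory.AccessAsUser.All%20Directory.ReadWrite.All%20Files.ReadWrite.All%20"
    "Group.ReadWrite.All%20IdentityRiskEvent.Read.All%20Mail.ReadWrite%20"
    "MailboxSettings.ReadWrite%20Notes.ReadWrite.All%20Notifications.ReadWrite.CreatedByApp%20"
    "openid%20People.Read%20Reports.Read.All%20Sites.ReadWrite.All%20Tasks.ReadWrite%20"
    "User.ReadBasic.All%20User.ReadWrite%20User.ReadWrite.All"
)

# Constructed sample (not from the issue) of an implicit-grant redirect fragment,
# modelling the comment's observation that the token carries only the added scope.
CONSTRUCTED_TOKEN_FRAGMENT = (
    "access_token=EXAMPLE_TOKEN&token_type=Bearer&expires_in=3599"
    "&scope=Calendars.Read%20openid&state=%7B%7D"
)

# OpenID Connect reserved scopes that legitimately ride along on every request.
BASELINE_SCOPES = {"openid", "profile", "email", "offline_access"}


def _first(qs, key):
    """First value of a query parameter, or None when absent."""
    return qs.get(key, [None])[0]


def parse_authorize_request(request_line):
    """Decode the authorize parameters from an HTTP request line or a bare target."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 and parts[0].isupper() else parts[0]
    qs = parse_qs(urlsplit(target).query)  # parse_qs also percent-decodes values
    scope = _first(qs, "scope")
    state = _first(qs, "state")
    return {
        "client_id": _first(qs, "client_id"),
        "response_type": _first(qs, "response_type"),
        "redirect_uri": _first(qs, "redirect_uri"),
        "scopes": scope.split() if scope else [],
        "state": json.loads(state) if state else {},
    }


def unexpected_scopes(requested, selected):
    """Requested scopes beyond the user's selection and the OIDC baseline.
    Under incremental consent this list should be empty."""
    return sorted(set(requested) - set(selected) - BASELINE_SCOPES)


def consistency_findings(req):
    """Integrity checks a reviewer would run over the parsed request."""
    findings = []
    if req["response_type"] == "token":
        findings.append("implicit grant: access token is returned in the URL fragment")
    inner = req["state"].get("redirect_uri")
    if inner and inner != req["redirect_uri"]:
        findings.append("redirect_uri inside state differs from the query redirect_uri")
    return findings


def granted_scopes(fragment):
    """Scopes actually granted, read from the implicit-grant redirect fragment."""
    return set(parse_qs(fragment).get("scope", [""])[0].split())


def missing_from_token(requested, fragment):
    """Requested scopes that the returned token does not carry."""
    return sorted(set(requested) - granted_scopes(fragment))


if __name__ == "__main__":
    req = parse_authorize_request(CAPTURED_REQUEST_LINE)
    selected = {"Calendars.Read"}  # assumption: the single scope the user ticked
    print(len(req["scopes"]), "scopes requested; client", req["client_id"])
    print("beyond selection:", unexpected_scopes(req["scopes"], selected))
    print("findings:", consistency_findings(req))
    print("absent from token:", missing_from_token(req["scopes"], CONSTRUCTED_TOKEN_FRAGMENT))
```

Run it against any captured authorize URL to see how far a request drifts from the one scope a user consented to; for the capture in this issue it reports 31 scopes, 29 of which are neither the selected scope nor `openid`.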