
Token is generating with all the available scopes in AzureAD


I have below setup on Azure,

  1. Host APP
    • Added 3 Scopes under "Expose an API" tab i.e. abc, def, ghi
  2. Client APP
    • Added all 3 Scopes under "API Permissions" tab

Now if I request the token from Postman for the Client APP with specific scope(s) and I decode the token on JWT.IO, then I see all 3 scopes available in the "scp" claim.

POSTMAN Setup for OAuth 2.0,


My expectation here is to implement scope-based authorization where, if I request the token for the abc scope, then only abc should be present in the token.


Solution

  • Please check these:

    1. AFAIK, at this point in time, the Azure AD access token consists of all the granted delegated permissions for the requested resource, granted on behalf of the signed-in user.

    2. If you have added the permissions under the API permissions blade of the app and granted admin consent, you will get those permissions in the token even if you do not explicitly specify them within your token request. Please remove the permissions from there if not required, and just keep the scopes under the Expose an API blade only if they are not required to be granted directly.

    3. And the only other reason they may not be present is if the scopes are not included in conditional access. Even if only one scope that is included in conditional access is requested, the remaining scopes are directed to consent permissions and are present in the scope.

    4. Please check this Archive for What's new in Azure Active Directory? | Microsoft Docs regarding "Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access".

      For better understanding please check this SO ref - Is it possible to request only a subset of the scopes for which a user has granted consent in Azure AD OAuth2 implicit flow? In that, as said by @Philippe, see the different cases; the example given is when an app has already been granted User.Read, Mail.Read, and Files.Read.All, the customer has a conditional access policy requiring multi-factor authentication when accessing mail (but not when accessing files), and the user has not already performed MFA.

    See Microsoft identity platform scopes, permissions, & consent section example 1, example 2 & client-credentials-grant-flow-and-default, which says: "Issuing a client credentials request by using individual application permissions (roles) is not supported. All the app roles (application permissions) that have been granted for that web API are included in the returned access token."

    References:

    1. Microsoft Azure AD JWT Token is missing Scope information - Microsoft Q&A
    2. Microsoft identity platform scopes, permissions, & consent - Microsoft identity platform | Microsoft Docs
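Since the token carries every consented delegated permission in "scp" (and every granted app role in "roles" for client-credentials tokens), the practical place to enforce scope-based authorization is in the host API: each endpoint checks that the permission it needs is present and ignores the rest. The following is an added example written for this page, not code from the question, the answer or Microsoft; the App ID URI, the claim values and the unsigned sample token are constructed, and signature, issuer and expiry validation are assumed to be done by a JWT library before these checks run.

```python
import base64
import json

# Constructed sample claims (not a real token). The first is what the question
# observes: all three delegated permissions in "scp" although only one was
# requested. The second is an app-only token from the client-credentials flow.
AUD = "api://host-app-client-id-placeholder"   # assumed App ID URI of the host API
DELEGATED_CLAIMS = {"aud": AUD, "scp": "abc def ghi"}
APP_ONLY_CLAIMS = {"aud": AUD, "roles": ["abc"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature, for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(token: str) -> dict:
    """Read the claims of a compact JWT without verifying it (what jwt.io does).
    Inspection only: authorization must use claims a library has already
    validated (signature, issuer, audience, expiry)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims: dict) -> set:
    """Delegated permissions arrive space-separated in 'scp'; application
    permissions arrive as a list in 'roles'. Treat both as the grant set."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def authorize(claims: dict, required: str) -> bool:
    """Per-endpoint check for the host API: the token must be issued for this
    API and carry the permission the endpoint needs. Extra permissions in the
    token do not matter, so the API stays correct even when Azure AD puts every
    consented scope into 'scp'."""
    if claims.get("aud") != AUD:
        return False
    return required in granted_permissions(claims)

if __name__ == "__main__":
    token = build_unsigned_token(DELEGATED_CLAIMS)
    claims = decode_payload(token)
    print("scp claim:", claims["scp"])                 # abc def ghi
    print("abc endpoint:", authorize(claims, "abc"))   # True
    print("xyz endpoint:", authorize(claims, "xyz"))   # False
```

The aud check matters as much as the scope check: a token for a different resource that happens to contain the string "abc" must still be rejected.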