My issue was that the ProtocolMode was set to OIDC in app.module.ts
Cannot Utilize Azure B2C with MSAL Because 'Profile' Scope No Longer Defined - Update - Because 'scopes_supported' cannot be modified for custom policy
Good Morning,
I've followed the guides to hook up angular-msal to custom protocols in Azure B2C but when I try to connect to my app registration through the protocol I get the following error:
invalid_request: AADB2C90012: The scope 'openid profile offline_access' provided in request is not supported.
When I go to the app registration to add the profile permission the only ones available are 'openid' and 'offline_access' despite the fact that both the below documentation entries state that 'profile' should be available as a delegated permission:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#delegated-permission-to-microsoft-graph
https://learn.microsoft.com/en-us/graph/permissions-reference#openid-permissions
Why isn't the profile scope available, or alternatively, how do I prevent msal from requesting that scope? I did not add profile to any of my scopes in settings so that's clearly being tacked on automatically. I'm using the following versions of msal:
"@auth0/angular-jwt": "5.0.2",
"@azure/msal-angular": "2.0.0",
"@azure/msal-browser": "2.14.0",
Edit - I was able to make a new app registration and when I did 'profile' showed up but I'm still receiving the same error
Edit2 - I've confirmed the authorization request sent out works if only the 'openid' scope is specified by intercepting it and modifying it before sending it out again. The most likely reason for this is because the discovery endpoint for my custom policy only specifies 'openapi' under 'scopes_supported', I've tried everything I can think of and scoured the documentation to find out how to add to this variable but have turned up empty handed. If anyone knows how to update scopes on the custom policies please please let me know
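The check described in Edit2 (intercepting the authorize request and comparing its scope parameter with the policy's discovery document) can be automated. The following JavaScript is an added example, not code from the original post or from MSAL; the discovery document and the authorize URL in it are constructed stand-ins for what a B2C custom policy publishes and what an SPA sends, and the rule that bare-word scopes are OIDC scopes while URI-form scopes are resource permissions that discovery does not list is an assumption made for the example.

```javascript
// Added example: compare the scopes an authorization request asks for with the
// scopes a B2C policy's discovery document advertises. AADB2C90012 is returned
// when the request names a scope the policy does not support.

// Constructed discovery document in the shape of /.well-known/openid-configuration
// for a B2C custom policy; like the one in the question, it lists only "openid".
const B2C_DISCOVERY = {
  issuer: "https://contoso.b2clogin.com/12345678-0000-0000-0000-000000000000/v2.0/",
  authorization_endpoint:
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  scopes_supported: ["openid"],
  response_types_supported: ["code", "id_token", "code id_token"],
};

// Constructed authorize URL of the shape an SPA sends: the app's own API scope
// plus the OIDC scopes the question reports being added automatically.
const AUTH_REQUEST_URL =
  "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize" +
  "?client_id=11111111-2222-3333-4444-555555555555" +
  "&scope=openid%20profile%20offline_access%20https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread" +
  "&redirect_uri=http%3A%2F%2Flocalhost%3A4200" +
  "&response_type=code&response_mode=fragment";

// Assumption: an OIDC scope is a bare word (openid, profile, offline_access);
// anything with a scheme or path is a resource permission scope, which the
// discovery document does not enumerate, so it is not checked against it.
const OIDC_SCOPE_PATTERN = /^[a-z_]+$/i;

function isOidcScope(scope) {
  return OIDC_SCOPE_PATTERN.test(scope);
}

// Space-separated scope parameter, percent-decoded by URLSearchParams.
function parseScopes(authorizeUrl) {
  const scope = new URL(authorizeUrl).searchParams.get("scope") || "";
  return scope.split(/\s+/).filter(Boolean);
}

// OIDC scopes in the request that the policy does not list in scopes_supported.
function findUnsupportedScopes(authorizeUrl, discovery) {
  const supported = new Set(discovery.scopes_supported || []);
  return parseScopes(authorizeUrl).filter((s) => isOidcScope(s) && !supported.has(s));
}

// The manual fix from the question: drop the unsupported OIDC scopes and keep the
// rest (including resource scopes), returning the rewritten authorize URL.
function restrictToSupported(authorizeUrl, discovery) {
  const url = new URL(authorizeUrl);
  const unsupported = new Set(findUnsupportedScopes(authorizeUrl, discovery));
  const kept = parseScopes(authorizeUrl).filter((s) => !unsupported.has(s));
  url.searchParams.set("scope", kept.join(" "));
  return url.toString();
}

// Sanity check that the request is going to the endpoint this policy publishes;
// a request built for a different authority or flow fails before scopes matter.
function endpointMatches(authorizeUrl, discovery) {
  const sent = new URL(authorizeUrl);
  const published = new URL(discovery.authorization_endpoint);
  return sent.origin === published.origin && sent.pathname === published.pathname;
}

// Human-readable report for the sample request above.
function report(authorizeUrl, discovery) {
  return {
    endpointOk: endpointMatches(authorizeUrl, discovery),
    requested: parseScopes(authorizeUrl),
    unsupported: findUnsupportedScopes(authorizeUrl, discovery),
    fixedUrl: restrictToSupported(authorizeUrl, discovery),
  };
}

console.log(JSON.stringify(report(AUTH_REQUEST_URL, B2C_DISCOVERY), null, 2));
```

Run against a real request by pasting the authorize URL captured from the browser's network tab and the JSON fetched from the policy's /.well-known/openid-configuration in place of the two constructed constants. If the report lists unsupported scopes, the fix is on the client side (what the client library adds to the request), since, as the question notes, scopes_supported of a custom policy cannot be edited in the portal.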
2 answers
James Hamil 22,086 Reputation points Microsoft Employee
2021-06-11T20:49:54.673+00:00
Hi @Rob Sierra, authentication differs depending on the site type. Please take a look at this document. It details the different steps you need to take if you have an SPA or web application. I suspect your issue is caused by using a hybrid of different methods that don't work together. Please let me know if this helps you solve your issue or if you have any questions and I can help you further.
Best,
James