Cannot Utilize Azure B2C with MSAL Because 'Profile' Scope No Longer Defined - Update - Because 'scopes_supported' cannot be modified for custom policy

Rob Sierra 1 Reputation point
2021-06-11T10:38:25.52+00:00

Good Morning,

I've followed the guides to hook up angular-msal to custom protocols in Azure B2C but when I try to connect to my app registration through the protocol I get the following error:

invalid_request: AADB2C90012: The scope 'openid profile offline_access' provided in request is not supported.

When I go to the app registration to add the profile permission the only ones available are 'openid' and 'offline_access' despite the fact that both the below documentation entries state that 'profile' should be available as a delegated permission:

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#delegated-permission-to-microsoft-graph
https://learn.microsoft.com/en-us/graph/permissions-reference#openid-permissions

Why isn't the profile scope available, or alternatively, how do I prevent msal from requesting that scope? I did not add profile to any of my scopes in settings so that's clearly being tacked on automatically. I'm using the following versions of msal:

  "@auth0/angular-jwt": "5.0.2",  
  "@azure/msal-angular": "2.0.0",  
  "@azure/msal-browser": "2.14.0",  

Edit - I was able to make a new app registration, and when I did, 'profile' showed up, but I'm still receiving the same error.

Edit2 - I've confirmed that the authorization request sent out works if only the 'openid' scope is specified, by intercepting it and modifying it before sending it out again. The most likely reason for this is that the discovery endpoint for my custom policy only specifies 'openid' under 'scopes_supported'. I've tried everything I can think of and scoured the documentation to find out how to add to this variable, but have turned up empty-handed. If anyone knows how to update scopes on the custom policies, please let me know.
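The check described in Edit2 (comparing the scopes in the intercepted authorize request against the policy's discovery document) can be scripted. The TypeScript below is an added example, not code from the original post or from MSAL; the discovery document, client id, redirect URI and authorize URL are constructed placeholders, and the `fetch` call in the trailing comment is hypothetical.

```typescript
// Added example (not from the original post): compare the scopes an OIDC
// authorization request carries with the `scopes_supported` list published in
// the authority's .well-known/openid-configuration, the mismatch behind AADB2C90012.

interface DiscoveryDocument {
  issuer: string;
  authorization_endpoint: string;
  scopes_supported: string[];
}

interface ScopeCheck {
  requested: string[];
  unsupported: string[]; // scopes the authority does not advertise
  ok: boolean;
}

// Constructed sample discovery document shaped like a B2C custom-policy metadata
// response; tenant, policy name and ids are placeholders, not a real tenant.
const sampleDiscovery: DiscoveryDocument = {
  issuer: "https://EXAMPLE_TENANT.b2clogin.com/EXAMPLE_TENANT_ID/v2.0/",
  authorization_endpoint:
    "https://EXAMPLE_TENANT.b2clogin.com/EXAMPLE_TENANT.onmicrosoft.com/B2C_1A_EXAMPLE/oauth2/v2.0/authorize",
  scopes_supported: ["openid"],
};

// Constructed authorize URL of the shape an OIDC client builds; only `scope` matters here.
const sampleAuthorizeUrl =
  sampleDiscovery.authorization_endpoint +
  "?client_id=00000000-0000-0000-0000-000000000000" +
  "&response_type=code" +
  "&redirect_uri=" + encodeURIComponent("http://localhost:4200/") +
  "&scope=" + encodeURIComponent("openid profile offline_access") +
  "&code_challenge=EXAMPLE_CHALLENGE&code_challenge_method=S256";

// Minimal query-string parser (percent-decoding and '+' as space), no DOM/Node URL dependency.
function parseQuery(url: string): Map<string, string> {
  const params = new Map<string, string>();
  const query = url.split("?")[1] || "";
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, " "));
    params.set(key, value);
  }
  return params;
}

// The `scope` parameter is a space-separated list (RFC 6749 section 3.3).
function scopesFromAuthorizeUrl(url: string): string[] {
  const scope = parseQuery(url).get("scope") || "";
  return scope.split(/\s+/).filter((s) => s.length > 0);
}

// Report every requested scope that is absent from scopes_supported, so it can be
// removed from the client configuration before the authority rejects the request.
function checkScopes(requested: string[], discovery: DiscoveryDocument): ScopeCheck {
  const unsupported = requested.filter((s) => discovery.scopes_supported.indexOf(s) < 0);
  return { requested, unsupported, ok: unsupported.length === 0 };
}

// Rewrite the authorize URL keeping only advertised scopes: the manual edit the
// poster made on the intercepted request, done deterministically.
function stripUnsupportedScopes(url: string, discovery: DiscoveryDocument): string {
  const [base, query = ""] = url.split("?");
  const kept = scopesFromAuthorizeUrl(url).filter((s) => discovery.scopes_supported.indexOf(s) >= 0);
  const rebuilt = query
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => (pair.indexOf("scope=") === 0 ? "scope=" + encodeURIComponent(kept.join(" ")) : pair));
  return base + "?" + rebuilt.join("&");
}

// In a live app the discovery document comes from the policy's metadata endpoint
// (hypothetical, not executed here):
//   const discovery: DiscoveryDocument = await (await fetch(authority + "/.well-known/openid-configuration")).json();
const result = checkScopes(scopesFromAuthorizeUrl(sampleAuthorizeUrl), sampleDiscovery);
console.log(result.ok ? "all scopes supported" : "unsupported scopes: " + result.unsupported.join(", "));
```

Dropping `offline_access` from the request also drops the refresh-token grant, so the right fix is usually the client configuration (or the policy's metadata) rather than silently trimming scopes at runtime; the rewrite function only reproduces the diagnostic from Edit2.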


2 answers

  1. Rob Sierra 1 Reputation point
    2021-06-11T15:32:06.51+00:00

    My issue was that the ProtocolMode was set to OIDC in app.module.ts


  2. James Hamil 22,086 Reputation points Microsoft Employee
    2021-06-11T20:49:54.673+00:00

    Hi @Rob Sierra, authentication differs depending on the site type. Please take a look at this document. It details the different steps you need to take if you have an SPA or web application. I suspect your issue is caused by using a hybrid of different methods that don't work together. Please let me know if this helps you solve your issue or if you have any questions, and I can help you further.

    Best,
    James
