surbhinijhara asked PinkeshDashrathbhaiPatel-9050 commented

Issues with Scopes assignment in Azure AD

Hi,

There are two issues seen while issuing a token from Azure AD OAuth 2.0, as below:


Following apps are registered in AD:

Product-A with Scopes: product:A:view, product:A:edit

Product-B with Scopes: product:B:view, product:B:edit


Issue 1: All scopes from a single app get included in the token, even if the request is for one scope only.

Suppose the client app is added with both Product-A scopes, product:A:edit and product:A:view.

If a token is requested with product:A:view scope, the token response contains all the scopes from the Product-A, i.e. both product:A:view and product:A:edit scopes are assigned to the token.

Basically, scope is not acting as a filter.


Issue 2: Scope included only from one app, even if the request is for multiple scopes from different apps.

Suppose the client app is added with both the Product-A scope product:A:edit and the Product-B scope product:B:view.

If a token is requested with both product:A:edit and product:B:view, the issued token contains the scope of only one app (the app whose scope appears first in the scope parameter of the token endpoint API), e.g. only product:A:edit is assigned to the token.


Are these known issues, or is something missing in the configuration? Any help is appreciated.

azure-ad-authentication

@surbhinijhara I just wanted to follow up on whether the answers below helped. Please "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


amanpreetsingh-msft answered PinkeshDashrathbhaiPatel-9050 commented

Hi @SN-7656, if you have added the permissions under the API permissions blade of the app and granted admin consent, you will get those permissions in the token even if you do not explicitly specify them in your token request. Please remove the permissions from there and keep the scopes under the Expose an API blade only.




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



@amanpreetsingh-msft


It didn't work for me. I removed scopes from API Permissions of Client APP yet I see all scopes in generated token.

Can you please suggest here, as we are looking to implement scope-based authorization for our APIs with a ClientAPP and HostAPP setup where our HostAPP has 3 scopes under Expose an API. How do we generate the token using ClientAPP so that only the requested scopes are returned in the generated token?

@surbhinijhara @pratikpawar-3687






amanpreetsingh-msft answered surbhinijhara commented

Hi @SN-7656 Please find below the answer to your question:


Issue 1:


You can refer to the call below. In this case, I have requested a token with both the "read" and "list" scopes. However, if I remove the read scope from the request body, I get only the list scope in the token.


[screenshot: untitled.png]


Issue 2:


This is expected. In a token request you can only include scopes from one application at a time. To include scopes from a different application, you would need to make a separate call. If you include scopes from different applications in the same call, it fails with the error: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource.




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



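The two behaviours described in this answer, as an added example that is not part of the thread and not Microsoft's code: splitting a mixed scope list into one token request per resource (the AADSTS28000 case from Issue 2), diffing the scopes a token actually carries against the scopes that were requested (the symptom from Issue 1), and the resource-side check that makes a scope matter at all. It assumes that scopes are requested in the fully qualified `api://<resource-app-id>/<scope-name>` form, that granted delegated scopes come back in the access token's space-separated `scp` claim, and that the grant-specific parameters (`grant_type`, `code`, and so on) are supplied by the caller; the sample token is constructed locally and unsigned, not a real Azure AD token.

```python
# Added example, not code from the Q&A thread or from Microsoft. Assumptions:
#  * scopes are requested from the Azure AD v2.0 token endpoint as fully
#    qualified "api://<resource-app-id>/<scope-name>" values, and the delegated
#    scopes granted come back in the access token's space-separated "scp" claim;
#  * the token built by make_sample_token() is constructed here for local
#    testing (unsigned, alg "none"); it is not a real Azure AD token.
import base64
import json
from collections import OrderedDict

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def resource_of(scope: str) -> str:
    """Resource part of a fully qualified scope:
    api://<app-id>/product:A:view -> api://<app-id>."""
    return scope.rsplit("/", 1)[0] if "/" in scope else scope


def split_scopes_by_resource(scopes):
    """Group requested scopes by resource, preserving order of first appearance.
    Each group is sent as its own token request; putting two resources in one
    'scope' parameter is what the endpoint rejects with AADSTS28000."""
    groups = OrderedDict()
    for s in scopes:
        groups.setdefault(resource_of(s), []).append(s)
    return list(groups.values())


def token_request_bodies(client_id, scopes, grant_params):
    """One form body per resource for POST TOKEN_ENDPOINT. grant_params holds
    the grant-specific fields (e.g. grant_type, code, redirect_uri) and is an
    assumption of this example, not a fixed Azure AD parameter set."""
    return [
        {"client_id": client_id, "scope": " ".join(group), **grant_params}
        for group in split_scopes_by_resource(scopes)
    ]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Read a compact JWT's payload WITHOUT checking its signature. Good enough
    for inspecting what the token endpoint issued to you; a resource API must
    validate signature, issuer, audience and expiry before acting on claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated scopes appear in 'scp' as short names separated by spaces."""
    return set(claims.get("scp", "").split())


def compare_scopes(jwt: str, requested) -> dict:
    """Diff what the token carries against what was asked for. 'extra' entries
    are the symptom from Issue 1: scopes granted through consented API
    permissions on the client registration rather than the scope parameter."""
    wanted = {s.rsplit("/", 1)[-1] for s in requested}
    got = granted_scopes(unverified_claims(jwt))
    return {"missing": sorted(wanted - got), "extra": sorted(got - wanted)}


def require_scope(claims: dict, needed: str) -> bool:
    """Resource-side check: allow the operation only if 'needed' is in scp."""
    return needed in granted_scopes(claims)


def make_sample_token(scp: str, aud: str = "api://product-a") -> str:
    """Constructed, unsigned token for local testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc({"aud": aud, "scp": scp}) + "."


if __name__ == "__main__":
    # Issue 2: one request per resource instead of one mixed request
    asked = ["api://product-a/product:A:edit", "api://product-b/product:B:view"]
    for body in token_request_bodies("<client-id>", asked, {"grant_type": "authorization_code"}):
        print("POST", TOKEN_ENDPOINT.format(tenant="<tenant>"), body)
    # Issue 1: the token carries more than was requested
    tok = make_sample_token("product:A:view product:A:edit")
    print(compare_scopes(tok, ["api://product-a/product:A:view"]))
    print(require_scope(unverified_claims(tok), "product:B:view"))
```

Running the script prints two separate request bodies for the two resources, then `{'missing': [], 'extra': ['product:A:edit']}` for the constructed token, which is exactly the "scope is not acting as a filter" picture from Issue 1; the `extra` list is where to look when consented API permissions on the client registration are widening the token beyond what was requested. The `require_scope` check is what the protected API itself should run, after full token validation, so that a token carrying only `product:A:view` cannot reach an edit operation.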

@amanpreetsingh-msft : For the 1st issue, I have registered both the Read and Write scopes in my app, and while generating the token I am giving the Read scope only. However, the token is generated with both the registered scopes, i.e. Read and Write. Please find the screenshots below.



[screenshot: tokenrequest.jpg]




Attaching the token request call screenshot: [screenshot: tokenendpointrequest-updated.jpg]



@amanpreetsingh-msft - @pratikpawar-3687 is from my team at work. He has verified that Issue 1 still does not work at our end. Could you please take a look and let us know if we are missing something at our end?
Thanks,
Surbhi




@amanpreetsingh-msft , if possible, help us here.


surbhinijhara answered

@amanpreetsingh-msft , Thanks much for responding.


Expose an API works technically, but by design it does not seem to be the right way for a client app to use.


An app can be registered as follows:
1) To represent an API or a resource app, which exposes the protected API. This is done by exposing the API as described in Register app to represent an API - Steps 7 and 8.
2) To represent a client app, which adds the required APIs or resource apps. This is done using API permissions as described in Register app to represent Client App # Grant Permissions - Steps 3 and 4.


A user is aware of its client app and using client id/secret, the user requests for a token to access one of the protected APIs.


If we go by the way you suggested, this will mean configuring apps in one of the below ways:
a. A client app will need to expose all the APIs by adding scopes explicitly. I do not see the purpose of registering apps to represent APIs in this case.
OR
b. Represent each app which is supposed to represent an API as a client app. Only then can the token request use the client id. However, it should not be this way.


Both ways are not correct by design.


Again as per documentation, the permissions should be added to the client app using API permissions (and not through Expose an API). If all permissions are assigned in the token even if a single permission is requested, then this seems to be wrong.


Do you agree with my understanding? I would appreciate your thoughts as a reply here.







amanpreetsingh-msft answered amanpreetsingh-msft commented

@surbhinijhara API permissions need to be added if the scopes are exposed in one app and you are trying to add those scopes to another app. If you are requesting a token for the same app where the scopes are exposed, you don't need to use API permissions. Scopes represent permissions and are used for authorization by the federated application; as long as you are getting the required scopes in the token, you should be good.




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



@amanpreetsingh-msft
Thank you for your response.
Now, while creating an OAuth2 instance in APIM, it is asking for a client id and secret. If we are not creating the client app and do not add the other registered app's server scopes in it, then will we need to create an OAuth2 instance in APIM for each registered app?


Please find attached a screenshot of apim oauth2 instance for your reference.


Thanks,
Pratik Pawar


[screenshot: apim-oauth2-intance.png]





Hi @pratikpawar-3687 Yes, if you want to use scopes which are not added to this application either via API Permission or Expose an API blade, you would need to add the other application as well where those scopes are added.
