question

VinayRamkrishnan-9531 avatar image
0 Votes"
VinayRamkrishnan-9531 asked amanpreetsingh-msft edited

Scope "offline_access" isn't being returned in the token response.

Hi,

I am testing an OAuth integration using the OAuth v2.0 endpoints.

In my initial request to oauth2/v2.0/authorize I am sending a request containing the following scopes:
User.Read, offline_access, Files.Read.All

And then for the second token endpoint oauth2/v2.0/token, I pass the code from the authorize step, along with grant_type as authorization_code and the redirect_uri.
The response returned contains the access_token & the refresh_token as expected, but the returned list of scopes doesn't contain offline_access. Is it a bug? or is that expected and just some misunderstanding on my part.

My returned list of scopes is as follows:

 "scope":"Files.Read.All openid User.Read profile email"

~Vinay


azure-ad-authentication
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

amanpreetsingh-msft avatar image
0 Votes"
amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @VinayRamkrishnan-9531 • Thank you for reaching out.

This is expected. The offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part of the access token and cannot be used for scope-based authorizations.

As highlighted below, even when the offline_access scope is specified in the request, it is not returned as a scope:

191702-image.png

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


image.png (31.0 KiB)
· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

amanpreetsingh-msft avatar image amanpreetsingh-msft ·

Hi @VinayRamkrishnan-9531 • Just following up if you have any further questions.

0 Votes 0 ·
VinayRamkrishnan-9531 avatar image VinayRamkrishnan-9531 ·

thanks for the response!

I guess that makes sense . The reason its confusing is that --I do see offline_access being returned when I use the v1 endpoints:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token

Is that just a bug or is this a change that was implemented in v2

Appreciate your responses here,

~Vinay

0 Votes 0 ·
amanpreetsingh-msft avatar image amanpreetsingh-msft VinayRamkrishnan-9531 ·

@VinayRamkrishnan-9531 • I've never seen offline_access being returned as a scope. I tested with the v1 (common) endpoint as well but didn't get it as a scope, as highlighted below. Can you share a screenshot of the request you made to the v1 endpoint and offline_access as a scope in the response?

200564-image.png

0 Votes 0 ·
image.png (69.8 KiB)