Open nohns opened 1 year ago
Hi @tekkamanendless - you don't need to request offline_access. All MSAL libraries will add this scope, along with profile and openid, to the token request. They are required for token caching. offline_access is a special scope that tells the token issuer to give back a refresh token, which MSAL handles internally via the AcquireTokenSilent method.

Let me know if this doesn't work for you.

I will leave this open as a supportability issue - we should improve the error message here.
This doesn't work with AcquireTokenByDeviceCode -- if I leave off offline_access, I only get an Access Token back, and if I add it, I get the error about offline_access being declined. I don't want my users to have to log in every time, and I don't want to go through the hassle of standing up an ephemeral http server to handle callbacks to do the Auth Code flow.

This is on go1.23.2 and MSAL for Go 1.2.2 btw.
Which version of MSAL Go are you using? Microsoft Authentication Library for Go 1.0.0

Where is the issue?

Is this a new or an existing app? The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.

What version of Go are you using (go version)?

What operating system and processor architecture are you using (go env)?

go env Output

Repro
```go
package main

import (
	"fmt"
	"log"

	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
)

// Azure AD app registration; fill in before running.
const (
	clientID     = ""
	clientSecret = ""
	tenantID     = ""
	redirectURI  = "http://localhost:8080/callback"
)

// Requested scopes: the IMAP resource scope plus offline_access to obtain a refresh token.
var scopes = []string{"https://outlook.office.com/IMAP.AccessAsUser.All", "offline_access"}

func main() {
	// Initialize Microsoft confidential client
	msCred, err := confidential.NewCredFromSecret(clientSecret)
	if err != nil {
		log.Fatalf("could not create microsoft cred: %v", err)
	}
	app, err := confidential.New(fmt.Sprintf("https://login.microsoftonline.com/%s", tenantID), clientID, msCred)
	if err != nil {
		log.Fatalf("could not create microsoft confidential client: %v", err)
	}
	// The callback handler and the AcquireTokenByAuthCode call that complete the
	// repro are in the linked repository and are not shown here.
	_ = app
}
```
Expected behavior

Expected the token request not to fail because "offline_access" is not returned (as it SHOULD NOT be, per the OAuth2 spec). This is also stated as the expected behavior in this post made by a Microsoft official on the Q&A site: https://learn.microsoft.com/en-us/answers/questions/806413/scope-offline-access-isnt-being-returned-in-the-to

Actual behavior

An error is thrown from MSAL when calling app.AcquireTokenByAuthCode():

```
2023/05/07 13:15:59 could not exchange code for token: token response failed because declined scopes are present: offline_access
```

Possible solution

Add a special case for scopes which are not expected to be returned as granted, instead of failing the flow, e.g. the "offline_access" scope.

Additional context / logs / screenshots

Here is a link to a repo for reproduction of the issue: https://github.com/nohns/msal-go-offline-access-reproduced
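To make the failing check concrete, the following is an added example (not MSAL's own code) that models the declined-scope comparison on a token response. It parses a constructed token response in which the issuer returned a refresh token but, as the OAuth2 spec allows, left offline_access out of the scope field, and lists declined scopes both the way the reported version does and with the reserved scopes (offline_access, openid and profile, as named in the maintainer's reply) exempted, as the proposed fix suggests. The response body, the reserved set and the function names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Scopes an issuer may omit from a token response's "scope" field even though
// they took effect; MSAL adds them to every request itself (constructed set).
var reservedScopes = map[string]bool{"offline_access": true, "openid": true, "profile": true}

// tokenResponse carries the OAuth2 token-response fields used here.
type tokenResponse struct {
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope"` // space-separated granted scopes
}

// declinedScopes parses a raw token response and returns the requested scopes
// missing from its "scope" field. The reported MSAL build fails whenever this
// list is non-empty; with ignoreReserved set, reserved scopes are never
// reported, which is the special case the issue proposes.
func declinedScopes(requested []string, body []byte, ignoreReserved bool) ([]string, error) {
	var resp tokenResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	granted := map[string]bool{}
	for _, s := range strings.Fields(resp.Scope) {
		granted[s] = true
	}
	var declined []string
	for _, s := range requested {
		if granted[s] || (ignoreReserved && reservedScopes[s]) {
			continue
		}
		declined = append(declined, s)
	}
	return declined, nil
}

func main() {
	// Constructed response: refresh token issued, "offline_access" absent from "scope".
	body := []byte(`{"access_token":"at","refresh_token":"rt","scope":"https://outlook.office.com/IMAP.AccessAsUser.All"}`)
	req := []string{"https://outlook.office.com/IMAP.AccessAsUser.All", "offline_access"}
	for _, lenient := range []bool{false, true} {
		d, _ := declinedScopes(req, body, lenient)
		fmt.Printf("ignoreReserved=%v declined=%q\n", lenient, d)
	}
}
```

With ignoreReserved false the result is the single entry offline_access, which is exactly what the error in the issue reports; with it true the list is empty while a genuinely missing resource scope would still be flagged.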