Closed odrozd closed 1 year ago
Scope is defined in the OAuth spec. It cannot be omitted when using MSAL.
@tnorling as per the OAuth spec:
Section 4.1.1 - the scope parameter is defined as optional.
Section 4.1.3 - the request body parameters for the /TOKEN endpoint DO NOT include a "scope" parameter.
My question is not about ignoring the "scope" parameter in general, but about having the ability to NOT include it when making a request to the /TOKEN endpoint, as per the OAuth2 specification.
Forcing this parameter when calling the /token endpoint makes MSAL not OAuth2 compliant.
Just ran into this issue.
Please re-open, @tnorling. As per @odrozd, this makes the library incompatible with latest versions.
Only workaround is to use https://github.com/AxaFrance/oidc-client/tree/main/packages/oidc-client at this point?
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
3.2.0
Wrapper Library
Not Applicable
Wrapper Library Version
N/A
Public or Confidential Client?
Public
Description
I am trying to use the MSAL browser library with an internal enterprise non-Azure AD Identity Provider to perform the OAuth2 Authorization Code (PKCE) flow for a SPA application.
I have successfully configured the MSAL PublicClientApplication with the proper configuration for a custom 'OIDC' compliant identity provider.
Initiating the login form and the authorize redirects works as expected, but there is an error when trying to obtain an access_token from the /token endpoint, since the Identity Provider rejects the request because it contains a nonstandard "scope" request body parameter.
My question is: is it possible to omit the "scope" request body parameter when making the POST request to the /token endpoint? From my understanding, this parameter is a Microsoft extension to the authorization code flow and is optional even for the Microsoft endpoint.
MSAL Configuration
No response
Relevant Code Snippets
No response
Identity Provider
Other
Source
External (Customer)
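
Added example, not part of the original issue and not MSAL code: the /token request body for the authorization code grant with PKCE, built from only the parameters named in RFC 6749 section 4.1.3 and RFC 7636 section 4.5, with a helper that reports any other parameter (such as "scope") found in an encoded body. The function names and all sample values are assumptions constructed for illustration.

```javascript
// Parameters defined for this request: RFC 6749 section 4.1.3, plus
// code_verifier from RFC 7636 section 4.5.
const TOKEN_REQUEST_PARAMS = ["grant_type", "code", "redirect_uri", "client_id", "code_verifier"];

// Build the application/x-www-form-urlencoded body for a public client.
function buildTokenRequestBody({ code, redirectUri, clientId, codeVerifier }) {
  for (const [name, value] of Object.entries({ code, clientId, codeVerifier })) {
    if (typeof value !== "string" || value.length === 0) {
      throw new TypeError(`${name} is required`);
    }
  }
  const body = new URLSearchParams();
  body.set("grant_type", "authorization_code");
  body.set("code", code);
  // redirect_uri is required only if it was sent in the authorization request.
  if (redirectUri) body.set("redirect_uri", redirectUri);
  body.set("client_id", clientId);
  body.set("code_verifier", codeVerifier);
  return body.toString();
}

// Report names outside the set above, and names sent more than once
// (RFC 6749 section 3.2 says parameters must not be repeated).
function auditTokenRequestBody(encodedBody) {
  const seen = new Set();
  const extra = [];
  const repeated = [];
  for (const [name] of new URLSearchParams(encodedBody)) {
    if (seen.has(name)) {
      if (!repeated.includes(name)) repeated.push(name);
      continue;
    }
    seen.add(name);
    if (!TOKEN_REQUEST_PARAMS.includes(name)) extra.push(name);
  }
  return { extra, repeated };
}

// Constructed sample values, not taken from any real identity provider.
const sample = {
  code: "SplxlOBeZQQYbYS6WxSbIA",
  redirectUri: "https://app.example/callback",
  clientId: "spa-client",
  codeVerifier: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
};
const compliantBody = buildTokenRequestBody(sample);
const bodyWithScope = compliantBody + "&scope=openid%20profile";
console.log(auditTokenRequestBody(compliantBody), auditTokenRequestBody(bodyWithScope));
```

Running the audit helper against a captured request body from the browser's network tab shows exactly which parameter a strict identity provider would be objecting to.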