AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and the stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on stackoverflow.com with the tags "msal" and "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Cannot put client id into scopes, therefore cannot get access_token for Azure B2C #505

Closed anch2150 closed 1 year ago

anch2150 commented 1 year ago

According to Azure B2C documentation, to get an access_token, client id must be added to scopes, i.e. scopes=['openid', 'offline_access', '<CLIENT_ID>'].

The OpenID Connect standard specifies several special scope values. The following scopes represent the permission to access the user's profile:

  • openid - Requests an ID token.
  • offline_access - Requests a refresh token using Auth Code flows.
  • 00000000-0000-0000-0000-000000000000 - Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID.

However, _decorate_scope will replace the client id with ['openid', 'profile', 'offline_access'], which does not generate an access_token.

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/545e856124985da4758530ab811d2c137fa8e333/msal/application.py#L591
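
The behaviour described in this report, as an added example that is not MSAL's own code: a small model of how a scope list is "decorated" before it is sent to Azure AD B2C, with a `before` function that reproduces the behaviour reported above (the client id is swallowed and only the reserved scopes remain) and an `after` function that keeps the client id as a resource scope. The function names, the `b2c_token_types` rule of thumb, the placeholder client id and the single-resource check are this example's assumptions; the library's merged fix may differ from it.

```python
"""Model of MSAL-style scope decoration for Azure AD B2C (added example, not MSAL code)."""

# Scopes MSAL adds on the caller's behalf; callers are not expected to pass them.
RESERVED_SCOPES = frozenset(["openid", "profile", "offline_access"])

# Placeholder taken from the B2C docs quoted in the issue; any real app uses its own id.
EXAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def decorate_scope_before(scopes, client_id):
    """Behaviour reported in the issue: a client id in `scopes` is replaced by the
    reserved scopes, so the request no longer names any resource."""
    scope_set = set(scopes) - RESERVED_SCOPES
    if client_id in scope_set:
        return sorted(RESERVED_SCOPES)
    return sorted(scope_set | RESERVED_SCOPES)


def decorate_scope_after(scopes, client_id):
    """Illustrative fix (assumption, not the project's implementation): keep the
    client id as the resource scope and add the reserved scopes around it."""
    scope_set = set(scopes) - RESERVED_SCOPES
    if client_id in scope_set and len(scope_set) > 1:
        # An access token carries a single audience, so the app's own client id
        # cannot be combined with scopes for another API in one request.
        raise ValueError("the client id cannot be combined with other resource scopes")
    return sorted(scope_set | RESERVED_SCOPES)


def b2c_token_types(decorated_scopes):
    """Which tokens a B2C token endpoint would issue for a decorated scope list,
    following the rules quoted from the B2C docs: openid -> id_token,
    offline_access -> refresh_token, and a resource scope (for example the
    app's own client id) -> access_token. Simplified model, not a B2C spec."""
    tokens = set()
    if "openid" in decorated_scopes:
        tokens.add("id_token")
    if "offline_access" in decorated_scopes:
        tokens.add("refresh_token")
    if any(s not in RESERVED_SCOPES for s in decorated_scopes):
        tokens.add("access_token")
    return tokens


if __name__ == "__main__":
    requested = ["openid", "offline_access", EXAMPLE_CLIENT_ID]  # as the B2C docs recommend
    for label, fn in (("before", decorate_scope_before), ("after", decorate_scope_after)):
        decorated = fn(requested, EXAMPLE_CLIENT_ID)
        print(label, decorated, "->", sorted(b2c_token_types(decorated)))
```

Running the script shows the difference the reporter hit: the "before" list is `['offline_access', 'openid', 'profile']` and yields only an id_token and refresh_token, while the "after" list still contains the client id and therefore also yields an access_token for the app's own API.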

rayluo commented 1 year ago

So, did you end up seeing this exception?

What if you use scopes=['<YOUR_CLIENT_ID>'] alone?

anch2150 commented 1 year ago

Here are my experiments:

rayluo commented 1 year ago

@anch2150 , thanks again for bringing this to our attention. We worked out a PR for it. You may want to test it out, because the implementation is slightly different than the last bullet point that you mentioned above. Hope we can hear back from you within a day or two, before we proceed to merge in that PR.