Open marcotielen opened 6 months ago
You can totally do that:
- To create your own scopes, just create a web API whose app ID URI and scopes are like you want (you will need to have a verified domain): https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-expose-web-apis
Also if you want to augment claims, see https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-tokenissuancestart-configuration?tabs=azure-portal%2Cworkforce-tenant
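As an added example of the client side of the approach in the comment above (this is not code from the issue, from Microsoft, or from any linked document), the block below builds an Entra ID v2.0 authorize request that asks for the standard OIDC scopes plus a scope exposed by your own web API registration, and parses the scope list back out the way the server would read it. The tenant, client ID, redirect URI, the App ID URI `https://customscope.com` and the scope name `read` are placeholder assumptions; the one Entra-specific rule it encodes is that a custom scope must be fully qualified with the App ID URI of the API that exposes it, and that the scope parameter is space-delimited, not comma-delimited.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Entra ID v2.0 authorize endpoint. {tenant} is a tenant ID, a verified domain
# or "common"; the concrete values used below are placeholders (assumption).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Scopes the identity platform itself understands. Anything else must be
# fully qualified with the App ID URI of the web API that exposes it
# (e.g. api://<app-id>/read or https://customscope.com/read).
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def qualify_scope(app_id_uri: str, name: str) -> str:
    """Join an App ID URI and a scope name into the value a client sends."""
    return f"{app_id_uri.rstrip('/')}/{name}"


def check_scopes(scopes: list[str]) -> list[str]:
    """Reject the mistakes that make the authorization server refuse the request.

    The scope parameter is a space-delimited list (RFC 6749 section 3.3), so a
    comma-joined string is sent as a single bogus scope. A comma is technically
    a legal scope character, but no Entra scope contains one, so it is treated
    here as the separator mistake it almost always is.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    for s in scopes:
        if not s or any(c in s for c in " ,"):
            raise ValueError(f"not a valid scope token: {s!r}")
        if s not in OIDC_SCOPES and "://" not in s:
            raise ValueError(f"custom scope must carry its App ID URI: {s!r}")
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the openid scope")
    return scopes


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, nonce: str,
                        response_type: str = "id_token",
                        response_mode: str = "form_post") -> str:
    """Build the GET URL for the v2.0 authorize endpoint."""
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "response_mode": response_mode,
        "scope": " ".join(check_scopes(scopes)),  # space-delimited, encoded as %20
        "state": state,
        "nonce": nonce,
    }
    # quote (not quote_plus) so the separator becomes %20 rather than "+",
    # matching the form used in Microsoft's own request samples.
    query = urlencode(params, quote_via=quote, safe="")
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + query


def parse_scopes(url: str) -> list[str]:
    """Read the scope list back out of an authorize URL, as the server sees it."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    return query["scope"][0].split(" ")


if __name__ == "__main__":
    url = build_authorize_url(
        tenant="contoso.onmicrosoft.com",
        client_id="00001111-aaaa-2222-bbbb-3333cccc4444",
        redirect_uri="http://localhost/myapp/",
        scopes=["openid", "profile", qualify_scope("https://customscope.com", "read")],
        state="12345",
        nonce="678910",
    )
    print(url)
    print(parse_scopes(url))
```

The scope value is exactly what the web API registration exposes: its App ID URI followed by the scope name, and the App ID URI must be one the tenant can use (a verified domain for an `https://` URI, or the `api://<app-id>` form). A load balancer or other generic OIDC client that only lets you type a scope string still works with this, as long as it sends the list space-delimited.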
Then it's no longer the OIDC protocol as supported by many tools and platforms. All tools and platforms that support OIDC can't get custom scopes from Microsoft Entra.
I'm rather frustrated that the OpenID implementation of Azure doesn't support custom scopes. OpenID is supported in multiple technologies these days, but without custom scopes the use cases are severely limited.
As an example, I'm using OpenID through a standard implementation on a load balancer. This makes it easy to implement and reduces development efforts. Which is great, because the less effort security takes, the more people will implement best practices.
**Describe the solution you'd like**
Ability to add custom scopes to OpenID, similar to Auth0 as described in the below link: https://auth0.com/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims#authenticate-a-user-and-request-standard-claims-and-custom-api-access

```http
GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=form_post
&scope=openid%20https%3A%2F%2Fcustomscope.com%2F00003333-bbbb-1111-cccc-1111vvvv7777
&state=12345
&nonce=678910
```
**Describe alternatives you've considered**
Not using OpenID, which is generally available and supported.
**Additional context**
Please vote if you like this feature to be implemented!