FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

AzureAD receives more scopes than requested #2260

Open mooreds opened 1 year ago

mooreds commented 1 year ago


Description

AzureAD receives more scopes than requested.

Affects versions

1.44.0

Steps to reproduce

Expected behavior

Only the configured scopes should be requested.

Or we should document that we add additional scopes. I reviewed the code and didn't see where that happened, however.


Additional context

Not super clear, but it looks like AzureAD sometimes adds/modifies scopes it is presented with? See https://stackoverflow.com/questions/66049996/openid-connect-authentication-azure-ad-scopes-confusion for a related example.

Internal: https://inversoft.slack.com/archives/C03EZ5270A3/p1683672993089729

robotdan commented 1 year ago

> Request a scope of openid or no scope.

When you say "request a scope", do you mean the scope provided on the request to FusionAuth? /oauth2/authorize?client_id={client_id}&scope={openid} or the scope configuration on the OIDC IdP config?

> When you look in the Azure AD logs, you see a request for a scope of openid profile email

Is it possible Azure AD is defaulting this value? Can you see what FusionAuth is sending over the wire in a browser .har trace, or by enabling debug on the IdP, so we can see what we are sending to the Token endpoint?
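The check robotdan is asking for above, as an added example that is not FusionAuth's code or part of the original thread: read a browser HAR export, find the authorization requests in it, and compare the scope parameter that actually went over the wire against the scopes configured on the IdP. The sample HAR below is constructed for illustration (the URLs, client_id and redirect_uri are placeholders, not a real capture); the only assumption baked into the matcher is that an authorization request has "/authorize" in its path, which holds for both FusionAuth's /oauth2/authorize and Azure AD's /oauth2/v2.0/authorize.

```python
"""Report OIDC scopes that were sent on the wire but never configured.

Added example, not FusionAuth code. Works on a HAR file saved from the
browser's network tab, so it shows what the client actually requested
rather than what the IdP's logs later recorded.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Path fragment identifying an authorization request (assumption: covers
# FusionAuth's /oauth2/authorize and Azure AD's /{tenant}/oauth2/v2.0/authorize).
AUTHORIZE_MARKER = "/authorize"


def scopes_in_url(url):
    """Return the set of scopes carried in a URL's scope query parameter."""
    query = parse_qs(urlsplit(url).query)
    # scope is a space-delimited list (RFC 6749 section 3.3); '+' in the
    # query string is decoded to a space by parse_qs. Tolerate a repeated
    # scope parameter by merging all of its values.
    return {s for value in query.get("scope", []) for s in value.split()}


def authorize_requests(har):
    """Yield the URL of every authorization request in a HAR document."""
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if AUTHORIZE_MARKER in urlsplit(url).path:
            yield url


def unexpected_scopes(har, configured):
    """Map each authorization URL to the sorted scopes it sent that were
    not in the configured list. 'openid' is always allowed because an OIDC
    authorization request must carry it regardless of configuration."""
    allowed = set(configured) | {"openid"}
    return {url: sorted(scopes_in_url(url) - allowed)
            for url in authorize_requests(har)}


def load_har(path):
    """Load a HAR file from disk (HAR is plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample HAR, not a real capture. The first authorize request
# carries profile and email that were never configured; the second only
# carries openid; the token request is not an authorization request.
SAMPLE_HAR = {
    "log": {"entries": [
        {"request": {"method": "GET", "url":
            "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=example-client&response_type=code"
            "&scope=openid+profile+email"
            "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&state=s1"}},
        {"request": {"method": "GET", "url":
            "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=example-client&response_type=code&scope=openid"
            "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&state=s2"}},
        {"request": {"method": "POST", "url":
            "https://login.microsoftonline.com/common/oauth2/v2.0/token"}},
    ]}
}

if __name__ == "__main__":
    # Replace SAMPLE_HAR with load_har("trace.har") for a real export.
    for url, extra in unexpected_scopes(SAMPLE_HAR, ["openid"]).items():
        print("extra scopes:", extra or "none", "in", url)
```

If the extra scopes show up here, the client (FusionAuth or whatever built the redirect) added them before the request left the browser; if they are absent here but present in the Azure AD sign-in logs, the IdP is defaulting them on its side, which is the distinction the two comments above are trying to draw.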