AzureAD receives more scopes than requested
Open mooreds opened 1 year ago

Description
AzureAD receives more scopes than requested.

Affects versions
1.44.0

Steps to reproduce
Request a scope of openid or no scope.
When you look in the Azure AD logs, you see a request for a scope of openid profile email.

Expected behavior
Only the configured scopes should be requested.
Or we should document that we add additional scopes. I reviewed the code and didn't see where that happened, however.

Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context
Not super clear, but it looks like AzureAD sometimes adds/modifies scopes it is presented with? See https://stackoverflow.com/questions/66049996/openid-connect-authentication-azure-ad-scopes-confusion for a related example.
Internal: https://inversoft.slack.com/archives/C03EZ5270A3/p1683672993089729

Comment:
When you say "request a scope", do you mean the scope provided on the request to FusionAuth (/oauth2/authorize?client_id={client_id}&scope={openid}) or the scope configuration on the OIDC IdP config?
Is it possible Azure AD is defaulting this value? Can you see what FusionAuth is sending over the wire in a browser .har trace, or by enabling debug on the IdP, so we can see what we are sending to the Token endpoint?
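One way to do the wire-level check discussed in this issue, as an added example that is not part of the issue or of FusionAuth's code: parse a saved browser HAR file and list the scope parameter carried by each request to the IdP (query string or form body), then diff it against the scopes configured on the IdP. The HAR content, client id and endpoint URLs below are constructed sample data.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed HAR fragment (not a real capture): an authorize redirect that
# carries only "openid", and a token-endpoint form POST that carries more.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                            "?client_id=example-client&response_type=code&scope=openid"
                            "&redirect_uri=https%3A%2F%2Ffusionauth.example%2Foauth2%2Fcallback",
                     "postData": None}},
        {"request": {"method": "POST",
                     "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": "grant_type=authorization_code&code=abc"
                                          "&scope=openid%20profile%20email"}}},
    ]}
})


def scopes_sent(har_text):
    """Return [(endpoint, [scope, ...])] for every request that carries a scope."""
    found = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        params = parse_qs(url.query)
        post = req.get("postData") or {}
        # Form-encoded bodies can carry scope too (e.g. a token request).
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            params.update(parse_qs(post.get("text", "")))
        if "scope" in params:
            endpoint = url.path.rsplit("/", 1)[-1]
            found.append((endpoint, params["scope"][0].split()))
    return found


def unexpected_scopes(har_text, configured):
    """Per request: scopes on the wire that are not in the configured list."""
    return [(ep, sorted(set(sent) - set(configured)))
            for ep, sent in scopes_sent(har_text)]


if __name__ == "__main__":
    for endpoint, extra in unexpected_scopes(SAMPLE_HAR, ["openid"]):
        print(f"{endpoint}: extra scopes {extra or 'none'}")
```

Run it against a HAR exported from the browser's developer tools; only requests the browser itself made appear there, so a server-side token exchange needs the IdP debug logging instead.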