MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Nondeterministic Scope Name? #106968

Closed moehoward003 closed 1 year ago

moehoward003 commented 1 year ago

Hello,

Usually when developing software, one would like to design code that is deterministic. I had two questions on this as it relates to this article:

1) I am wondering why the scope could be either one of the two noted in this article, as quoted below from the article:

What is verified? The [RequiredScope] attribute and VerifyUserHasAnyAcceptedScope method do something like the following steps:

Verify there's a claim named http://schemas.microsoft.com/identity/claims/scope or scp.

2) Why does the .NET framework (.NET 6.0 for my testing) take a JWT that has a "scp" claim for scope (when viewed in jwt.ms), but when the .NET code populates the HttpContext.User ClaimsPrincipal, the scope is named (is 'scp' renamed?) "http://schemas.microsoft.com/identity/claims/scope"?

Thanks.


Naveenommi-MSFT commented 1 year ago

@moehoward003 Thanks for your feedback! We will investigate and update as appropriate.

AjayBathini-MSFT commented 1 year ago

Hi @moehoward003

Regarding your first question: the reason the scope could be either one of the two noted in the article is that the VerifyUserHasAnyAcceptedScope method verifies that the token has at least one of the accepted scopes. If the token has any of the accepted scopes, the method returns true. If the token doesn't have any of the accepted scopes, the method returns false. The method doesn't care which of the accepted scopes the token has, as long as it has at least one of them.

As for the second one: the reason the .NET framework renames the "scp" claim to "http://schemas.microsoft.com/identity/claims/scope" is to provide a standardized claim name for the scope claim in compliance with the OpenID Connect and OAuth 2.0 specifications.

When a JWT token is received by the application, the .NET framework validates the token and creates a ClaimsPrincipal object that represents the authenticated user. The ClaimsPrincipal object contains a collection of claims, including the scope claim. However, the naming of claims can differ between identity providers and protocols, and so the framework normalizes the name of the scope claim to "http://schemas.microsoft.com/identity/claims/scope" to ensure consistency.

This normalization of claim names allows developers to write code that is more deterministic and interoperable across different identity providers and protocols. It also allows the framework to provide a standard way of accessing and validating claims in a consistent manner.

Therefore, even though the "scp" claim is used in Azure AD's implementation of OAuth 2.0, the .NET framework renames it to "http://schemas.microsoft.com/identity/claims/scope" to provide a standardized claim name for the scope claim.

If there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.
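To make both points in this thread concrete, here is an added example (not Microsoft.Identity.Web's own code and not from the azure-docs article) of a scope check that looks for the scope claim under either name the article lists, "scp" and "http://schemas.microsoft.com/identity/claims/scope", and passes if the token carries at least one of the accepted scopes. The principals it builds are constructed in code, not real tokens; the only assumption is that scope values are space-separated, as in Azure AD access tokens.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example, not Microsoft.Identity.Web code: an "any accepted scope" check
// that is stable regardless of whether the inbound claim-type mapping renamed "scp".
public static class ScopeCheck
{
    // Short name as it appears in the raw JWT (for example on jwt.ms).
    public const string ScpShort = "scp";

    // Long name the .NET claims pipeline maps "scp" to in HttpContext.User.
    public const string ScpLong = "http://schemas.microsoft.com/identity/claims/scope";

    // Returns true when the principal has a scope claim (under either name)
    // containing at least one of the accepted scopes. This is an authorization
    // check; it assumes the token's signature, issuer and audience were already
    // validated by the JWT bearer middleware.
    public static bool HasAnyAcceptedScope(ClaimsPrincipal user, params string[] acceptedScopes)
    {
        if (user is null) throw new ArgumentNullException(nameof(user));
        if (acceptedScopes is null || acceptedScopes.Length == 0)
            throw new ArgumentException("At least one accepted scope is required.", nameof(acceptedScopes));

        // Look under both names so the result does not depend on claim mapping.
        Claim scopeClaim = user.FindFirst(ScpLong) ?? user.FindFirst(ScpShort);
        if (scopeClaim is null) return false;

        // Assumption: scope values are space-separated ("access_as_user Files.Read").
        string[] granted = scopeClaim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries);

        // Exact, case-sensitive comparison: scope names are opaque identifiers,
        // so a looser match would widen what the token is allowed to do.
        return granted.Any(scope => acceptedScopes.Contains(scope, StringComparer.Ordinal));
    }

    public static void Main()
    {
        string[] accepted = { "access_as_user" };

        // Constructed sample principals (no real tokens involved).
        var rawJwtStyle = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ScpShort, "access_as_user Files.Read") }, "Bearer"));
        var mappedStyle = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ScpLong, "Files.Read") }, "Bearer"));
        var noScope = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("sub", "user-id-placeholder") }, "Bearer"));

        Console.WriteLine($"short-name claim, matching scope: {HasAnyAcceptedScope(rawJwtStyle, accepted)}");
        Console.WriteLine($"long-name claim, other scope:     {HasAnyAcceptedScope(mappedStyle, accepted)}");
        Console.WriteLine($"no scope claim:                   {HasAnyAcceptedScope(noScope, accepted)}");
    }
}
```

Checking both claim names is what removes the nondeterminism the question describes: if the application turns off inbound claim-type mapping (JwtBearerOptions.MapInboundClaims = false), the claim keeps its short "scp" name, and a check that only knew the long name would start failing closed for every caller. Failing closed is the right default, but it is easier to reason about when the check is written against both names from the start.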