Multiple scopes for different apis


Hello,

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x @azure/msal-browser@2.13.0

Framework

  • Angular
  • React
  • Other

Description

We have migrated from 1.4.6 to 2.13.0 because we wanted to switch from implicit auth to auth code flow. I have observed that it's not storing multiple access tokens for different scopes in local storage. There is only one and it returns that same access token for different scopes, which is wrong.

Error Message

MSAL Configuration

const msalConfig = {
  auth: {
    clientId: appConfig.APPLICATION_CLIENT_ID!,
    authority: appConfig.AUTHORITY_URL!,
    redirectUri: window.location.origin,
  },
}

// Provide configuration values here.
// For Azure B2C issues, please include your policies.

Reproduction steps

// Provide relevant code snippets here.
// For Azure B2C issues, please include your policies.

Expected behavior

Identity Provider

  • Azure AD
  • Azure B2C Basic Policy
  • Azure B2C Custom Policy
  • ADFS
  • Other

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Regression

  • Did this behavior work before? Yes in version: 1.4.6

Security

  • Is this issue security related? No

Source

  • Internal (Microsoft)
  • Customer request

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 12 (3 by maintainers)

Top GitHub Comments

3 reactions
tnorling commented, Mar 31, 2021

Thanks for the info shared here. We’re working with the B2C service to patch or revert a change that was rolled out late last week, ASAP. If you need an immediate resolution, setting forceRefresh: true, as mentioned above, is the suggested workaround.

0 reactions
tnorling commented, Apr 12, 2021

All, the server team has notified us that the rollback for this bug completed this afternoon. Closing, but let us know if this is still an issue and we can reopen.

The bug for this was related to a feature to allow refresh tokens to be redeemed for different access tokens. If your application needs to use more than 1 access token and you are receiving a blank access token in the server response please track issue #2315 for that feature. The bug has been fixed and the feature has begun rolling out again.
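The forceRefresh workaround from the comments above, paired with a check that each response is non-blank and was issued for the scopes requested, so one API's token is never forwarded to another. This is an added example, not code from the issue or from the MSAL project; `pca` is assumed to be an initialised PublicClientApplication from @azure/msal-browser 2.x, and the API names and scope URIs are constructed placeholders.

```javascript
// Added example. Pass only each API's own resource scopes; the scope URIs
// below are constructed placeholders, not values from the issue.
const API_SCOPES = {
  orders: ["https://contoso.onmicrosoft.com/orders-api/read"],
  billing: ["https://contoso.onmicrosoft.com/billing-api/read"],
};

// Returns the requested scopes that the token response does NOT grant.
// Comparison ignores case (an assumption made for this example).
function missingScopes(requested, granted) {
  const have = new Set((granted || []).map((s) => s.toLowerCase()));
  return requested.filter((s) => !have.has(s.toLowerCase()));
}

// Rejects a response that is blank or was issued for another API's scopes,
// the two symptoms described in this thread.
function checkTokenForScopes(result, requested) {
  if (!result || !result.accessToken) {
    throw new Error("blank access token in response");
  }
  const missing = missingScopes(requested, result.scopes);
  if (missing.length > 0) {
    throw new Error("token not issued for: " + missing.join(" "));
  }
  return result.accessToken;
}

// Acquires a token for one API. forceRefresh: true makes acquireTokenSilent
// skip the cached access token, which is the suggested workaround.
async function acquireTokenForApi(pca, account, apiName, forceRefresh = true) {
  const scopes = API_SCOPES[apiName];
  if (!scopes) throw new Error("unknown API: " + apiName);
  const result = await pca.acquireTokenSilent({ account, scopes, forceRefresh });
  return checkTokenForScopes(result, scopes);
}
```

Once the service-side fix is in place, `forceRefresh` can be passed as `false` to use the cache again while keeping the scope check.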
