
SCP is missing in access token claims


Unable to get scp="access_as_user" in the access token claims. I want an OAuth 2.0 access token that carries scp="access_as_user" in its claims.

Library

  • @azure/msal-angular: ^1.0.0-beta.2
  • msal: ^1.2.2-beta.0

Description

I am trying to get the scp claim from the access token using the msal-angular 1.0.0 beta version in my SPA application. Please refer to the steps below:

  1. Define MsalModule.forRoot({}) with all the information, and consentScopes set to 'api://xxxxxxx-xxxxxxx-xxxxxxxx-xxxxxxxx/access_as_user' (the scope exposed in the Azure portal for the API app).
  2. Call the this.authService.loginRedirect() method to get the id_token.
  3. In the success callback of the login redirect, I called the method below to get an access token: this.authService.acquireTokenSilent(accessTokenRequest);

But 'acquireTokenSilent' doesn't return an OAuth 2.0 token; rather, it returns either the same id_token or a v1.0 access token, which is not useful for me to get scp in the claims.

Thanks

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments:14 (4 by maintainers)

Top GitHub Comments

1 reaction
sameerag commented, Feb 18, 2020

@vaibhav915 Your token depends on the scopes requested/permitted for your app and the authority that grants the token to those scopes. access_as_user used to be a default scope provided by the app portal registration experience but the new UI requires one to explicitly add this as a supported scope now.

From what I gather, the request above does not request this scope explicitly and hence you do not see it in the token. Can you please add it in the scopes part of the request and verify? I tested this and it works in a sample app for me.

Also, as good practice, we recommend not opening access_tokens in your application.

0 reactions
jwar-gilson commented, Jun 18, 2020

@jasonnutter I was able to get the correct access token after login. In the msal:loginSuccess broadcast callback, I put in the code below. I verified the token on jwt.ms, I am seeing scp > access_as_user, and I was able to verify the token on the API.

https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles#verify-scopes-in-apis-called-on-behalf-of-users

CLIENT

      const tokenRequest = {
        // the API scope exposed in the portal, e.g. "api://<api-app-id>/access_as_user"
        scopes: [environment.resources.api.resourceScope]
      };

      // acquireTokenSilent returns a Promise<AuthResponse>; the token is in response.accessToken
      this.authService.acquireTokenSilent(tokenRequest)
        .then(response => console.log(response.accessToken));

I am now running into an issue with VerifyUserHasAnyAcceptedScope not finding the scp, but after dropping the method into my code and making some modifications, I was able to verify the scope. This is another issue I need to figure out 😄

API

    using System;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Security.Claims;
    using Microsoft.AspNetCore.Mvc;

    // Lives inside a ControllerBase-derived controller, so HttpContext is available.
    private void VerifyUserHasAnyAcceptedScope(params string[] acceptedScopes)
    {
        if (acceptedScopes == null)
        {
            throw new ArgumentNullException(nameof(acceptedScopes));
        }
        var context = HttpContext;
        // The JWT handler's inbound claim-type map renames "scp" to the long URI form
        // when it builds the ClaimsPrincipal, so look for both spellings.
        Claim scopeClaim = context?.User?.FindFirst("http://schemas.microsoft.com/identity/claims/scope")
                           ?? context?.User?.FindFirst("scp");
        if (scopeClaim == null || !scopeClaim.Value.Split(' ').Intersect(acceptedScopes).Any())
        {
            context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            string message = $"The 'scope' claim does not contain scopes '{string.Join(",", acceptedScopes)}' or was not found";
            throw new HttpRequestException(message);
        }
    }
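The two comments above say the same thing from both sides: request the API scope explicitly (sameerag), then confirm on jwt.ms that the token you got back carries it (jwar-gilson). The following is an added example, not code from the issue, from msal-angular or from Microsoft.Identity.Web: an offline version of the jwt.ms check that decodes a token's payload and reports which of the three things the reporter saw it is (the id_token, a token for another resource, or the API token with scp). It does not verify signatures; it is a debugging aid, not validation, and the API must still validate issuer, audience, signature and expiry. Every client id, tenant id and token below is a constructed placeholder, and the scope-request object mirrors the one in the comment.

```javascript
// Added example (not from the issue, msal-angular or Microsoft.Identity.Web).
// Decodes a JWT payload WITHOUT verifying the signature and explains why the
// token would fail the API's scp check. All identifiers are constructed.

const SPA_CLIENT_ID = "11111111-1111-1111-1111-111111111111"; // constructed
const API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"; // constructed
const API_APP_ID_URI = `api://${API_CLIENT_ID}`;              // "Expose an API" URI
const TENANT_ID = "33333333-3333-3333-3333-333333333333";     // constructed

// The request the maintainer asks for: the API scope named explicitly.
// One resource per request: mixing e.g. "User.Read" (Graph) into this array
// makes the v2.0 endpoint refuse to issue a single token for both.
const tokenRequest = { scopes: [`${API_APP_ID_URI}/access_as_user`] };

function toB64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

function fromB64url(s) {
  const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Builds a syntactically valid but UNSIGNED compact JWS for the samples below.
function constructedJwt(payload) {
  const header = { typ: "JWT", alg: "none" };
  return `${toB64url(JSON.stringify(header))}.${toB64url(JSON.stringify(payload))}.`;
}

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (header.payload.signature)");
  return JSON.parse(fromB64url(parts[1]));
}

// Same decision as VerifyUserHasAnyAcceptedScope on the API side, plus the two
// audience shapes Azure AD uses: v1.0 tokens carry the App ID URI in aud,
// v2.0 tokens carry the API's client id.
function checkAccessToken(jwt, acceptedScopes) {
  const claims = decodePayload(jwt);
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  const problems = [];
  if (![API_CLIENT_ID, API_APP_ID_URI].includes(claims.aud)) {
    problems.push(`aud is "${claims.aud}": token was issued for another resource`);
  }
  if (claims.nonce !== undefined && scopes.length === 0) {
    problems.push("nonce present and no scp: this is the id_token, not an access token");
  }
  if (scopes.length === 0) {
    problems.push("no scp claim (delegated scope was not requested or not consented)");
  } else if (!scopes.some((s) => acceptedScopes.includes(s))) {
    problems.push(`scp "${claims.scp}" contains none of: ${acceptedScopes.join(", ")}`);
  }
  return { ver: claims.ver, aud: claims.aud, scopes, ok: problems.length === 0, problems };
}

// Three constructed tokens modelling what the reporter saw.
const ID_TOKEN = constructedJwt({     // what loginRedirect() hands back
  ver: "2.0", aud: SPA_CLIENT_ID, tid: TENANT_ID, nonce: "abc123",
  preferred_username: "user@example.com",
});
const GRAPH_TOKEN = constructedJwt({  // acquireTokenSilent with ["User.Read"]
  ver: "1.0", aud: "https://graph.microsoft.com", tid: TENANT_ID, scp: "User.Read",
});
const API_TOKEN = constructedJwt({    // acquireTokenSilent with tokenRequest above
  ver: "2.0", aud: API_CLIENT_ID, tid: TENANT_ID, scp: "access_as_user",
});

// Runs the check over all three so the difference is visible side by side.
function diagnoseAll(acceptedScopes = ["access_as_user"]) {
  return {
    id_token: checkAccessToken(ID_TOKEN, acceptedScopes),
    graph: checkAccessToken(GRAPH_TOKEN, acceptedScopes),
    api: checkAccessToken(API_TOKEN, acceptedScopes),
  };
}
```

Paste a real token's payload into checkAccessToken only on a developer machine, and treat the result as the same kind of hint jwt.ms gives: the aud and ver fields tell you which endpoint and resource the token was minted for, and the absence of scp on a token whose aud is your own SPA client id means you are holding the id_token, which is what the reporter's step 3 was returning.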
