Mathias Rönnlund

Reputation: 4827

Skip offline access permission in Microsoft OIDC authorization

I'm using this code

using Microsoft.Identity.Client;
using System.Collections.Generic;

var app = ConfidentialClientApplicationBuilder.Create(AzureAdApplicationId)
   .WithTenantId("organizations")
   .WithRedirectUri(AzureAdRedirectUrl)
   .WithClientSecret(AzureAdSecretKey)
   .Build();

// Only the email scope is requested here; the scopes in the resulting URL are what MSAL emits.
var azureAdScopes = new List<string>() { "email" };

var signInRequest = app.GetAuthorizationRequestUrl(azureAdScopes);

var uri = await signInRequest.ExecuteAsync();

which produces the url

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=email+openid+profile+offline_access&...

All I need is the user's username and I don't need offline access to the user's account. How can I remove them from the scope?

Upvotes: 1

Views: 485

Answers (1)

unknown

Reputation: 7483

You could request the URL without offline_access, but the Azure AD v2.0 OAuth2 account consent page automatically lists "Access your data anytime" even though offline_access is not specified in the scope. This is a related issue.

The note in the documentation says:

At this time, the offline_access ("Maintain access to data you have given it access to") and user.read ("Sign you in and read your profile") permissions are automatically included in the initial consent to an application.

Upvotes: 2
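If the consent screen cannot be changed but the refresh token must not be issued, the request itself still has to omit offline_access: the v2.0 token endpoint only returns a refresh token when that scope was requested. MSAL's GetAuthorizationRequestUrl adds openid, profile and offline_access on its own, so the way to control the scope parameter exactly is to build the authorize URL by hand. The block below is an added example, not code from the question, the answer or MSAL; the client id and redirect URI are placeholders, and the state, nonce and PKCE parameters are included because a hand-built request has to supply them itself.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: build the Microsoft identity platform v2.0 authorize URL by hand so that
// "scope" carries only openid plus the scopes the app actually needs (no offline_access,
// hence no refresh token from the token endpoint). Placeholder client id / redirect URI.
public static class MinimalScopeAuthorizeUrl
{
    const string AuthorizeEndpoint =
        "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize";

    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Cryptographically random, URL-safe value for state, nonce and the PKCE verifier.
    static string RandomUrlSafe(int byteCount)
    {
        var buf = new byte[byteCount];
        RandomNumberGenerator.Fill(buf);
        return Base64Url(buf); // 32 bytes -> 43 characters, within the RFC 7636 verifier range
    }

    // PKCE S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    public static string CodeChallenge(string codeVerifier)
    {
        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
    }

    public static (string Url, string State, string Nonce, string CodeVerifier) Build(
        string clientId, string redirectUri, IEnumerable<string> extraScopes)
    {
        // openid is required to get an ID token; nothing else is added automatically.
        var scopes = new HashSet<string>(extraScopes) { "openid" };

        string state = RandomUrlSafe(32);
        string nonce = RandomUrlSafe(32);
        string codeVerifier = RandomUrlSafe(32);

        var parameters = new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["response_type"] = "code",
            ["redirect_uri"] = redirectUri,
            ["response_mode"] = "query",
            ["scope"] = string.Join(" ", scopes),
            ["state"] = state,
            ["nonce"] = nonce,
            ["code_challenge"] = CodeChallenge(codeVerifier),
            ["code_challenge_method"] = "S256",
        };

        string query = string.Join("&",
            parameters.Select(kv => $"{kv.Key}={Uri.EscapeDataString(kv.Value)}"));

        return (AuthorizeEndpoint + "?" + query, state, nonce, codeVerifier);
    }

    public static void Main()
    {
        // Placeholder values (assumptions); substitute the app registration's own.
        var request = Build(
            "00000000-0000-0000-0000-000000000000",
            "https://localhost:5001/signin-oidc",
            new[] { "email" });

        Console.WriteLine(request.Url);
        // Keep State, Nonce and CodeVerifier in the user's session: reject the callback if
        // state does not match, send CodeVerifier with the code to the token endpoint, and
        // check that the id_token's nonce claim equals Nonce before trusting its claims.
    }
}
```

Trading MSAL for a hand-built request means the token exchange and ID token validation (signature, issuer, audience, expiry, nonce) also become your responsibility; a standard OIDC library such as the ASP.NET Core OpenIdConnect handler can do that part while still letting you set the scope list explicitly.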
