Reputation: 976
I'm using Spring Cloud API Gateway with OAuth2 and I'm facing an issue while trying to acquire an access token for a custom scope. My OAuth2 provider is Microsoft.
I need the access token to authenticate against my custom APIs, which require a custom scope. However, I've noticed that the /userinfo endpoint also needs to be called, and it requires an openid scope.
If I include both the openid and custom scopes, the request gets denied. If I exclude the openid, the call to /userinfo fails due to "insufficient scope".
So, how can I obtain an access token for my custom-scope API without affecting the /userinfo endpoint call?
```yaml
# Spring Cloud API Gateway OAuth2 client settings
spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            provider: microsoft
            client-id: xxx
            client-secret: xxx
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8080/login/oauth2/code/your-client
            scope: custom-scope # Can't add 'openid' here without the request failing
```
Upvotes: 1
Views: 224
Reputation: 29218
This behavior is specific to Azure AD. Your best bet is for the client to use only custom scopes. Then get user info via an API that exchanges the access token for one with rights to call the Graph API, using the On Behalf Of Flow. For more info see these resources of mine:
Upvotes: 0
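The On-Behalf-Of exchange the answer recommends, as an added Python example (not code from either post, from Spring or from Microsoft): the gateway keeps requesting only `custom-scope`, and the backend trades the access token it received for a Graph-scoped token that can call userinfo. The tenant id, client credentials, token strings and the `User.Read` scope are constructed placeholders; the `transport` stub stands in for login.microsoftonline.com so the block runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Grant type and token_use values defined by the Microsoft identity platform OBO flow.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def build_obo_request(client_id, client_secret, incoming_token, scopes):
    """Form fields for exchanging the custom-scope token for a downstream (Graph) token."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,        # the token the gateway received for the custom-scope API
        "scope": " ".join(scopes),          # what the new token must be valid for
        "requested_token_use": "on_behalf_of",
    }

def exchange_on_behalf_of(tenant_id, form, transport=None):
    """POST the form to the v2.0 token endpoint; `transport` lets tests stub the network."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode(form).encode()
    if transport is None:
        req = Request(url, data=body,
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urlopen(req, timeout=10) as resp:
            raw = resp.read()
    else:
        raw = transport(url, body)
    payload = json.loads(raw)
    if "access_token" not in payload:
        # AAD answers with error/error_description (e.g. invalid_grant); fail loudly rather
        # than fall back to sending the incoming custom-scope token to Graph.
        raise RuntimeError(f"OBO exchange failed: {payload.get('error')}: "
                           f"{payload.get('error_description')}")
    return payload

def fake_token_endpoint(url, body):
    """Constructed stand-in for AAD used offline: accepts only a well-formed OBO request."""
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if fields.get("grant_type") != OBO_GRANT or fields.get("requested_token_use") != "on_behalf_of":
        return json.dumps({"error": "invalid_request",
                           "error_description": "missing OBO fields"}).encode()
    return json.dumps({"token_type": "Bearer", "expires_in": 3599,
                       "access_token": "graph-token-constructed"}).encode()

if __name__ == "__main__":
    req = build_obo_request("client-id", "client-secret", "incoming-custom-scope-token",
                            ["https://graph.microsoft.com/User.Read"])
    print(exchange_on_behalf_of("tenant-id", req, transport=fake_token_endpoint))
```

The token returned by the exchange, not the gateway's custom-scope token, is the one to send as the Bearer credential to the userinfo endpoint.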