Azure AD Client Credentials /.default

  • Question

  • Hi,

    I'm looking to use Azure AD Client Credentials to secure server-to-server requests using the v2.0 endpoints.

    However, I've noticed that the scope parameter doesn't actually take in a scope but rather the app ID reference appended with /.default which forces you down the permissions route. You end up with roles in the token instead of scp (scopes).

    It feels as though Azure AD have followed the correct OAuth URL formats for the token exchange but deviated away from the actual parameter information.

    Is there a way to pass in actual scopes that the service requires instead of the /.default?

    Monday, August 12, 2019 4:19 PM

Answers

  • Hello HeyMega,

    No, there is no way to do that using Client Credentials against the v2.0 endpoint. Per the section here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

    scope Required

    The value passed for the scope parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default.
    This value tells the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the /.default scope, see the consent documentation.

    I'm sorry for the confusion. If you're interested in this feature, I suggest filing a request for this at: https://feedback.azure.com/forums/169401-azure-active-directory

    If there's enough community support, the product team will look into the issue and put it on the roadmap to implement.

    Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    • Proposed as answer by Frank Hu MSFT Monday, August 12, 2019 10:42 PM
    • Marked as answer by heymega Tuesday, August 13, 2019 8:46 AM
    Monday, August 12, 2019 10:42 PM
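As an added illustration (not code from the thread or from Microsoft), the request shape the answer describes and the consequence on the resource side: the body sent to the v2.0 token endpoint must carry `<application ID URI>/.default` as its scope, and the resulting app-only token carries permissions in `roles`, not `scp`, so a resource server has to authorize on `roles`. Tenant id, client id, secret and the two sample tokens are constructed placeholders; the JWT decoder here inspects claims only and does not verify signatures.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical placeholders: not a real tenant, app or secret.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

def build_token_request(client_id: str, client_secret: str, scope: str) -> str:
    """Form body for the v2.0 client credentials grant (POST to TOKEN_URL).
    Only '<application ID URI>/.default' is accepted as scope, so a concrete
    scope such as '.../User.Read.All' is refused before any request is sent."""
    if not scope.endswith("/.default"):
        raise ValueError("v2.0 client credentials requires '<app ID URI>/.default'")
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": scope, "grant_type": "client_credentials"})

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token: str) -> dict:
    """Decode the payload for inspection only; a resource server must still
    verify signature, iss, aud and exp before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def granted_permissions(claims: dict) -> tuple:
    """App-only tokens carry 'roles' (a list); delegated tokens carry 'scp'
    (a space-separated string). Returns (claim_name, permissions)."""
    if "roles" in claims:
        return "roles", list(claims["roles"])
    if "scp" in claims:
        return "scp", claims["scp"].split()
    return None, []

def authorize_app_only(claims: dict, required_role: str) -> bool:
    """Resource-side check: an app-only caller must carry the required application
    permission in 'roles'; a delegated token (scp only) is refused."""
    name, perms = granted_permissions(claims)
    return name == "roles" and required_role in perms

def _unsigned_jwt(payload: dict) -> str:
    """Constructed sample token (alg 'none', empty signature) for offline demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), ""])

APP_ONLY_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read"})
```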

All replies

  • Thank you for your response.

    It really feels like Microsoft's implementation here is against the OAuth specification. ".default" is fundamentally not a scope :(

    I'll raise it on feedback but I won't hold my breath.

    Tuesday, August 13, 2019 8:46 AM
  • Hey HeyMega,

    Unfortunately that is the case here, and I'm sorry that it doesn't seem to make a lot of sense. All changes made are in an effort to make the APIs and Azure AD more secure.

    I'll be sure to forward this feedback to the product team as well. Thanks for your contribution HeyMega.

    Tuesday, August 13, 2019 10:51 PM