microsoft-authentication-library-for-js: offline_access is incorrectly always added to scopes

Update (2023-01-19):

Since this issue was closed as won't fix, we’ve decided to port all our user management over to https://authress.io/; it supported everything we needed and doesn’t require non-standard OAuth configuration or a poor user experience.


Core Library: MSAL.js v2 (@azure/msal-browser)

Core Library Version: 2.14.1

Wrapper Library: Not Applicable

Wrapper Library Version: 2.0.0

Description: The offline_access scope is always being added even when it isn’t necessary, and it cannot be removed.

Error Message: No response

Msal Logs: No response

MSAL Configuration:

{}

Relevant Code Snippets:

// myMSALObj is an initialised PublicClientApplication from @azure/msal-browser
const loginRequest = {
  scopes: ['profile', 'email', 'openid']
};
// The authorize request built for this call also carries offline_access,
// which was never listed in loginRequest.scopes
const result = await myMSALObj.acquireTokenPopup(loginRequest);

Reproduction Steps:

Run the code and look at the requested scopes.

Expected Behavior: When scopes are specified, they are used and NOT added to.

Identity Provider: Azure AD / MSA

Browsers Affected (Select all that apply): Chrome, Firefox, Edge, Safari, Internet Explorer

Regression: No response

Source: External (Customer)
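The reproduction step above amounts to checking what the authorize request actually carries. The following is an added example (not part of this issue and not MSAL.js code) that audits the `scope` parameter of an authorize URL against the scopes the app intended; the URL, client_id and redirect_uri are constructed placeholders that mirror the behaviour the issue describes.

```javascript
// Added example: least-privilege audit of the scopes in an OAuth authorize
// request. Constructed sample URL: the app asked for profile/email/openid,
// but offline_access has been appended (the behaviour this issue reports).
const intendedScopes = ['profile', 'email', 'openid'];

const sampleAuthorizeUrl =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000' + // placeholder
  '&response_type=code' +
  '&redirect_uri=https%3A%2F%2Fexample.invalid%2Fredirect' + // placeholder
  '&scope=profile%20email%20openid%20offline_access' +
  '&code_challenge_method=S256';

// The scope parameter is a space-separated list (RFC 6749 section 3.3).
// Returns the individual scopes, or an empty array if none were sent.
function requestedScopes(authorizeUrl) {
  const scope = new URL(authorizeUrl).searchParams.get('scope') || '';
  return scope.split(/\s+/).filter(Boolean);
}

// Compares the scopes sent with the scopes intended.
//   extra:   scopes the user is asked to consent to that the app never wanted
//   missing: intended scopes that did not make it into the request
//   grantsRefreshToken: offline_access is what mints a refresh token, so it
//                       is flagged separately from the other extras
function auditScopes(authorizeUrl, intended) {
  const sent = requestedScopes(authorizeUrl);
  const wanted = new Set(intended);
  const sentSet = new Set(sent);
  return {
    sent,
    extra: sent.filter((s) => !wanted.has(s)),
    missing: intended.filter((s) => !sentSet.has(s)),
    grantsRefreshToken: sentSet.has('offline_access'),
  };
}

// Usage: run against the URL a popup or redirect flow is about to open.
console.log(auditScopes(sampleAuthorizeUrl, intendedScopes));
// → extra: ['offline_access'], missing: [], grantsRefreshToken: true
```

In a browser the URL to audit is the one visible in the popup window's address bar or in the network log when the flow starts.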

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 27 (4 by maintainers)

Most upvoted comments

Of course, users don’t want to approve access to offline when there is no reason. Our users are telling us, they don’t want to approve apps, if we ask for email or offline access. We don’t need those scopes, so we should be able to remove them, but the library prevents that.

Additionally it is just good security practice: principle of least privilege. This is common best security practice, which basically says: do not request more data or access than you absolutely need. And with OAuth, if we choose later to actually need that access we can ask the user for additional scopes.

It’s hard to fathom why an auth server requires offline_access to keep the user logged in to an SPA. Please go back and validate this; if so, that’s a huge concern. We expect that silent auth would use an Azure-domain HttpOnly/SameSite=Strict cookie or postMessage to a secure iframe to continue the session and generate a new access token, and not use a “refresh token” to generate a new access token. offline_access and refresh tokens are just that: offline access. They exist so that “our” services can impersonate the user when they are not logged in. Even the log-in message in the pop-up says this. They are NOT for SPAs.

Yes it is a scope, no it is a default scope. That part’s wrong. There are lots of scopes, and it is for the app developer to decide what scopes they want, not this library. The API works without the scopes; the library needs to be fixed.

Additionally, correct, the offline_access scope is required for refresh tokens. We don’t need a refresh token, ergo we don’t need this scope.

@wparad We will probably add some APIs to skip default scopes, please be on the lookout for PRs.

Just want to link this issue which is mine as well as this issue.

If one wants to control the session time in a B2C tenant (according to the multiple sources as seen in the first linked issue), the offline_access scope has to be omitted.

Just closing the issue won’t solve the problem folks.

This is super frustrating… It’s not about sign-in frequency.

In my case, I need to use the Xbox-specific scopes instead of the default ones. When I set the scopes to XboxLive.signin Xboxlive.offline_access it instead prompts my users to approve these on the consent screen: XboxLive.signin Xboxlive.offline_access offline_access openid profile

This gives my users the impression that I’m requesting much more information about their account than I need. They’re absolutely right to be wary, and now I have to find a way to implement the auth flows without this otherwise helpful library. 😦

The offline_access scope will not be removed from the defaults. If you want to control sign-in frequency to make sign-in more frequent for your users, please look into enabling Conditional Access and Sign-in Frequency.

Or, you know, use any of the other providers where this works correctly:

Or one of the hundreds of others that get this correct!

Is this issue planned or on a roadmap? Having a 30-day refresh token in browser storage is insecure and would force us to use another library if this is not fixed soon.

Refresh tokens for SPAs have a 24-hour lifetime. We currently do not have plans to remove the defaults; however, we will look into providing a way to turn off the defaults for those that don’t want them, though this work has not yet been scheduled. Please do be aware that not using the refresh token may result in more frequent interactive sign-ins, especially in browsers that block third-party cookies.

Good to know that AzureAD is another one of those repos that cares more about closing tickets than solving issues.