microsoft-identity-web: [Question] RequiredScope doesn't work (for web APIs called by daemon apps)

Which version of Microsoft Identity Web are you using?

1.21.1

Where is the issue?

  • Web API
    • Protected web APIs (validating scopes)

Is this a new or an existing app?

This is a new app or an experiment.

Repro

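    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Identity.Web.Resource;

    [Route("api/[controller]")]
    [ApiController]
    [Authorize]
    public class SomeController : ControllerBase
    {
        // Expected to reject tokens that lack the "myScopeName" scope.
        [RequiredScope("myScopeName")]
        public Task CreateSomething()
        {
            return Task.CompletedTask;
        }
    }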

Expected behavior

The request finishes with a 403 code when the scope myScopeNameM2M is passed.

Actual behavior

Request finishes with 200 code

Additional context / logs / screenshots / link to code

HttpContext.VerifyUserHasAnyAcceptedScope("myScopeName");

Works as expected.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17

Most upvoted comments

RequiredScope used to work as expected in this issue until version 1.17.0 of Microsoft.Identity.Web. It got broken in 1.18.0. See these issues: https://github.com/AzureAD/microsoft-identity-web/issues/1609 https://github.com/AzureAD/microsoft-identity-web/issues/1002.

In my case, adding the builder.Services.AddRequiredScopeAuthorization() statement to Program.cs made the RequiredScope attribute work.
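
A Program.cs showing where the registration from the last comment sits, alongside the issue's controller with the explicit scope check kept as a second layer (added example, not code from the issue or from the Microsoft.Identity.Web project). The "AzureAd" configuration section name, the [HttpPost] verb and the 204 response are assumptions.

```csharp
// Program.cs: added example for an ASP.NET Core web API using Microsoft.Identity.Web.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the "AzureAd" section holds the Instance, TenantId and ClientId settings.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// The statement from the comment above. Without it, the commenter's API
// answered 200 even though [RequiredScope] was present on the action.
builder.Services.AddRequiredScopeAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

app.UseAuthentication(); // must come before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[Route("api/[controller]")]
[ApiController]
[Authorize]
public class SomeController : ControllerBase
{
    [HttpPost] // assumption: the issue does not state the HTTP verb
    [RequiredScope("myScopeName")]
    public IActionResult CreateSomething()
    {
        // The explicit check the issue reports as working. Keeping it means the
        // action still rejects the call if attribute enforcement is not active.
        HttpContext.VerifyUserHasAnyAcceptedScope("myScopeName");
        return NoContent();
    }
}
```

After upgrading the package, send a token without myScopeName to this endpoint and confirm the response is 403 rather than 200.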