2 votes

I've registered an application/client on https://apps.dev.microsoft.com/ requesting only the openid scope. When I try to access that application via a link like

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token+token&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&response_mode=form_post&redirect_uri=http://localhost:8765/test/response&scope=openid&state=123abc

one of the prompts on the authorization screen is "Access your data anytime". According to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#offlineaccess that prompt should only be shown when requesting offline_access. What can I do to have it not prompt for "Access your data anytime"?

These are the permissions requested in the app registration portal: [screenshot]

Kavindu Dodanduwa: It seems you are using the implicit flow, and that must not get a refresh token, so "access your data anytime" should not be present in the consent. Can you try putting a space instead of a '+' in the response type, as in response_type=id_token token?

vruum: So @KavinduDodanduwa, if I read you correctly, I shouldn't be prompted for "access your data anytime"? I tried removing the plus but... it's really just a URL-encoded space, so the difference is the same.

Kavindu Dodanduwa: Yes, that's correct. According to the docs you shouldn't get the consent page for this.

Wayne Yang: Hi @vruum, did you add the "Access your data anytime" delegated permission in the AAD application permissions?

vruum: Hi @WayneYang-MSFT, no, I've added a screenshot of the requested permissions in the developer portal to my original post.
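As an added example (not code from the question, the comments or the answer), a check over the authorize URL from the question: it decodes the request the way the endpoint does, which shows that '+' and '%20' in response_type give the same value, and lists what the request will prompt for and what it lacks. The client_id is the placeholder from the question; the nonce requirement is taken from OpenID Connect Core, not from this thread.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorize URL from the question, client_id left as a placeholder.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?response_type=id_token+token"
    "&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    "&response_mode=form_post"
    "&redirect_uri=http://localhost:8765/test/response"
    "&scope=openid&state=123abc"
)


def parse_authorize_request(url):
    """Decode a v2.0 authorize request into a dict of single-valued parameters.

    parse_qs turns both '+' and '%20' into a space, so response_type=id_token+token
    and response_type=id_token%20token decode to the same value. The space-separated
    parameters (response_type, scope) are returned as sets for order-free comparison.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    params["response_type"] = set(params.get("response_type", "").split())
    params["scope"] = set(params.get("scope", "").split())
    return params


def review_authorize_request(url):
    """Return findings about what the request will prompt for and what it is missing."""
    p = parse_authorize_request(url)
    findings = []
    if "offline_access" in p["scope"]:
        findings.append("offline_access requested: expect the 'Access your data anytime' prompt")
    if "token" in p["response_type"]:
        findings.append("implicit flow: tokens arrive in the response, no refresh token is issued")
    if "id_token" in p["response_type"] and not p.get("nonce"):
        # OpenID Connect Core 3.2.2.1 requires nonce when an id_token is requested in the implicit flow.
        findings.append("nonce missing: id_token cannot be bound to this request")
    if not p.get("state"):
        findings.append("state missing: response cannot be bound to this request")
    if p.get("response_mode") == "form_post":
        findings.append("response_mode=form_post: tokens are POSTed to redirect_uri, not placed in the URL fragment")
    return findings
```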

1 Answer

0 votes

Please note that it's not currently possible to remove the offline_access scope from the initial consent screen when using the v2 endpoint with an AAD account. When requesting tokens, the offline_access scope is still explicitly requested, though.