Skip offline access permission in Microsoft OIDC authorization

0
votes

I'm using this code

var app = ConfidentialClientApplicationBuilder.Create(AzureAdApplicationId)
   .WithTenantId("organizations")
   .WithRedirectUri(AzureAdRedirectUrl)
   .WithClientSecret(AzureAdSecretKey)
   .Build();

azureAdScopes = new List<string>() { "email" };

var signInRequest = app.GetAuthorizationRequestUrl(azureAdScopes);

var uri = await signInRequest.ExecuteAsync();

which produces the url

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=email+openid+profile+offline_access&...

All I need is the user's username and I don't need offline access to the user's account. How can I remove them from the scope?

1
oauth-2.0azure-active-directoryopenid-connect

1 Answers

1
votes

You could request the url without offline_access, but Azure AD v2.0 OAuth2 Account Consent Page automatically lists "Access your data anytime" even though offline_access is not specified in scope. This is an issue related.

The Note shows in the document:

At this time, the offline_access ("Maintain access to data you have given it access to") and user.read ("Sign you in and read your profile") permissions are automatically included in the initial consent to an application.