[Bug] When using a third-party IdP the three "reserved" scopes are fixed and cannot be omitted #5102
Labels
needs attention
public-client
untriaged
Library version used
4.66.2
.NET version
.NET Framework 4.8 (but does not depend on the version of .NET)
Scenario
PublicClient - desktop app
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
"openid profile offline_access" are relevant and "mandatory" only if the target IdP is a Microsoft IdP (Entra, ADFS, B2C). Other IdP(s) even reject some of those scopes (especially when passed to the token endpoint).
The "reserved" scopes should be passed alongside the user-provided ones ONLY if the target IdP is a Microsoft one. For third-party identity providers, only user-provided scopes should be considered.
Relevant code snippets
Expected behavior
No response
Identity provider
Other
Regression
No response
Solution and workarounds
No response