MSAL js, Does extraScopesToConsent function properly during the loginRedirect workflow?


I am using the @azure/msal-browser library v3.9.0.

I am attempting to follow the MSAL docs guide for granting consent to multiple api resource scopes during the Login Redirect workflow:

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/resources-and-scopes.md

In my loginRequest object, I am adding scopes of 'openid profile offline_access'; I am also adding the extraScopesToConsent property with two API scopes.

Once the loginRedirect code fires, I am getting an error output from the library code:

ServerError: invalid_request: AADB2C90146: The scope 'api://myCustomApiClientId/My.Scope.A api://myCustomApiClientId/My.Scope.B openid profile offline_access' provided in request specifies more than one resource for an access token, which is not supported. Correlation ID: 999999999-9999-9999-9999-94e80a59414d Timestamp: 2024-02-12 17:28:15Z

(In the samples below I have obscured the clientId, scopes, etc., since this is for the purpose of demonstrating the bug.)

My login request looks like this:


const loginRequest: RedirectRequest = {
    scopes: ['openid profile offline_access'],
    loginHint: '[email protected]',
    domainHint: 'gmail.com',
    extraScopesToConsent: [
        'api://myCustomApiClientId/My.Scope.A',
        'api://myCustomApiClientId/My.Scope.B'
    ],
    redirectStartPage: redirectUrl.toString()
};

...

// Start the "prompted" login workflow
this._publicClientApplicationApi.loginRedirect(loginRequest);

When I look in the network tab, I am seeing the resulting call to the "authorize" endpoint:

https://my.b2ctest.com/login.onmicrosoft.com/b2c_1a_v1_signup_signin/oauth2/v2.0/authorize?client_id=9999999-9999-9999-9999-99999999999&scope=api%3A%2F%2FmyCustomApiClientId%2FMy.Scope.A%20pi%3A%2F%2FmyCustomApiClientId%2FMy.Scope.B%20openid%20profile%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A4500&client-request-id=99999999-acf4-9999-bacb-0731639072d3&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=3.9.0&client_info=1&code_challenge=9999999ZnpUskJ3FM52gWfepapm0xZWY12U9999Tkqw&code_challenge_method=S256&domain_hint=gmail.com&login_hint=myemail%40gmail.com&X-AnchorMailbox=UPN%3Amyemail%40gmail.com&nonce=018d9e94-acf7-7cf6-b9e1-956c2b758fe2&state=eyJpZCI9999xOGQ5ZTk0LWFjZjYt9999MS1iOTJiLTI3YTk9999kNzJkOSIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0%3D

What I am noticing in this network request to the authorize endpoint is that the "scopes" and "extraScopesToConsent" properties are being combined into a single "scope" query parameter. This seems incorrect, as these are two separate properties. I have then traced into the code and, in fact, have seen where these two properties are being combined. Here are the MSAL files of note:

Here on line 502, you can see that the RedirectRequest is combining the scopes and extraScopesToConsent into a single array and calling addScopes().

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/src/client/AuthorizationCodeClient.ts#L502

Here in the RequestParameterBuilder.addScopes() line 88, we can see that the scopes are converted into a single parameter. The extraScopesToConsent are just scopes at this point. There is no longer any way to differentiate the two original RedirectRequest properties.

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/src/request/RequestParameterBuilder.ts#L88

Here are the parameter keys; notice that there is no extraScopesToConsent parameter available:

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/src/constants/AADServerParamKeys.ts#L12

I am thinking this may be a bug. Once the scopes are combined, it throws an error because it thinks I am requesting access tokens for multiple scopes. At this point all I want is to consent to the extra scopes, and I plan to request access tokens during the acquireTokenSilent() workflow. Can you please let me know if there is a way during loginRedirect to pass extraScopesToConsent as a separate parameter so that they are only consented to and no attempt is made to retrieve an access token for them? The way it currently works makes it seem like extraScopesToConsent is not working properly.

Thanks!

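The merging behaviour the question describes can be checked before loginRedirect() ever fires, by rebuilding the single "scope" query parameter the request will produce and comparing it with what appears in the captured authorize URL. The following is an added example and is not MSAL code or code from the question: the merge order (extraScopesToConsent first, then scopes) is copied from the authorize URL captured in the question, the sample request is the one posted above, the shortened authorize URL is constructed from that capture, and the "everything before the last '/' is the resource" grouping is an assumption for illustration, since the question does not say how B2C decides that scopes span more than one resource.

```javascript
// Added example, not part of the question or of MSAL. It mirrors the scope
// merging the question observed (scopes + extraScopesToConsent -> one "scope"
// query parameter) and gives a pre-flight check to run on a RedirectRequest
// before calling loginRedirect().

// Reserved OIDC scopes; these are not treated as a "resource" below.
const OIDC_SCOPES = new Set(["openid", "profile", "offline_access", "email"]);

// Split space-separated entries (the question's request passes
// 'openid profile offline_access' as a single array element), trim, and
// dedupe while keeping first-seen order.
function normalizeScopes(list) {
  const out = [];
  for (const entry of list || []) {
    for (const s of String(entry).trim().split(/\s+/)) {
      if (s && !out.includes(s)) out.push(s);
    }
  }
  return out;
}

// Reproduce the single "scope" parameter that ends up on the wire.
// Order (extraScopesToConsent first, then scopes) is taken from the captured
// authorize URL in the question, not from MSAL's source.
function buildScopeParam(request) {
  return normalizeScopes([
    ...(request.extraScopesToConsent || []),
    ...(request.scopes || []),
  ]).join(" ");
}

// Pull the scope list back out of a captured authorize URL (network tab).
function scopesFromAuthorizeUrl(url) {
  const scope = new URL(url).searchParams.get("scope") || "";
  return scope.split(" ").filter(Boolean);
}

// Group resource-style scopes by resource identifier.
// ASSUMPTION: the text before the last "/" is the resource, e.g.
// "api://clientId/My.Scope.A" -> "api://clientId". This is a heuristic for
// the example; the question does not state how B2C groups scopes.
function resourcesIn(scopes) {
  const byResource = new Map();
  for (const s of scopes) {
    if (OIDC_SCOPES.has(s)) continue;
    const idx = s.lastIndexOf("/");
    const resource = idx > 0 ? s.slice(0, idx) : s;
    if (!byResource.has(resource)) byResource.set(resource, []);
    byResource.get(resource).push(s);
  }
  return byResource;
}

// Pre-flight check: what will actually be sent, which resources the merged
// list touches, and whether more than one resource is present.
function preflight(request) {
  const merged = buildScopeParam(request).split(" ").filter(Boolean);
  const resources = resourcesIn(merged);
  return {
    scopeParam: merged.join(" "),
    resources: [...resources.keys()],
    multiResource: resources.size > 1,
  };
}

// Constructed input: the request from the question (hint fields omitted).
const loginRequest = {
  scopes: ["openid profile offline_access"],
  extraScopesToConsent: [
    "api://myCustomApiClientId/My.Scope.A",
    "api://myCustomApiClientId/My.Scope.B",
  ],
};

// Constructed input: the question's captured authorize URL, shortened to the
// parameters this check needs.
const capturedAuthorizeUrl =
  "https://my.b2ctest.com/login.onmicrosoft.com/b2c_1a_v1_signup_signin/oauth2/v2.0/authorize" +
  "?client_id=9999999-9999-9999-9999-99999999999" +
  "&scope=api%3A%2F%2FmyCustomApiClientId%2FMy.Scope.A%20api%3A%2F%2FmyCustomApiClientId%2FMy.Scope.B%20openid%20profile%20offline_access" +
  "&response_type=code&response_mode=fragment";

// Does the rebuilt parameter match what was captured on the wire?
function matchesCapture(request, url) {
  return buildScopeParam(request) === scopesFromAuthorizeUrl(url).join(" ");
}

console.log(preflight(loginRequest));
console.log("matches capture:", matchesCapture(loginRequest, capturedAuthorizeUrl));
```

Running this on the posted request shows the two properties collapsing into one parameter exactly as the captured URL does, which is the point of the question; under the example's grouping heuristic the merged list names a single resource, so whatever rule B2C applies to raise AADB2C90146 is not recoverable from the scope string alone and has to come from the server side.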