[Bug] When using a third-party IdP the three "reserved" scopes are fixed and cannot be omitted

[lgiuliani80]

Library version used

4.66.2

.NET version

.NET Framework 4.8 (but does not depend on the version of .NET)

Scenario

PublicClient - desktop app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

"openid profile offline_access" are relevand and "mandatory" only if the target IdP is a Microsoft IdP (Entra, ADFS, B2C). Other IdP(s) even actually reject some of those scopes (especially when passed to the token endpoint).
The "reserved" scopes should be passed alongside the user provided ONLY if the target IdP is Microsoft one. For third party identity providers only user provided scopes should be considered.

Relevant code snippets

Expected behavior

No response

Identity provider

Other

Regression

No response

Solution and workarounds

No response

[ashok672]

I am assuming you are using embedded/system web browser? Can you share your PCA initialization code?

[rayluo]

"openid profile offline_access" are relevand and "mandatory" only if the target IdP is a Microsoft IdP (Entra, ADFS, B2C). Other IdP(s) even actually reject some of those scopes (especially when passed to the token endpoint).
The "reserved" scopes should be passed alongside the user provided ONLY if the target IdP is Microsoft one. For third party identity providers only user provided scopes should be considered.

FWIW, the proposal above implies that MSAL shall automatically detect whether an IdP is a Microsoft IdP or 3rd-party IdP. But it will not be easy because B2C/CIAM with custom domain looks no different than a 3rd-party IdP. So, a prior art is to add an optional parameter WithExcludeScopes({"offline_access", ...}) to cancel out some of the default reserved scopes. (Not saying we shall or shall not do it here; just providing this as a FYI.)

[lgiuliani80]

Actually it's the user that declares if it's using an OpenID identity provider using the .WithOIDCAuthority().

[rayluo]

Actually it's the user that declares if it's using an OpenID identity provider using the .WithOIDCAuthority().

Oh, I see what you proposed. However, at this point we can't just reduce the default scopes even when using .WithOIDCAuthority(), otherwise it would result in behavior change for existing apps.

Out of curiosity, what 3rd-party IdP do you use, and exactly which scope was rejected? Note that all three "openid", "profile" and "offline_access" were defined in Open ID Connect specs.

[lgiuliani80]

The IdP is Broadcom Siteminder v. 12.8. This IdP highlighted various other deviations to standards, but customers to use it and demand app support for it...

[ashok672]

MSAL.NET currently does not support 3rd party IDPs and its optimized for Microsoft Entra IDP.