Why does the Azure AD application refresh token get delivered without consent?

Copper Contributor

I am trying to get an access_token and refresh_token. For this I am doing an OAuth2 call with the help of

https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/authorize?......

where the response_type is code. With the help of the CODE, the next request is the TOKEN call

https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/token

with the scope:

--data-urlencode 'scope=https://graph.microsoft.com/user.read offline_access'


Now, when I only allow the consent "User.Read" and I put the scope "offline_access" inside the URL request, I am getting the Refresh_Token delivered anyway, even though it should not be allowed, as the "offline_access" API permission is NOT configured/allowed in the Azure Portal / application.


But I am nevertheless getting:

"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read",
"expires_in": 4428,
"ext_expires_in": 4428,
"access_token": "eyJ0eXAiOiJKV1QiLCJu..............",
"refresh_token": "0.AUcAuGA_3_QwX0CgVgAhyncAz5epG.................."

From what I have read, we need to add and approve the consent for that ("offline_access"). Any idea why it is getting delivered in the response anyway? Thanks.

0 Replies
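An audit helper, added here as an example and not part of the original post, that compares the scope string sent to the /token endpoint with what the response actually grants and flags whether a refresh token was issued. The sample response is constructed to mirror the poster's output with placeholder token values; the OIDC_SCOPES classification and the function names are this example's own.

```python
"""Audit a Microsoft identity platform v2.0 token response (added example)."""
from dataclasses import dataclass

# openid, profile, email and offline_access are OpenID Connect scopes; the rest are resource (API) scopes.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

@dataclass
class ScopeReport:
    granted_resource: set       # resource scopes present in the response "scope"
    missing_resource: set       # requested resource scopes that did not come back
    offline_access_requested: bool
    refresh_token_issued: bool

def analyze_token_response(requested_scope: str, response: dict) -> ScopeReport:
    """Compare the scope string sent to /token with what the response grants."""
    # Scope names are compared case-insensitively: the poster requested
    # "user.read" and the response echoed "User.Read".
    requested = {s.lower() for s in requested_scope.split()}
    granted = {s.lower() for s in response.get("scope", "").split()}
    requested_resource = requested - OIDC_SCOPES
    granted_resource = granted - OIDC_SCOPES
    return ScopeReport(
        granted_resource=granted_resource,
        missing_resource=requested_resource - granted_resource,
        offline_access_requested="offline_access" in requested,
        # offline_access is not echoed in "scope" in the poster's output; the
        # refresh_token field is the evidence that long-lived access was granted.
        refresh_token_issued=bool(response.get("refresh_token")),
    )

def findings(report: ScopeReport) -> list:
    """Audit notes; an empty list means the response matched the request."""
    notes = []
    if report.missing_resource:
        notes.append("requested but not granted: " + " ".join(sorted(report.missing_resource)))
    if report.refresh_token_issued and not report.offline_access_requested:
        notes.append("refresh_token issued although offline_access was not requested")
    elif report.refresh_token_issued:
        notes.append("refresh_token issued: verify offline_access is an intended permission "
                     "of the app registration and review the user's consent grant")
    return notes

# Constructed sample shaped like the poster's response; token values are placeholders.
REQUESTED_SCOPE = "https://graph.microsoft.com/user.read offline_access"
SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": 4428, "ext_expires_in": 4428,
                   "scope": "profile openid email https://graph.microsoft.com/User.Read",
                   "access_token": "<placeholder-access-token>",
                   "refresh_token": "<placeholder-refresh-token>"}
```

Run `findings(analyze_token_response(REQUESTED_SCOPE, SAMPLE_RESPONSE))` against a live response body to see which granted scopes and refresh-token grants an app registration should be audited for.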