Nov 22 2023 12:20 PM
Trying to get an access_token and refresh_token. For this I am doing an OAuth2 call with the help of
https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/authorize?......
where the response_type is code. With the help of the code, the next request is the token call
https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/token
with the scope:
--data-urlencode 'scope=https://graph.microsoft.com/user.read offline_access'
Now, when I only allow the consent "User.Read" and I put the scope "offline_access" inside the URL request, I am getting the refresh_token delivered anyway, even though it should not be allowed, as the "offline_access" API permission is NOT configured/allowed in the Azure Portal / Application.
But nevertheless I am getting:
{ "token_type": "Bearer", "scope": "profile openid email https://graph.microsoft.com/User.Read", "expires_in": 4428, "ext_expires_in": 4428, "access_token": "eyJ0eXAiOiJKV1QiLCJu..............", "refresh_token": "0.AUcAuGA_3_QwX0CgVgAhyncAz5epG.................." }
From what I have read, we need to add and approve the consent for that ("offline_access"). Any idea why it is getting delivered in the response anyway? Thanks.
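Added example (not part of the question above, and not Microsoft's code): the authorize and token requests the post describes, built as a Python script, plus the check a practitioner would want before reasoning about consent. The point it illustrates is that the token response's "scope" field never lists offline_access; the grant of that OpenID Connect scope is visible only as the presence of a refresh_token, so the response in the post is consistent with offline_access having been consented at the authorize step even though it is not in the app registration's configured API permissions. Tenant ID, client ID, secret, code and redirect URI are placeholders, and the sample response is constructed from the redacted one shown in the post; nothing here touches the network.

```python
"""Added example: shape the Microsoft identity platform v2.0 authorization-code
exchange and inspect what the token endpoint actually granted.

Nothing here talks to the network. The sample response below is constructed
from the (redacted) response shown in the post; tenant, client, secret, code
and redirect values are placeholders, not real identifiers.
"""
import json
from urllib.parse import urlencode

# OpenID Connect scopes handled by the identity platform itself rather than by
# a resource API such as Graph. "offline_access" is the one that yields a
# refresh token; it is requested and consented at the authorize step.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state):
    """Authorization request (response_type=code) against the v2.0 endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # bind the callback to this session (CSRF protection)
    }
    return (f"https://login.microsoftonline.com/{tenant_id}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def build_token_request(tenant_id, client_id, client_secret, code,
                        redirect_uri, scopes):
    """Form body for the code -> token exchange; returns (url, urlencoded body)."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return url, urlencode(body)


def inspect_token_response(raw_json, requested_scopes):
    """Report what the token endpoint granted versus what was requested.

    The "scope" field lists granted resource scopes and the openid/profile/email
    scopes, but offline_access never appears there: its grant is visible only
    as the presence of a refresh_token in the response.
    """
    resp = json.loads(raw_json)
    granted = {s.lower() for s in resp.get("scope", "").split()}
    refresh_issued = bool(resp.get("refresh_token"))
    if refresh_issued:
        granted.add("offline_access")
    requested = {s.lower() for s in requested_scopes}
    return {
        "token_type": resp.get("token_type"),
        "expires_in": resp.get("expires_in"),
        "granted_scopes": sorted(granted),
        "refresh_token_issued": refresh_issued,
        "missing_scopes": sorted(requested - granted),
        "granted_but_not_requested": sorted(granted - requested),
    }


# Constructed sample: the post's response with both tokens truncated/redacted.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "scope": "profile openid email https://graph.microsoft.com/User.Read",
    "expires_in": 4428,
    "ext_expires_in": 4428,
    "access_token": "eyJ0eXAiOiJKV1QiLCJu...",  # truncated, as in the post
    "refresh_token": "0.AUcA...",               # truncated, as in the post
})

REQUESTED = ["https://graph.microsoft.com/user.read", "offline_access"]


def example():
    """Inspect the constructed sample exactly as the post's request shaped it."""
    return inspect_token_response(SAMPLE_RESPONSE, REQUESTED)


if __name__ == "__main__":
    print(build_authorize_url("{tenant-id}", "{client-id}",
                              "http://localhost/cb", REQUESTED, "state123"))
    url, body = build_token_request("{tenant-id}", "{client-id}", "{secret}",
                                    "{code}", "http://localhost/cb", REQUESTED)
    print(url)
    print(body)
    print(json.dumps(example(), indent=2))
```

Running it on the sample reports refresh_token_issued as true, no missing scopes, and openid/profile/email as granted without being requested. When checking what a user has actually consented to, look at the consent recorded for the user or tenant on the enterprise application rather than only at the API permissions configured on the app registration, since the two are separate records.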