
Scopes not working in Microsoft Graph API

In my Laravel app, I am using the https://github.com/dcblogdev/laravel-microsoft-graph package to log in with M365. It was working fine until I changed the scopes in the config/msgraph.php file. The default file is

<?php

return [

    /*
    * the clientId is set from the Microsoft portal to identify the application
    * https://apps.dev.microsoft.com
    */
    'clientId' => env('MSGRAPH_CLIENT_ID'),

    /*
    * set the application secret
    */

    'clientSecret' => env('MSGRAPH_SECRET_ID'),

    /*
    * Set the URL that triggers the OAuth process; the route for this URL should call return MsGraph::connect();
    */
    'redirectUri' => env('MSGRAPH_OAUTH_URL'),

    /*
    * set the url to be redirected to once the token has been saved
    */

    'msgraphLandingUri'  => env('MSGRAPH_LANDING_URL'),

    /*
    set the tenant authorize URL
    */

    'tenantUrlAuthorize' => env('MSGRAPH_TENANT_AUTHORIZE'),

    /*
    set the tenant token URL
    */
    'tenantUrlAccessToken' => env('MSGRAPH_TENANT_TOKEN'),

    /*
    set the authorize URL
    */
    'urlAuthorize' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/authorize',

    /*
    set the token URL
    */
    'urlAccessToken' => 'https://login.microsoftonline.com/'.env('MSGRAPH_TENANT_ID', 'common').'/oauth2/v2.0/token',

    /*
    set the scopes to be used; Microsoft Graph API will accept up to 20 scopes
    */

    'scopes' => 'offline_access openid calendars.readwrite contacts.readwrite files.readwrite mail.readwrite mail.send tasks.readwrite mailboxsettings.readwrite user.readwrite',

    /*
    The default timezone is set to Europe/London; this option allows you to set your preferred timezone
    */
    'preferTimezone' => env('MSGRAPH_PREFER_TIMEZONE', 'outlook.timezone="Europe/London"'),

    /*
    set the database connection
    */
    'dbConnection' => env('MSGRAPH_DB_CONNECTION', 'mysql'),
];

I have changed the scopes to

'scopes' => 'AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',

After changing the scopes, when I enter the correct email and password it stays on the login page and does not go any further.

I think you have to add the openid scope.

'scopes' => 'openid AuditLog.Read.All DeviceManagementConfiguration.Read.All DeviceManagementConfiguration.ReadWrite.All Directory.Read.All Directory.ReadWrite.All IdentityRiskyUser.Read.All Policy.Read.All RoleAssignmentSchedule.Read.Directory RoleAssignmentSchedule.ReadWrite.Directory RoleManagement.ReadWrite.Directory RoleManagement.Read.Directory RoleManagement.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read.All User.ReadWrite.All Exchange.ManageAsApp',

openid represents the sign-in permission. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.

You also removed the offline_access scope. It's up to you whether to add this scope or not, but with the offline_access scope your app can receive refresh tokens.
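As an added example (not code from the question, the answer, or the dcblogdev/laravel-microsoft-graph package), the standalone PHP below checks a config/msgraph.php scope string for the two OpenID Connect scopes the answer mentions, flags tenant-wide write scopes for a least-privilege review, and then compares the scopes that were requested with the `scp` claim of the access token that came back, which is where a "request succeeded but the app still cannot do X" problem usually shows up. The function names, the shortened sample scope string and the sample token are constructed for this illustration. The assumption that the Microsoft identity platform lists granted delegated scopes in `scp` with canonical casing is mine, and the decoder deliberately does no signature verification: it is a diagnostic, not an authorization check.

```php
<?php
declare(strict_types=1);

// Added example, not code from dcblogdev/laravel-microsoft-graph.
// 1. check a config/msgraph.php 'scopes' string before starting the OAuth flow
// 2. compare what was requested with the `scp` claim of the access token that came back

/** Split a space-separated scope string the way it is sent in the authorize request. */
function parseScopes(string $scopes): array
{
    return array_values(array_filter(preg_split('/\s+/', trim($scopes)), 'strlen'));
}

/**
 * Problems a sign-in flow will run into with this scope string.
 * The 20-scope limit is the one stated in the package's default config comment.
 */
function checkScopes(string $scopes, bool $needRefreshToken = true): array
{
    $requested = parseScopes($scopes);
    $lower     = array_map('strtolower', $requested);
    $problems  = [];

    if (!in_array('openid', $lower, true)) {
        $problems[] = 'openid missing: no ID token is issued, so the login never completes';
    }
    if ($needRefreshToken && !in_array('offline_access', $lower, true)) {
        $problems[] = 'offline_access missing: no refresh token, the session ends with the access token';
    }
    if (count($requested) > 20) {
        $problems[] = count($requested) . ' scopes requested, Graph accepts at most 20';
    }
    // Tenant-wide write scopes deserve a least-privilege review and will need admin consent.
    foreach ($requested as $scope) {
        if (preg_match('/\.ReadWrite\.(All|Directory)$/i', $scope)) {
            $problems[] = "$scope is tenant-wide write access: justify it and expect an admin-consent prompt";
        }
    }
    return $problems;
}

/** base64url without padding, as used in JWTs. */
function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Decode a JWT payload WITHOUT verifying the signature. Diagnostics only:
 * a Graph access token is addressed to Graph, not something the client should trust.
 */
function jwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS');
    }
    $b64  = strtr($parts[1], '-_', '+/');
    $json = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    if ($json === false) {
        throw new InvalidArgumentException('payload is not base64url');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Requested delegated scopes that are absent from the token's `scp` claim
 * (typically because admin consent was not granted). OIDC scopes never appear
 * in scp, so they are skipped. Comparison is case-insensitive on the assumption
 * that the identity platform canonicalises scope casing (the default config
 * requests scopes in lowercase and works).
 */
function missingScopes(array $requested, array $payload): array
{
    $granted = array_map('strtolower', parseScopes($payload['scp'] ?? ''));
    $oidc    = ['openid', 'offline_access', 'profile', 'email'];
    $missing = [];
    foreach ($requested as $scope) {
        $l = strtolower($scope);
        if (!in_array($l, $oidc, true) && !in_array($l, $granted, true)) {
            $missing[] = $scope;
        }
    }
    return $missing;
}

// --- usage: a shortened version of the scope string from the question ---
$scopes = 'AuditLog.Read.All Directory.ReadWrite.All User.Read.All Exchange.ManageAsApp';
foreach (checkScopes($scopes) as $problem) {
    echo "config: $problem\n";
}

// Constructed sample token (header.payload.signature with a fake signature),
// standing in for the access token the package stores after MsGraph::connect().
$payload = ['aud' => 'https://graph.microsoft.com', 'scp' => 'AuditLog.Read.All User.Read.All'];
$token   = b64url('{"alg":"RS256","typ":"JWT"}') . '.' . b64url(json_encode($payload)) . '.sig';
foreach (missingScopes(parseScopes($scopes), jwtPayload($token)) as $scope) {
    echo "not granted: $scope\n";
}
```

Run it with `php check_scopes.php` (any filename). The first loop reports the two missing OIDC scopes and the tenant-wide write scope; the second loop lists the requested scopes that the sample token does not actually carry. In a real deployment, feed `checkScopes()` the value of `config('msgraph.scopes')` and `jwtPayload()` the stored access token, and treat anything returned by `missingScopes()` as a consent problem to resolve in the app registration rather than something to work around in code.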
