Azure AD v2.0 OAuth2 Account Consent Page always lists "Access your data anytime" even though offline_access is not specified in scope
When using either OpenID Connect or OAuth2 authorization code flow, the Account Consent page always displays "Access your data anytime".
According to the documentation this should only be displayed if the offline_access scope is requested.
This current behavior is as described, due to the refresh token issuance behavior of the v1.0 endpoint. However, we’re planning to fix this to require the developer to request `offline_access` within the next 3 months. Keep an eye on our release notes and this Uservoice entry for when this is fixed.
In the interim, we’re changing the text of the offline_access scope to be more accurate and less alarming.
Thomas LEVESQUE commented
> we’re planning to fix this to require the developer to request `offline_access` within the next 3 months.
This update was posted 20 months ago, and the behavior still hasn't changed... Any update on this?
Alexander Bartosh commented
This is still not fixed.
Could you be so kind as to provide an update for this?
Our clients are considering offline access as not needed and thus the entire application as insecure.
It does not help to explain that this is how the AAD platform behaves.
This is not an improvement question.
It is a question of trust of users in the identity platform.
Is there a valid workaround for this?
"we’re planning to fix this to require the developer to request `offline_access` within the next 3 months" - that window was gone 7 months ago - and asking for a simple profile read STILL causes the user to be prompted to consent for offline access (read stored data anytime) - I don't want/need refresh tokens. When will this be fixed?
Tom O'Dea commented
Any updates on this? It's been over 3 months since it was stated that you're "planning to fix this to require the developer to request `offline_access` within the next 3 months". Thank you!
Andrew Goldberg commented
Also looking for an update on this. Is there anything to do in the meantime to suppress that description?
Marek Šabo commented
Is there a public tracker available for this issue? Or an ETA?
We would like to start using Azure OIDC login (company/work tenant) but frankly, this "implicit permission claim" is scaring some of our users, literally: "Allows the app to see and update your data, even when you are not currently using the app."
Thanks for the update!
This behavior only occurs when using an organizational account. You can reproduce the behavior by following the authorization requests directly from the Azure AD documentation.
E.g. on this documentation page https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
The following link:
When logging in with an organizational account:
Tutorial Sample App
This app would like to:
Access your data anytime
View your basic profile
Found another user with the same issue on StackOverflow: https://stackoverflow.com/questions/51097841/azure-openid-connect-app-prompts-for-offline-access
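The reproduction above comes down to building the v2.0 authorization request from the documented parameters and then checking which scopes it actually carries and whether a refresh token comes back anyway. The following is an added example, not code from the thread or from Microsoft: it builds the authorization URL for the authorization code flow, inspects the `scope` parameter for `offline_access`, and flags a token response that contains a refresh token even though `offline_access` was never requested. The endpoint and parameter names follow the public v2.0 OpenID Connect documentation linked in the thread; the tenant, client id, redirect URI and token response are constructed placeholders.

```python
"""Build an Azure AD v2.0 authorization request and audit its scopes.

Added example, not code from the UserVoice thread. The endpoint URL and
parameter names follow the public v2.0 OIDC documentation; every concrete
value below (tenant, client_id, redirect_uri, token response) is a
constructed placeholder.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = (
    "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
)


def build_authorize_url(tenant, client_id, redirect_uri, scopes,
                        state=None, nonce=None):
    """Return the v2.0 authorization URL for the authorization code flow.

    `state` protects against CSRF on the redirect and `nonce` binds the
    resulting id_token to this request; both are generated when omitted.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(url):
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def requests_offline_access(url):
    """True only when the request explicitly asks for a refresh token."""
    return "offline_access" in requested_scopes(url)


def unexpected_refresh_token(url, token_response):
    """True when the token endpoint issued a refresh token although the
    authorization request never asked for offline_access. This is the
    behaviour the thread complains about: the consent prompt (and the
    refresh token behind it) appearing without the scope being requested.
    """
    return ("refresh_token" in token_response
            and not requests_offline_access(url))


if __name__ == "__main__":
    # Constructed values; replace with your own registration when running.
    url = build_authorize_url(
        tenant="common",
        client_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://localhost/callback",
        scopes=["openid", "profile"],
    )
    print("requested scopes:", sorted(requested_scopes(url)))
    print("offline_access requested:", requests_offline_access(url))

    # Constructed token response imitating a refresh token being issued
    # despite offline_access not being requested.
    token_response = {
        "token_type": "Bearer",
        "expires_in": 3599,
        "access_token": "<access-token-placeholder>",
        "refresh_token": "<refresh-token-placeholder>",
        "id_token": "<id-token-placeholder>",
    }
    print("unexpected refresh token:",
          unexpected_refresh_token(url, token_response))
```

Running the audit against a real authorization request and token response tells you whether your application is in fact asking for long-lived access, which is the question users raise when they see "Access your data anytime". If `requests_offline_access` is false but a refresh token still arrives, discard it rather than storing it, so the application's behaviour matches what it asked for.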