Azure AD v2.0 OAuth2 Account Consent Page always lists "Access your data anytime" even though offline_access is not specified in scope
When using either OpenID Connect or OAuth2 authorization code flow, the Account Consent page always displays "Access your data anytime".
According to the documentation this should only be displayed if the offline_access scope is requested.
This current behavior is as described, due to the refresh token issuance behavior of the v1.0 endpoint. However, we’re planning to fix this to require the developer to request `offline_access` within the next 3 months. Keep an eye on our release notes and this Uservoice entry for when this is fixed.
In the interim, we’re changing the text of the offline_access scope to be more accurate and less alarming.
"we’re planning to fix this to require the developer to request `offline_access` within the next 3 months" - that window was gone 7 months ago - and asking for a simple profile read STILL causes the user to be prompted to consent for offline access (read stored data anytime) - I don't want/need refresh tokens. When will this be fixed?
Tom O'Dea commented
Any updates on this? It's been over 3 months since it was stated that you're "planning to fix this to require the developer to request `offline_access` within the next 3 months". Thank you!
Also looking for an update on this. Is there anything to do in the meantime to suppress that description?
Marek Šabo commented
is there a public tracker available for this issue? Or an ETA?
We would like to start using Azure OIDC login (company/work tenant) but frankly, this "implicit permission claim" is scaring some of our users, literally: "Allows the app to see and update your data, even when you are not currently using the app."
Thanks for the update!
This behavior only occurs when using an organizational account. You can reproduce the behavior by following the authorization requests directly from the Azure AD documentation.
E.g. on this documentation page https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
The following link:
When logging in with an organizational account:
Tutorial Sample App
This app would like to:
Access your data anytime
View your basic profile
Found another user with the same issue on StackOverflow: https://stackoverflow.com/questions/51097841/azure-openid-connect-app-prompts-for-offline-access
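To make the reproduction above concrete, here is an added example (not code from this thread, from Microsoft, or from the linked StackOverflow question). It builds the v2.0 authorization-code request the documentation describes, with PKCE and deliberately without `offline_access`, and then checks a token response for a refresh token that was never requested, which is exactly what the commenters above say they do not want. The tenant (`common`), client id, redirect URI and the whole token response are placeholders or constructed sample data, not values observed against a real tenant.

```python
# Added example, not code from the UserVoice thread or from Microsoft.
# Builds a v2.0 authorization-code request that deliberately omits
# offline_access, then checks a (constructed) token response for a refresh
# token that was never asked for. Tenant, client id and redirect URI are
# placeholders.
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, code_challenge: str) -> str:
    """Authorization-code request for the v2.0 endpoint.

    Refuses offline_access so the caller cannot accidentally ask for refresh
    tokens; openid is required for an ID token and is added if missing.
    """
    if "offline_access" in scopes:
        raise ValueError("offline_access would request refresh tokens; remove it")
    scope_list = list(scopes)
    if "openid" not in scope_list:
        scope_list.insert(0, "openid")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scope_list),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(authorize_url: str) -> list:
    """Recover the space-separated scope list from an authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    return query.get("scope", [""])[0].split()


def unexpected_refresh_token(requested: list, token_response: dict) -> bool:
    """True when a refresh_token came back although offline_access was not requested."""
    return "offline_access" not in requested and "refresh_token" in token_response


def drop_unrequested_refresh_token(requested: list, token_response: dict) -> dict:
    """Copy of the token response with an unrequested refresh_token removed,
    so an app that never asked for long-lived access does not persist one."""
    cleaned = dict(token_response)
    if unexpected_refresh_token(requested, cleaned):
        del cleaned["refresh_token"]
    return cleaned


# Constructed sample in the shape of a v2.0 /token reply; every value is a dummy.
SAMPLE_TOKEN_RESPONSE = json.loads("""{
  "token_type": "Bearer",
  "scope": "openid profile",
  "expires_in": 3599,
  "access_token": "eyJ0eXAi.dummy.access",
  "refresh_token": "0.dummy-refresh-token",
  "id_token": "eyJ0eXAi.dummy.id"
}""")


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["openid", "profile"],
                              state=secrets.token_urlsafe(16), code_challenge=challenge)
    scopes = requested_scopes(url)
    print(url)
    print("refresh token without offline_access:",
          unexpected_refresh_token(scopes, SAMPLE_TOKEN_RESPONSE))
    print(sorted(drop_unrequested_refresh_token(scopes, SAMPLE_TOKEN_RESPONSE)))
```

Paste the printed URL into a browser with an organizational account to see the consent page the thread describes; the scope parameter contains only `openid` and `profile`. Whatever the consent text says, `drop_unrequested_refresh_token` is the cheap client-side safeguard: if a refresh token arrives that the app never requested, discard it rather than store it.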