Update DeviceCodeRequest/UsernamePasswordRequest to utilize OAuth2Value.ReservedScopes rather than individual constants #5426

Open
wants to merge 1 commit into
base: main

billybooth

Problem this proposes to address
The OAuth2Value.ReservedScopes collection is not used by DeviceCodeRequest and UsernamePasswordRequest, even though those requests utilize the same reserved scopes.

Changes proposed in this request

  • Bring DeviceCodeRequest and UsernamePasswordRequest into somewhat better alignment with TokenClient.GetDefaultScopes().
  • Allow OAuth2Value.ReservedScopes to be respected across all grant types rather than just those that use a TokenClient.

Testing
N/A. No impacts to resulting scopes.

Performance impact
N/A. No performance impact.

Documentation
N/A. No documentation changes required.

…ith TokenClient/ScopeHelper

* Brings DeviceCodeRequest and UsernamePasswordRequest scopes production into somewhat better alignment with TokenClient.GetDefaultScopes().
* Allows OAuth2Value.ReservedScopes to be respected across all grant types.
@billybooth billybooth requested a review from a team as a code owner August 5, 2025 21:26
@billybooth
Author

@billybooth please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

deviceCodeScopes.Add(OAuth2Value.ScopeProfile);
deviceCodeScopes.Add(OAuth2Value.ScopeOpenId);
var deviceCodeScopes = new HashSet<string>(AuthenticationRequestParameters.Scope);
deviceCodeScopes.UnionWith(OAuth2Value.ReservedScopes);
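
Review bot: Nothing pins the resulting scope set once `deviceCodeScopes.UnionWith(OAuth2Value.ReservedScopes)` replaces the per-constant `Add` calls, so please add a unit test asserting that the device code request sends the caller's scopes plus exactly the reserved ones. After this change, any later edit to the shared `ReservedScopes` collection alters what this request asks for without a change in this file, and the description marks testing as N/A. Separately, `new HashSet<string>(AuthenticationRequestParameters.Scope)` throws `ArgumentNullException` when `Scope` is null, so confirm it is always populated before this point or guard it.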
Member

@bgavrilMS bgavrilMS Aug 14, 2025

ReservedScopes are just offlineaccess + profile + openId

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs#L102

What is the actual issue you are seeing? Is it perf related?

Author

Yes, there is no performance or functional difference sought here. The somewhat justifiable intent was to bring these token clients into alignment with TokenClient.GetDefaultScopes(), i.e., consistent use of UnionWith the parameterized scopes.

But full disclosure, I have a (mostly) OIDC-compatible provider that doesn't tolerate the offline_access scope in some cases and another that doesn't take profile on a token request, and this change makes patch maintenance more straightforward (and also allows for reflection-based patching of the reserved scopes across all grant types per-provider). Obviously I would have preferred that 6412672 had been merged.
