fix: add User.Read scope for MS Graph /me email validation

wesm · claude · wesm · commit 9fa56a403b71 · 2026-03-23T17:50:54.000-05:00
The MS Graph /me endpoint requires User.Read scope to return profile
data. Without it, the token validation step after OAuth authorization
would fail with HTTP 403.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/microsoft/oauth.go b/internal/microsoft/oauth.go
@@ -36,6 +36,7 @@ var Scopes = []string{
 	"offline_access",
 	"openid",
 	"email",
+	"User.Read", // required for MS Graph /me to validate email
 }
 
 type TokenMismatchError struct {

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ var Scopes = []string{`
`36`	`36`	`"offline_access",`
`37`	`37`	`"openid",`
`38`	`38`	`"email",`
	`39`	`+ "User.Read", // required for MS Graph /me to validate email`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`type TokenMismatchError struct {`