See
NSMutableArray *scopesLowercase = [NSMutableArray new];
Reported by an internal customer:
https://stackoverflow.microsoft.com/questions/108249/msal-ios-scope-parameter-sent-to-login-microsoftonline-com-as-all-lowercase
MSAL for objc is sending the scope to login.microsoftonline.com as all lowercase.
This causes issues if the AppIdURI for the API they are accessing has mixed casing. Therefore the API results in a 401 Access Denied due to audience validation.
MSAL for dotnet keeps the case sensitivity for the scopes.
According to both the OpenID Connect spec and the OAuth 2 spec, scopes are intended to be case sensitive.
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
"Multiple scope values MAY be used by creating a space delimited, case sensitive list of ASCII scope values."
https://tools.ietf.org/html/rfc6749#section-3.3
"The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope."
See microsoft-authentication-library-for-objc/MSAL/src/requests/MSALRequestParameters.m, line 73 in b7dc31c
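Added example, not part of the original issue or MSAL's own code: a simplified Python model of the failure reported above, in which a lowercased scope produces a token whose audience no longer matches the API's mixed-case App ID URI. The App ID URI, the scope names and the toy token issuer are constructed assumptions.

```python
# Constructed sample values (assumptions, not taken from the issue).
APP_ID_URI = "api://Contoso-Orders-API"
SCOPES = [APP_ID_URI + "/Orders.Read", "openid"]


def scope_param(scopes, lowercase=False):
    """Build the space-delimited scope value of RFC 6749 section 3.3."""
    out = []
    for scope in scopes:
        wire = scope.lower() if lowercase else scope
        if wire not in out:  # exact, case-sensitive duplicate check
            out.append(wire)
    return " ".join(out)


def toy_issue_token(scope_value):
    """Toy authorization server (simplified model): aud is the resource
    part of the first resource scope, copied as received in the request."""
    for scope in scope_value.split(" "):
        if "://" in scope:
            resource, _, permission = scope.rpartition("/")
            return {"aud": resource, "scp": permission}
    return {"aud": None, "scp": ""}


def api_status(token, expected_audience=APP_ID_URI):
    """Resource API audience validation: exact string comparison."""
    return 200 if token["aud"] == expected_audience else 401


def run(lowercase):
    """Full request path: client scope value -> token -> API response."""
    return api_status(toy_issue_token(scope_param(SCOPES, lowercase)))


if __name__ == "__main__":
    print("case preserved:", run(lowercase=False))
    print("lowercased:    ", run(lowercase=True))
```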