I have a REST API hosted in Azure App Services that defines custom scopes for restricting access to specific operations in the API to certain groups of users. When accessing the Azure's OpenID Connect Metadata discovery endpoint however, I can't seen to find a way to see my custom scopes for the API (or any API consumer registered in Azure). How do I make it so that my custom scopes show up in the discovery endpoint metadata?
This is the endpoint I'm using:
Obviously, this version of the endpoint concerns the whole tenant, so it makes sense that it would not have visibility about specific API's scopes in there.
However, when using this variation, which specifies the ClientID, I'd expect the data on the payload to concern that specific application:
This turns out not to be the case: all scopes shown in this endpoint are also the standard ones that AAD always returns for everything else:
"scopes_supported": [
"openid",
"profile",
"email",
"offline_access"
],
I'd expect one or both of the following to happen:
Without my custom scopes being present, it is currently impossible to leave it to a client to pick the scopes when using OpenIDConnect connection type, since the application cannot know which scopes to request to AAD after the initial call, which was one of the main points regarding the metadata endpoint from what I understood.
I asked this question in the Microsoft.Identity.Web repository and got a reply back from a Microsoft Identity PM that states exposing custom scopes in the metadata endpoint is currently not supported by design.
More information here:
I'll stop using the discovery endpoint in my scenario since it becomes useless if the scopes in it don't match my API scopes.