It appears that the app is using the v1.0 endpoint for the implicit grant:
|
public const string RoleSettingsAadPropertyName = "IdentitySource"; |
|
public const string RoleSettingsAadPropertyValue = "Azure"; |
|
|
|
private const string TokenEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/token"; |
|
private const string LogoutEndpointPattern = |
|
"https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}"; |
|
private const string AuthorizationEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/authorize"; |
|
private const string GraphEndpointPattern = "https://graph.windows.net/{0}"; |
|
|
|
private static readonly ILog Logger = LoggerSource.Instance.GetLogger(typeof(AzureClient)); |
|
private GraphClient _graphClient; |
|
private GraphClient GraphClient |
When building the query params, scope is defined:
|
new QueryParameter("scope", Scope), |
|
new QueryParameter("client_id", APIKey), |
|
new QueryParameter("redirect_uri", HttpContext.Current.Server.UrlEncode(CallbackUri.ToString())), |
|
new QueryParameter("state", HttpContext.Current.Server.UrlEncode(new State() { |
|
PortalId = Settings.PortalID, |
|
Culture = PortalSettings.Current.CultureCode |
|
}.ToString())), |
|
new QueryParameter("response_type", "code"), |
|
new QueryParameter("response_mode", "query"), |
However, according to the microsoft docs for the v1 endpoint, scope is ignored, and you should instead use resource. Without the resource on the v1 endpoint, you are going to get the default graph JWT tokens, not the ones defined in the app manifest.