This repository has been archived by the owner on Mar 13, 2020. It is now read-only.

Changing the scopes break everything #9

Closed
andreydeineko opened this issue Sep 20, 2016 · 2 comments
@andreydeineko

andreydeineko commented Sep 20, 2016

require 'base64'
require 'json'

SCOPES = %w(openid profile).freeze # removed https://outlook.office.com/mail.read

# Decodes the payload segment of the id_token (a base64url-encoded JSON object)
# and returns its preferred_username claim.
def get_email_from_id_token(id_token)
  token_parts   = id_token.split('.')
  leftovers     = token_parts[1].length.modulo(4)
  # base64url strips the padding; restore it (0 -> none, 2 -> '==', 3 -> '=')
  encoded_token = token_parts[1] + '=' * ((4 - leftovers) % 4)
  decoded_token = Base64.urlsafe_decode64(encoded_token)
  JSON.parse(decoded_token)['preferred_username']
end

# client and authorize_url are defined in the tutorial's auth helper.
# This call throws the below exception: OAuth2::Error - :
def get_token_from_code(auth_code)
  client.auth_code.get_token(auth_code, redirect_uri: authorize_url, scope: SCOPES.join(' '))
end

OAuth2::Error - :
{"token_type":"Bearer","refresh_token":"long-refresh-token","id_token":"even-longer-id-token"}

BUT when I take the id_token and use it in

get_email_from_id_token(id_token)

it works. How do I correct it? Why does it throw an error?

@jasonjoh
Owner

Not sure, I'd really have to see the request/response on the wire. It may be that Azure returns an error if you have no resource scope, or it may be that the OAuth library doesn't like the response.

@jasonjoh jasonjoh self-assigned this Nov 29, 2016
@jasonjoh
Owner

Seems to be an error in the oauth2 gem. The Azure endpoint is only returning an ID token here, since the scopes you included only get you an ID token. This is correct behavior. However, it looks like the gem expects an access token. See oauth-xx/oauth2#243.

Closing this issue as it's not really in the scope of this tutorial.


2 participants