
My app authenticates users via Microsoft accounts: both personal and business (Azure AD) accounts are accepted. The authentication is performed via the .NET AspNetCore.Authentication.OpenIdConnect middleware. Both OIDC scopes and some MS Graph related scopes are requested. The returned access and refresh tokens are stored for offline use.

Over time, due to various reasons, some of the effective scopes in their stored access tokens may no longer be in sync with what we actually need. We need a way to verify/audit the effective scopes a user's access token contains.

For Azure AD (business) users, the access token returned by the Microsoft Identity Platform is a JWT token. It includes a scp claim that lists the exact effective scopes of the token, which we can easily verify.

But I found that with personal Microsoft accounts (outlook.com, live.com etc.), the access token is not a JWT and cannot be decoded.

Is there a way to check such tokens against the Microsoft IDP or Graph API, similar to Google IDP's TokenInfo endpoint?

If not, is there a way to capture the scopes at the middleware level? Since we use the code flow, the middleware controller only gets the claims from the id_token, which does not include scope-related claims, so I do not believe this is possible.

Any help would be greatly appreciated.

thankyoussd
  • You can use https://jwt.ms to check what's inside the token. – Dev Aug 04 '21 at 17:35
  • @Dev I just tried and it does not work. The access token returned for Microsoft personal accounts (not Azure AD accounts) is *not* a JWT token. – thankyoussd Aug 04 '21 at 18:52
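The audit the question describes for the JWT case, as an added example in Python (not code from the question, from ASP.NET Core, or from Microsoft): it reads the `scp` claim of a stored access token, reports which required scopes are missing, and surfaces the personal-account case as an opaque token that cannot be inspected this way. It assumes `scp` is a space-separated string, decodes without signature verification (it audits tokens the app itself stored, not tokens presented by a caller), and uses constructed token values.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> Optional[dict]:
    """Return the claims of a JWT, or None when the token is not a JWT.

    No signature check is done here: this only inspects tokens the app
    stored itself. Do not use it to accept tokens from untrusted callers.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return payload


def audit_scopes(token: str, required: set) -> dict:
    """Compare the token's effective scopes (scp claim) with the scopes we need."""
    payload = decode_jwt_payload(token)
    if payload is None:
        # Personal-account tokens hit this branch: opaque, so nothing can be verified locally.
        return {"format": "opaque", "granted": [], "missing": sorted(required)}
    granted = set(payload.get("scp", "").split())
    return {"format": "jwt", "granted": sorted(granted), "missing": sorted(required - granted)}


def make_sample_jwt(claims: dict) -> str:
    # Constructed, unsigned sample for demonstration; the signature segment is a placeholder.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


SAMPLE_AAD_TOKEN = make_sample_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read openid profile"})
SAMPLE_MSA_TOKEN = "EwConstructedOpaqueSampleToken-not-a-jwt"  # constructed, stands in for a non-JWT token
```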
