From 5b9e824da976bade648317ce456b5f4ee4d6270f Mon Sep 17 00:00:00 2001
From: michael
Date: Thu, 18 Dec 2025 10:50:02 -0600
Subject: [PATCH] Use OpenID scopes instead of custom API scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Change frontend scopes from api://{client_id}/.default to openid, profile, email for simpler authentication
- Update backend token validation to expect ID token format:
  - Audience: client_id (not api://{client_id})
  - Issuer: v2.0 endpoint

This avoids requiring Application ID URI setup in Azure AD.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 backend/app/services/auth_service.py | 6 ++++--
 frontend/services/authConfig.ts | 6 +++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/backend/app/services/auth_service.py b/backend/app/services/auth_service.py
index b2e3d62..464ecd4 100644
--- a/backend/app/services/auth_service.py
+++ b/backend/app/services/auth_service.py
@@ -99,12 +99,14 @@ async def verify_access_token(token: str) -> Optional[dict]:
         return None
 
     # Verify and decode the token
+    # For ID tokens with OpenID scopes, audience is the client ID
+    # and issuer uses the v2.0 endpoint
     claims = jwt.decode(
         token,
         rsa_key,
         algorithms=["RS256"],
-        audience=f"api://{settings.AZURE_CLIENT_ID}",
-        issuer=f"https://sts.windows.net/{settings.AZURE_TENANT_ID}/",
+        audience=settings.AZURE_CLIENT_ID,
+        issuer=f"https://login.microsoftonline.com/{settings.AZURE_TENANT_ID}/v2.0",
     )
 
     logger.info(f"Token verified for user: {claims.get('name', 'unknown')}")
diff --git a/frontend/services/authConfig.ts b/frontend/services/authConfig.ts
index 0f2ef94..82c846e 100644
--- a/frontend/services/authConfig.ts
+++ b/frontend/services/authConfig.ts
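Review bot: The backend now accepts an ID token as the bearer credential for the API — `audience=settings.AZURE_CLIENT_ID` matches tokens minted for the SPA itself rather than for a protected resource — yet the surrounding name `verify_access_token` and the "Token verified" log line still describe an access token, and nothing in the function records that trade-off. An ID token asserts who signed in to the client, not that the client was granted access to this API, so every token issued to this client id is now a valid API credential; that is workable for a single-SPA deployment but belongs in the function's docstring, e.g. `Validates the Azure AD v2.0 ID token issued to the SPA (aud = client id); there is no API-specific audience or scope check — see commit rationale.` The lookup that produces `rsa_key` sits above the hunk; if it still fetches the key set from a v1-style discovery URL it is worth confirming it resolves the `kid` carried by v2.0 tokens. verify_access_token begins and ends outside the hunk.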
@@ -41,12 +41,12 @@ export const msalConfig: Configuration = {
 };
 
 // Scopes for the access token
-// Using .default for single-tenant apps to get all configured API permissions
+// Using basic OpenID scopes for authentication
 export const loginRequest: PopupRequest = {
-  scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
+  scopes: ['openid', 'profile', 'email'],
 };
 
 // Scopes for API calls (same as login for this app)
 export const apiTokenRequest = {
-  scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
+  scopes: ['openid', 'profile', 'email'],
 };
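Review bot: With only OIDC scopes in `apiTokenRequest`, the `accessToken` MSAL returns from a silent/popup acquire is not audienced to this client id (MSAL.js hands back a Microsoft Graph access token when no resource scope is requested), so whichever caller forwards it to the backend — outside this hunk — will fail the new `audience=settings.AZURE_CLIENT_ID` check; the caller has to send `response.idToken`, and the comment above `apiTokenRequest` should say so: `// OIDC-only scopes: the backend validates the idToken, not the Graph-audienced accessToken`. The two identical scope literals will drift apart the first time one is edited; hoist them as `const oidcScopes = ['openid', 'profile', 'email'];` and use `scopes: oidcScopes` in both exports. `apiTokenRequest` is also still untyped while `loginRequest` carries `PopupRequest`; giving it the matching MSAL request type (e.g. `SilentRequest`, if that is what the caller passes it to) keeps the two declarations consistent.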