Scope of token request

[kylebridgford]

It appears that the app is using the v1.0 endpoint for the implicit grant:

dnn.azureadprovider/DotNetNuke.Authentication.Azure/Components/AzureClient.cs

Lines 61 to 72 in de81718

	public const string RoleSettingsAadPropertyName = "IdentitySource";
	public const string RoleSettingsAadPropertyValue = "Azure";
	private const string TokenEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/token";
	private const string LogoutEndpointPattern =
	"https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}";
	private const string AuthorizationEndpointPattern = "https://login.microsoftonline.com/{0}/oauth2/authorize";
	private const string GraphEndpointPattern = "https://graph.windows.net/{0}";
	private static readonly ILog Logger = LoggerSource.Instance.GetLogger(typeof(AzureClient));
	private GraphClient _graphClient;
	private GraphClient GraphClient

When building the query params, scope is defined:

dnn.azureadprovider/DotNetNuke.Authentication.Azure/Components/AzureClient.cs

Lines 613 to 621 in de81718

	new QueryParameter("scope", Scope),
	new QueryParameter("client_id", APIKey),
	new QueryParameter("redirect_uri", HttpContext.Current.Server.UrlEncode(CallbackUri.ToString())),
	new QueryParameter("state", HttpContext.Current.Server.UrlEncode(new State() {
	PortalId = Settings.PortalID,
	Culture = PortalSettings.Current.CultureCode
	}.ToString())),
	new QueryParameter("response_type", "code"),
	new QueryParameter("response_mode", "query"),

However, according to the microsoft docs for the v1 endpoint, scope is ignored, and you should instead use resource. Without the resource on the v1 endpoint, you are going to get the default graph JWT tokens, not the ones defined in the app manifest.