Today I started seeing the following message when asking for the access token:
```json
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxx-7069-49e9xx' named 'xxxxxCRM'. Send an interactive authorization request for this user and resource. Trace ID: 416xxxxxxxxxa932-7846f1a42100 Correlation ID: 1e7xxxxx8ce8f02 Timestamp: 2025-01-23 22:36:25Z","error_codes":[65001],"timestamp":"2025-01-23 22:36:25Z","trace_id":"41xxxx100","correlation_id":"1e714xxxxe8f02","suberror":"consent_required"}
```
Turns out, the library has a default scope which is presented to MS when asking for the refresh token: 'wl.basic', 'wl.signin'
After removing this by having an empty defaultScope, everything works again:
```php
$provider = new Microsoft([
    // Required
    'clientId'                => $this->aadOAuth2ClientId,
    'clientSecret'            => $this->aadOAuth2Secret,
    'redirectUri'             => $url,
    // Optional
    'urlAuthorize'            => 'https://login.microsoftonline.com/' . $this->aadTenantId . '/oauth2/v2.0/authorize',
    'urlAccessToken'          => 'https://login.microsoftonline.com/' . $this->aadTenantId . '/oauth2/v2.0/token',
    'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v1.0/me',
    // Empty array so the library's default scopes are not sent
    'defaultScopes'           => [],
]);
```
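A diagnostic helper for the failure reported in this issue, added here as an example and not code from the issue or from the library: it recognises the `consent_required` / 65001 token response and reports which of the requested scopes carry the `wl.` prefix of the defaults named above. The function name `diagnoseConsentError` is hypothetical and the sample response is constructed with placeholder identifiers.

```php
<?php
// Added example; diagnoseConsentError() is a hypothetical helper, not a library API.

/**
 * Inspect a token-endpoint error body together with the scopes that were sent.
 * Returns null when the body is not a consent failure, otherwise a small
 * report that is safe to log (the full error body is not copied into it).
 */
function diagnoseConsentError(string $body, array $requestedScopes): ?array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return null; // not JSON, nothing to diagnose
    }

    $codes = (array) ($data['error_codes'] ?? []);
    $isConsent = ($data['suberror'] ?? '') === 'consent_required'
        || in_array(65001, $codes, true);
    if (!$isConsent) {
        return null;
    }

    // Scopes with the "wl." prefix, such as the library defaults named in the issue.
    $legacy = array_values(array_filter(
        $requestedScopes,
        static fn ($s) => is_string($s) && strncmp($s, 'wl.', 3) === 0
    ));

    return [
        'error'            => $data['error'] ?? null,
        'correlation_id'   => $data['correlation_id'] ?? null, // useful for a support ticket
        'legacy_scopes'    => $legacy,
        'remaining_scopes' => array_values(array_diff($requestedScopes, $legacy)),
    ];
}

// Constructed sample modelled on the error in the issue; identifiers are placeholders.
$sample = json_encode([
    'error'          => 'invalid_grant',
    'error_codes'    => [65001],
    'correlation_id' => 'PLACEHOLDER-CORRELATION-ID',
    'suberror'       => 'consent_required',
]);

print_r(diagnoseConsentError($sample, ['wl.basic', 'wl.signin']));
```

A non-empty `legacy_scopes` list in the report points at the default-scope behaviour described in this issue rather than at a missing admin consent for the application's own permissions.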