Azure AD OAUTH requires fully qualified scope (https://graph.microsoft.com/offline_access)

[GhimBoon]

Describe the bug
AzureAD authentication started failing from 2.0.603 when offline_access was added without the Microsoft Graph prefix.

To Reproduce
Steps to reproduce the behavior:

1. Upgrade to 2.0.603 or above
2. Login using AzureAD
3. Will encounter 502 error

Expected behavior
Login will work as expected

Screenshots
Forgot to take the screenshot

Additional context
Patched the scope to https://graph.microsoft.com/offline_access and it started working. Some production environments require fully qualified scopes to work.

[ajosegun]

Seems I have the same issue

[fcestari]

The PR #1846 actually had a different behavior to me - the refresh_token are no longer saved in the user metadata as per #1599

[GhimBoon]

Update: I'm reverting it in #1869.

My issue is actually caused by kubernetes nginx that got a 502 due to the limited proxy_buffer sizing. The offline_access refresh_tokens requires a larger buffer size that kubernetes doesn't handle by default.

Adding these to my ingress solved it:
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
nginx.ingress.kubernetes.io/proxy-buffers: "8 64k"

[GhimBoon]

Closing this issue since this is not a bug.