w3c-ccg / vc-test-suite-implementations

Implementations for VC HTTP API tests

OAuth2 Provider Requires Scope (not Scopes) to be passed to the token service

tsnyder-gs1us opened this issue

Hello,

We are working on setting up our VC-API Implementation to use OAuth2 security. Our security provider (Azure AD) requires scope to be passed in addition to audience. Has anyone encountered a similar requirement where scope needs to be passed to authenticate?
In the VC Implementation code (https://github.com/w3c-ccg/vc-api-test-suite-implementations/blob/main/lib/oauth2.js), we see scopes as an option, but that does not work for Azure AD. Our proposed change would be to update this code to look for scope in addition to scopes.

Thoughts?

The mesur.io implementation requires scope as well, you may be able to format your config following our example.

@msporny regarding 'scopes' vs 'scope' in the body of the oauth token request, iirc, op is correct that it should be the latter.

Thanks, I looked through the mesur.io implementation and they are passing scopes to their issuers and verifiers. We need to pass scope to the OAuth2 provider.

@tsnyder-gs1us Yes, we specify scope in the "issuers" and "verifiers" configuration sections. These scopes are passed through to the token request endpoint when getting new auth tokens for those purposes - the problem here as you pointed out is that the code was using scopes instead of scope in the request body for the token. I've proposed a PR to fix.

Assigning @aljones15 to fix this issue in the test suite code. We'll let you know when we have a new version with the fix deployed @tsnyder-gs1us and @brownoxford.
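
The request-body change discussed in this thread, as an added example that is not code from `lib/oauth2.js` or from any participant: a client-credentials token request body that accepts either a `scopes` array or a `scope` string from configuration and always emits the single space-delimited `scope` parameter defined in RFC 6749 section 3.3. The function names, the config shape, and sending the client secret in the form body are assumptions made for the example.

```javascript
// Added example; normalizeScope and buildTokenRequestBody are hypothetical names.

// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// Accepts a `scope` string and/or a `scopes` array from config and returns
// the single space-delimited string a token endpoint expects.
function normalizeScope({scope, scopes} = {}) {
  const tokens = [];
  for (const value of [scope, scopes]) {
    if (value === undefined || value === null) continue;
    const parts = Array.isArray(value) ? value : String(value).split(' ');
    for (const part of parts) {
      if (part === '') continue; // tolerate repeated spaces in a string
      // Reject spaces, quotes and backslashes inside one token so a config
      // entry cannot smuggle extra scopes or break the form encoding.
      if (typeof part !== 'string' || !SCOPE_TOKEN.test(part)) {
        throw new TypeError(`Invalid OAuth2 scope token: ${JSON.stringify(part)}`);
      }
      if (!tokens.includes(part)) tokens.push(part);
    }
  }
  return tokens.join(' ');
}

// Builds the application/x-www-form-urlencoded body for a
// client_credentials token request.
function buildTokenRequestBody({clientId, clientSecret, audience, scope, scopes}) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret // assumption: secret sent in the body
  });
  // `audience` is not defined by RFC 6749; some providers accept it as an extension.
  if (audience) body.set('audience', audience);
  const scopeValue = normalizeScope({scope, scopes});
  // The parameter name is always `scope`, never `scopes`.
  if (scopeValue) body.set('scope', scopeValue);
  return body.toString();
}
```
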