New access_token in st.login doesn't allow custom scopes

Good morning everyone. I have been waiting for the newest version of streamlit (1.53.0) because I saw a few weeks ago that we would get the possibility of fetching the access_token and using it in the app via the st.user.tokens argument. This is a very nice addition and thank you for adding that.

I am trying to enable users to automatically log in using authentication via Microsoft, which allows users to have their specific roles assigned upon login based on a Microsoft Entra ID app configuration. However, I find myself a bit lost when it comes to accessing my access_token, as I would like for it to have a custom scope I set in my Microsoft Entra ID app. In my secrets.toml file, I added the following values:

I’m using streamlit login and I need an access token with my custom scope. I’m using the latest 1.53.0 version of streamlit. My secrets.toml is

[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
client_id = "[REDACTED]"
cookie_secret = "xxx"
client_secret = "[REDACTED]"
server_metadata_url = "https://login.microsoftonline.com/[REDACTED]/v2.0/.well-known/openid-configuration"
client_kwargs = { "scopes" = "api://[REDACTED]/custom" }
expose_tokens = "access"

Unfortunately, the information I need does not appear in the JWT token I’m able to retrieve so I was wondering if I’m doing something wrong. I am not an expert when it comes to app development and it is my first time using Streamlit. My expected output is that I would get the claims in my token, as I do get when I authenticate via an external library such as streamlit_msal.

Any help and/or clue as to how I should proceed are welcome. Thank you very much for the attention.


Welcome to the community and thanks for your detailed question! You’re correct that Streamlit 1.53.0+ now allows you to access the access token via st.user.tokens if you set expose_tokens = "access" in your secrets.toml—great job setting that up! However, Streamlit’s built-in OIDC integration currently hardcodes the default scopes to "openid profile email", and does not support overriding or extending the scopes via client_kwargs in secrets.toml. This means your custom scope (api://.../custom) is not being sent to Microsoft Entra, so the access token you receive won’t include the claims or permissions you expect. This limitation is documented in the Streamlit GitHub issues and is not yet resolved in the official release (see here, docs).

If you need to request custom scopes and receive a token with those claims, you’ll need to use a third-party library (like streamlit_msal or streamlit-oauth) for now, as Streamlit’s native st.login does not yet support custom scopes or arbitrary OIDC parameters. The Streamlit team is aware of this gap and there are open feature requests to allow more flexible OIDC parameter configuration in the future (see here). Please consider upvoting those issues to help prioritize the feature!
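To see for yourself which audience and scopes the returned token actually carries, here is an added diagnostic (not code from Streamlit or from the original poster) that decodes the access token payload and compares it against the custom API scope. The sample token is constructed so the check runs offline; reading the token from a running app as st.user.tokens["access"] is an assumption about the key name.

```python
import base64
import json


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: payload shows only the default scopes were granted,
# with the Microsoft Graph app id as audience, not the custom API. Signature is a
# placeholder; a real Entra token carries an RS256 signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "aud": "00000003-0000-0000-c000-000000000000",
        "scp": "openid profile email User.Read",
        "iss": "https://login.microsoftonline.com/TENANT_PLACEHOLDER/v2.0",
    }),
    "signature-placeholder",
])


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Inspection only: never make an authorization decision on these claims
    unless the signature has been validated against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_scope(token: str, expected_aud: str, expected_scope: str) -> dict:
    """Report whether the token was issued for the custom API and its scope."""
    claims = decode_claims(token)
    granted = set(claims.get("scp", "").split())
    return {
        "aud_matches": claims.get("aud") == expected_aud,
        "scope_granted": expected_scope in granted,
        "granted_scopes": sorted(granted),
        "roles": claims.get("roles", []),  # app roles, if any were assigned
    }


if __name__ == "__main__":
    # In a Streamlit app (assumed key name): check_scope(st.user.tokens["access"], ...)
    print(check_scope(SAMPLE_TOKEN, "api://APP_ID_PLACEHOLDER", "custom"))
```

If aud_matches is False and granted_scopes shows only the default scopes, the custom scope never reached Entra, which is the symptom described in the reply above.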


Hello,
Can we expect this to be added in a short period of time? Because the issues you’ve been referring to were opened a year ago.

Thank you very much