Missing scopes param for Microsoft Entra ID #321

@robingenz

Hi! Firstly, thanks for your work on this project!

Today I patched arctic@3.7.0 for the project I'm working on. The problem was the following error message when calling MicrosoftEntraId.validateAuthorizationCode(...) which does not provide a scopes parameter:

{
    code: 'invalid_request',
    description: 'AADSTS28003: Provided value for the input parameter scope cannot be empty
  when requesting an access token using the provided authorization code. Please specify a valid
  scope. Trace ID: xxx Correlation ID: xxx Timestamp: 2025-10-25 15:28:01Z',
    uri: null,
    state: null
  }

Here is the diff that solved my problem:

diff --git a/node_modules/arctic/dist/providers/microsoft-entra-id.d.ts b/node_modules/arctic/dist/providers/microsoft-entra-id.d.ts
index 3208c3f..bf16728 100644
--- a/node_modules/arctic/dist/providers/microsoft-entra-id.d.ts
+++ b/node_modules/arctic/dist/providers/microsoft-entra-id.d.ts
@@ -7,6 +7,6 @@ export declare class MicrosoftEntraId {
     private redirectURI;
     constructor(tenant: string, clientId: string, clientSecret: string | null, redirectURI: string);
     createAuthorizationURL(state: string, codeVerifier: string, scopes: string[]): URL;
-    validateAuthorizationCode(code: string, codeVerifier: string): Promise<OAuth2Tokens>;
+    validateAuthorizationCode(code: string, codeVerifier: string, scopes: string[]): Promise<OAuth2Tokens>;
     refreshAccessToken(refreshToken: string, scopes: string[]): Promise<OAuth2Tokens>;
 }
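Review bot: the new `scopes: string[]` on `validateAuthorizationCode` is declared as required, so every existing two-argument call stops type-checking, while the implementation further down treats an empty list as acceptable by skipping the parameter. If both cases are meant to be supported, declare it optional (`scopes?: string[]`) and add a doc comment saying when Entra ID needs it. If it is meant to be mandatory, this is a breaking signature change and should be called out as one.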
diff --git a/node_modules/arctic/dist/providers/microsoft-entra-id.js b/node_modules/arctic/dist/providers/microsoft-entra-id.js
index 6c3a21f..2c12fef 100644
--- a/node_modules/arctic/dist/providers/microsoft-entra-id.js
+++ b/node_modules/arctic/dist/providers/microsoft-entra-id.js
@@ -27,7 +27,7 @@ export class MicrosoftEntraId {
         }
         return url;
     }
-    async validateAuthorizationCode(code, codeVerifier) {
+    async validateAuthorizationCode(code, codeVerifier, scopes) {
         const body = new URLSearchParams();
         body.set("grant_type", "authorization_code");
         body.set("code", code);
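Review bot: `scopes` has no default in the new signature `validateAuthorizationCode(code, codeVerifier, scopes)`, so a plain-JavaScript caller that still passes two arguments reaches the `scopes.length` check with `scopes` undefined and gets a TypeError instead of a token response. Defaulting the parameter (`scopes = []`) keeps existing callers working.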
@@ -36,6 +36,9 @@ export class MicrosoftEntraId {
         if (this.clientSecret === null) {
             body.set("client_id", this.clientId);
         }
+        if (scopes.length > 0) {
+            body.set("scope", scopes.join(" "));
+        }
         const request = createOAuth2Request(this.tokenEndpoint, body);
         if (this.clientSecret !== null) {
             const encodedCredentials = encodeBasicCredentials(this.clientId, this.clientSecret);
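Review bot: the `if (scopes.length > 0)` guard silently omits `scope` when the list is empty, which sends the same request shape that produced the AADSTS28003 error quoted in this issue. Decide explicitly whether an empty list is allowed for this provider or should be rejected before the request is sent, and document how the list passed here is expected to relate to the `scopes` given to `createAuthorizationURL`.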

Would a PR be welcome?
