This article is reproduced from stackoverflow.com.

Tags: azure-active-directory microsoft-graph msal

Microsoft Authentication request additional scope with Access Token

Published 2020-04-07 23:20:12

The Microsoft Authentication is very complex in my eyes. There are so many flows and things going on!

So what I'm doing currently is

  1. Get a token for a specific scope using the Authorization code flow. I'm using the following scope: https://admin.services.crm.dynamics.com//user_impersonation (as far as I know I can only request a token for a single scope/audience)
  2. The token works fine. I can access the dynamics admin center with the bearer token I received.

What I'm trying to do now is the following:

  • I'm trying to access the Microsoft Graph endpoint to read information about the users AAD.
  • I cannot use the existing token from above, as this one only has the user_impersonation scope for https://admin.services.crm.dynamics.com/
  • I have to request another token with the scope user.read

That's where I'm stuck. How can I use the existing access_token to request an additional scope?

I can use the oauth2/v2.0/token endpoint in combination with the refresh token to request a token for another scope (user.read). This works fine, but I don't want to use the refresh token for this, but instead use the access_token. Is this even possible and makes sense?

Asked by Simon. Viewed 76 times.

Answer by Joey Cai, 2020-01-30 20:06

Is this even possible and makes sense?

No, you cannot use an access token to get a new access token with an additional scope.

As you have said, you could use refresh token to request a new access token for another scope. Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token.

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read      // NOTE: One resource per token request; "user.read" is shorthand for https://graph.microsoft.com/User.Read. The Dynamics scope needs its own request.
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh      // NOTE: Only required for web apps

And you could refer to this tutorial.
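An added example (not code from the original question or answer, and not MSAL's own code) that puts the two points above together in Python: read the aud claim to see which API an access token was minted for, and build a refresh_token grant for a second resource, rejecting scope lists that span more than one resource (the v2.0 endpoint issues a token for exactly one audience per request). The token endpoint URL template, the sample client ID and refresh token strings, and the unsigned sample JWT are constructed test data, not real credentials; the code uses only the standard library and makes no network call.

```python
"""Added example, not from the original post or from MSAL.

Shows (1) reading a JWT's audience to decide which API it can be sent to,
(2) building a refresh_token grant for a different resource than the one the
first token was issued for, and (3) rotating the refresh token afterwards.
All identifiers and tokens below are constructed sample data.
"""
import base64
import json
from urllib.parse import urlencode, urlparse

# Assumed endpoint template (matches the v2.0 token endpoint in the answer).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Short Graph scopes such as "user.read" are shorthand for
# "https://graph.microsoft.com/user.read".
GRAPH_RESOURCE = "https://graph.microsoft.com"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def resource_of(scope: str) -> str:
    """Return the resource (audience) a scope belongs to, "" for OIDC scopes."""
    if scope.lower() in OIDC_SCOPES:
        return ""
    if "://" in scope:
        u = urlparse(scope)
        return f"{u.scheme}://{u.netloc}"
    return GRAPH_RESOURCE


def build_refresh_request(client_id, refresh_token, scopes, client_secret=None):
    """Build the x-www-form-urlencoded body for a refresh_token grant.

    Raises ValueError when the scopes span more than one resource: the v2.0
    endpoint mints one access token for one audience per request, so a
    Dynamics scope and a Graph scope must be requested separately.
    """
    resources = {resource_of(s) for s in scopes} - {""}
    if len(resources) != 1:
        raise ValueError(f"scopes must target exactly one resource, got {sorted(resources)}")
    form = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }
    if client_secret:  # confidential (web) clients only, never in a public client
        form["client_secret"] = client_secret
    return urlencode(form)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_audience(access_token: str) -> str:
    """Read the aud claim of a JWT WITHOUT verifying its signature.

    This is only for deciding which API a cached token was minted for on the
    client side; a resource server must verify the signature before trusting
    any claim. Note that aud may also be an application ID (GUID) rather
    than a URL, depending on the resource's registration.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims["aud"]


def usable_for(access_token: str, resource: str) -> bool:
    """True if the token's audience is the given resource (ignoring a trailing slash)."""
    return token_audience(access_token).rstrip("/") == resource.rstrip("/")


class TokenStore:
    """One refresh token for the session plus one access token per resource."""

    def __init__(self, refresh_token: str):
        self.refresh_token = refresh_token
        self.access_tokens = {}

    def apply_response(self, resource: str, body: dict) -> str:
        """Store the new access token and rotate the refresh token.

        When the endpoint returns a new refresh_token, the old one is
        discarded, as the answer above advises.
        """
        self.access_tokens[resource] = body["access_token"]
        if "refresh_token" in body:
            self.refresh_token = body["refresh_token"]
        return self.access_tokens[resource]


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned test token (alg none); never accept such a token in production."""
    hdr = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{hdr}.{payload}."


if __name__ == "__main__":
    dynamics_token = _fake_jwt({"aud": "https://admin.services.crm.dynamics.com/", "scp": "user_impersonation"})
    print("Dynamics token usable for Graph?", usable_for(dynamics_token, GRAPH_RESOURCE))  # False
    body = build_refresh_request("6731de76-14a6-49ae-97bc-6eba6914391e", "sample-refresh-token", ["user.read"])
    print("POST", TOKEN_ENDPOINT.format(tenant="common"), "with body:", body)
```

The audience check is what makes the "why" concrete: the Dynamics token carries aud=https://admin.services.crm.dynamics.com/, so Graph will reject it regardless of scope, and no call to the token endpoint with that access token as input can change that; only the refresh token (or a new authorization round-trip) can mint a token for a second audience.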