The Microsoft authentication is very complex in my eyes. There are so many flows and stuff going on!
So what I'm doing currently is
https://admin.services.crm.dynamics.com//user_impersonation
(as far as I know I can only request a token for a single scope/audience). What I'm trying to do now is the following:
user_impersonation scope for https://admin.services.crm.dynamics.com/
user.read
That's where I'm stuck. How can I use the existing access_token to request an additional scope?
I can use the oauth2/v2.0/token endpoint in combination with the refresh token to request a token for another scope (user.read). This works fine, but I don't want to use the refresh token for this, but instead use the access_token. Is this even possible and does it make sense?
Is this even possible and does it make sense?
No, you cannot use an access token to get a new access token with an additional scope.
As you have said, you can use a refresh token to request a new access token for another scope. Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https://admin.services.crm.dynamics.com/user_impersonation user.read
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
NOTE: client_secret is only required for web apps (confidential clients). The scope value is shown unencoded for readability; it must be form-URL-encoded when sent.
And you could refer to this tutorial.
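As an added, runnable illustration of the refresh-token grant the answer describes (this is not code from the question, the answer, or Microsoft), the block below builds the same POST body, sends it through a pluggable transport, rotates the stored refresh token, and inspects the `aud`/`scp` claims of the token that comes back. Because a v2.0 access token carries a single audience (the point the question itself makes), it requests the Dynamics scope and `user.read` in two separate grants from the same refresh token. `fake_post`, `_RESOURCE_OF_SCOPE`, `_STATE`, the `rt-N` refresh tokens and the alg=none JWTs it issues are a constructed stand-in for login.microsoftonline.com so the example runs offline; the tenant value `common` and the mapping of `user.read` to the Graph audience are assumptions for the demo. The JWT decoding deliberately skips signature verification and is for inspection only.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"  # client_id from the answer above


def build_refresh_request(tenant, client_id, refresh_token, scopes, client_secret=None):
    """Return (url, form body) for a refresh_token grant. Keep `scopes` to one
    resource per request: a v2.0 access token carries a single audience."""
    form = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),  # urlencode() handles the URLs and the space
    }
    if client_secret:  # confidential (web app) clients only
        form["client_secret"] = client_secret
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature: fine for inspecting what
    came back, never for making an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_for_scopes(post, store, tenant, client_id, scopes, expected_aud, client_secret=None):
    """Run the grant through `post(url, body) -> (status, json_dict)`, rotate the
    refresh token kept in `store`, and confirm the new token is for `expected_aud`."""
    url, body = build_refresh_request(tenant, client_id, store["refresh_token"], scopes, client_secret)
    status, resp = post(url, body)
    if status != 200:
        # invalid_grant means the refresh token is expired/revoked: re-authenticate
        raise RuntimeError(f"{resp.get('error')}: {resp.get('error_description')}")
    if "refresh_token" in resp:
        store["refresh_token"] = resp["refresh_token"]  # keep the new one, drop the old
    claims = jwt_claims(resp["access_token"])
    if claims.get("aud") != expected_aud:
        raise RuntimeError(f"token audience {claims.get('aud')!r} != {expected_aud!r}")
    store[expected_aud] = {"access_token": resp["access_token"],
                           "expires_at": time.time() + int(resp["expires_in"])}
    return claims


# ---- constructed stand-in for login.microsoftonline.com so this runs offline ----
_RESOURCE_OF_SCOPE = {  # constructed: which resource (audience) each scope belongs to
    "https://admin.services.crm.dynamics.com/user_impersonation": "https://admin.services.crm.dynamics.com/",
    "user.read": "https://graph.microsoft.com",
}
_STATE = {"valid_refresh_tokens": {"rt-1"}, "issued": 1}  # constructed server-side state


def _unsigned_jwt(claims):
    """Constructed alg=none JWT so jwt_claims() has a realistic token to parse."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def fake_post(url, body):
    """Models the token endpoint on a refresh_token grant: rejects unknown refresh
    tokens, rejects scope lists spanning two resources (the single-audience rule),
    otherwise issues an access token plus a new refresh token."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in _STATE["valid_refresh_tokens"]:
        return 400, {"error": "invalid_grant", "error_description": "refresh token is invalid or expired"}
    scopes = form.get("scope", "").split()
    audiences = {_RESOURCE_OF_SCOPE[s] for s in scopes if s in _RESOURCE_OF_SCOPE}
    if len(audiences) != 1:
        return 400, {"error": "invalid_scope", "error_description": "scope must name exactly one resource"}
    aud = audiences.pop()
    _STATE["issued"] += 1
    new_rt = f"rt-{_STATE['issued']}"
    _STATE["valid_refresh_tokens"].add(new_rt)  # old one stays valid on use, as the answer notes
    now = int(time.time())
    access = _unsigned_jwt({"aud": aud, "iss": f"https://login.microsoftonline.com/{url.split('/')[3]}/v2.0",
                            "iat": now, "exp": now + 3600,
                            "scp": " ".join(s.rsplit("/", 1)[-1] for s in scopes)})
    return 200, {"token_type": "Bearer", "scope": form["scope"], "expires_in": 3599,
                 "access_token": access, "refresh_token": new_rt}


def demo():
    """Two grants from one sign-in: one per resource, rotating the refresh token each time."""
    store = {"refresh_token": "rt-1"}
    dyn = refresh_for_scopes(fake_post, store, "common", CLIENT_ID,
                             ["https://admin.services.crm.dynamics.com/user_impersonation"],
                             "https://admin.services.crm.dynamics.com/")
    graph = refresh_for_scopes(fake_post, store, "common", CLIENT_ID, ["user.read"],
                               "https://graph.microsoft.com")
    return dyn, graph, store


if __name__ == "__main__":
    dyn, graph, store = demo()
    print("Dynamics token:", dyn["aud"], dyn["scp"])
    print("Graph token:   ", graph["aud"], graph["scp"])
    print("refresh token now:", store["refresh_token"])
```

Swap `fake_post` for a real HTTP call returning `(status, response_json)` to use it against the live endpoint; keep the audience check, since it is what tells you the token you cached is actually usable against the API you are about to call.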
I wouldn't recommend this approach. If you are using MSAL, you shouldn't be crafting OAuth endpoint requests manually. MSAL is built to do that for you. Another con of this approach is not having this access token in the cache. When you use MSAL to acquire access tokens, you also get a token cache in your application out of the box.