keystone

Azure multi-tenant application not getting tokens with newly defined scopes

I am developing an Azure multi-tenant application that uses scopes from the Microsoft Graph API and the Windows Azure Active Directory resources. We are using the v1 OpenID auth code flow.

Recently we added a few more requested scopes for the Microsoft Graph API and prompted users to re-authenticate using prompt=admin_consent and resource=https://graph.microsoft.com on our /common/oauth2/token exchange.

When the user is prompted to accept scopes again, you can see the newly requested scopes, and the call seems to complete successfully; we receive a new access_token.

However, the scopes that come back in the response AND in the embedded JWT scope claim only list a small subset of the requested scopes, and they also only seem to be from one of the resources (Windows Azure Active Directory).

We are receiving 403s for the new scopes, so I do not think it is an issue of not correctly populating those scope fields.

Does anyone know why the auth flow would not return a token with the newly requested scopes?

Here is a list of my requested scopes:

(screenshot: Windows Azure Active Directory scopes)

(screenshot: Microsoft Graph scopes)

(screenshot: Scopes Accept Page)

Thanks!


Answers (1)

Navya Canumalla

When you make a token request against AAD v1 by specifying a specific resource, the access token returned will contain only the scopes required to access that specific resource. The details and an example of the protocol are documented here.

Therefore, if you need to access two resources, you will need to request an access token for each of them, and the corresponding tokens will contain the scopes specific to that resource.

In this case, if the AAD Graph scopes are available in MS Graph, you can consolidate them under MS Graph and request a single token for MS Graph. During the auth flow, you can control which of these scopes you want to request consent for by specifying them in the scope field of the auth request, as mentioned in the description of the parameter here.

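The answer's point, as an added example that is not part of the original question or answer: in the v1 flow a token is bound to exactly one resource, so the first thing to check before blaming consent is the token's aud claim, and the second resource is obtained with a separate token request (the refresh token from the first exchange can be redeemed for another resource without sending the user back through the browser). The client_id, client_secret, code and redirect_uri values are hypothetical, and the JWTs are constructed samples with no signature; the claim decoder deliberately does not verify signatures and is for debugging only.

```python
import base64
import json
from urllib.parse import urlencode

# v1 endpoint from the question and the two resource identifiers it talks about.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"
MS_GRAPH = "https://graph.microsoft.com"
AAD_GRAPH = "https://graph.windows.net"


def auth_code_body(client_id, client_secret, code, redirect_uri, resource):
    """Form body that redeems the authorization code for a token to ONE resource."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }


def refresh_body(client_id, client_secret, refresh_token, resource):
    """Form body for the second resource: a v1 refresh token can be redeemed
    for an access token to any resource the client has consent for, so the
    user does not have to go through the browser again."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": resource,
    }


def encoded_body(body):
    """application/x-www-form-urlencoded body, as POSTed to TOKEN_ENDPOINT."""
    return urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature. Fine for looking
    at aud/scp while debugging; never base an authorization decision on this."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(access_token, resource, needed_scopes):
    """Return (ok, audience, missing_scopes) for a token you intend to send to
    `resource`. ok is False when the token was issued for a different resource
    (the situation in the question) or lacks one of the needed scopes."""
    claims = token_claims(access_token)
    audience = claims.get("aud")
    granted = set(claims.get("scp", "").split())
    missing = sorted(set(needed_scopes) - granted)
    return audience == resource and not missing, audience, missing


def fake_token(aud, scp):
    """CONSTRUCTED sample: an unsigned JWT shaped like an AAD v1 access token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "scp": scp}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Hypothetical values; a real client would POST encoded_body(...) to TOKEN_ENDPOINT.
    first = auth_code_body("app-id", "app-secret", "auth-code", "https://app.example/cb", AAD_GRAPH)
    print("first request:", encoded_body(first))

    # A token issued for AAD Graph will never carry MS Graph scopes, whatever was consented.
    aad_token = fake_token(AAD_GRAPH, "User.Read Directory.Read.All")
    print("use AAD token for MS Graph?", check_token(aad_token, MS_GRAPH, ["User.Read", "Mail.Read"]))

    # Second request: same refresh token, different resource.
    second = refresh_body("app-id", "app-secret", "refresh-token-from-first-response", MS_GRAPH)
    print("second request:", encoded_body(second))
    graph_token = fake_token(MS_GRAPH, "User.Read Mail.Read")
    print("use MS Graph token for MS Graph?", check_token(graph_token, MS_GRAPH, ["User.Read", "Mail.Read"]))
```

The aud check is the one a practitioner should add to their client: a 403 from MS Graph with a token whose aud is graph.windows.net is not a consent problem, and no amount of re-prompting with prompt=admin_consent will fix it.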