Reputation: 1591
Azure AD Oauth2 implicit grant multiple scopes
I have a number of angularJS application that access a number of nodeJS hosted API's. and I would like to replace the bespoke authorization framework with Azure AD implicit grant (long story how I arrived there ..)
Currently going through a POC (based on Microsoft example ) and have hit a problem with obtaining a single access token to be used against number of API's
Both ui's and API's have been registered with AZURE AD Application. Also have configured a number of permissions so they are authorized to call the API's e.g. https://graph.windows.net/User.Read api://xxx-xxx-xxxx-xx-xxxx/sales.admin
I then define in the client
var requestObj = {
scopes: ["https://graph.windows.net/User.Read", "api://xxx-xxx-xxxx-xx-xxxx/sales.admin" ]
};
So naively I thought I will be able to get an access token that I can use against multiple API's
However, looks like that is not the case. The client app has to create separate access tokens for each API the application needs to access.
Is this right ? This adds lot's of complexity on the client as it needs to maintain and refresh those tokens.
Am I missing something on the 'architecture' e.g. API Management layer ?
Thanks
Nick
Upvotes: 5
Views: 6226
Answers (1)
Reputation: 58853
This is correct. An access token only works for a single API.
The reason is that each token specifies its valid "audience" (stored in the aud claim). This identifies the intended target (API) of the token.
Also, MS Graph API uses an entirely different signing algorithm to other APIs, and so would not be able to even be in the same token anyway.
APIs can set various settings in their manifests that affect the tokens in various ways. This also makes it quite impossible to have one token that would work on all APIs.
If you wish, you can simplify it for your client by creating an "API gateway", which proxies the calls to the right APIs with the right tokens. This gateway would handle the complexity of tokens then instead of the client, which would only need to authenticate to the gateway. Look into On-behalf-of grant flow to see how the gateway can call APIs as the signed-in user.
Upvotes: 5
Related Questions
- I want access tokens with multiple scopes including http
- Cannot request custom scope from Graph API with clientCredential flow
- How to get access token for azure AD Auth
- How to authorize Node.js API with Azure AD?
- Access token doesn't contain all the requested scopes
- Passing multiple scope values to Oauth token endpoint
- Azure OAuth2 Client Credential flow - getting token for multiple scopes throws error
- How to connect to multiple azure active directory account to your application?
- Scope/Roles claim not available in the Client Credentials access token
- Group claims with Azure AD and OAuth2 implicit grant in ADAL JS