
I want access tokens with multiple scopes including http

·Task
I want to include multiple scopes and allow access for those scopes with the same access token. I have configured Azure Active Directory as per the attached image. This condition was specified as follows, and an access token was issued with multiple scopes included.

curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --data-urlencode "client_id=<client_id>" --data-urlencode "client_secret=<client_secret>" --data-urlencode "username=testuser@thoughtspot.com" --data-urlencode "password=*****" --data-urlencode "grant_type=password" --data-urlencode "scope=https://<application_id>/session:role-any email openid profile" https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
When I visualized the issued access token on the following site, only session:role-any was included in the access token.
https://jwt.ms/
By the way, when I included only the email openid profile in the scope, the email openid profile was included in the access token.

·Question
How can I include multiple (session:role-any email openid profile) tokens above in the access token? Also, is this even possible?

·Reference site
https://docs.thoughtspot.com/cloud/latest/connections-snowflake-azure-ad-oauth
I may be wrong. If so, please let me know the correct way of thinking.

[image]

I tried to reproduce the same in my environment and got the results like below:

I agree with junnas, an access token does not work with multiple scopes. So, you need to generate two access tokens, one for the API and one for Graph.

I generated the access token for two scopes like below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
username:admin@xxxx.onmicrosoft.com 
password:*****
grant_type:password
scope:api://*****/app.test email openid profile

[image]

Note that: if you are passing two scopes, then it will consider only the first scope while generating the access token.

The decoded access token shows only the API scope like below:

[image]

The aud doesn't include Microsoft Graph scope and hence doesn't authorize Graph calls.

So, make sure to generate two access tokens separately, one for API scope and another for Graph scope.

I tried to generate the access token for the Microsoft Graph scope like below:

[image]

The decoded token contains Microsoft Graph scope and audience like below:

[image]
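The practical consequence of the question and the answer above is that a scope list mixing two resources (the custom API and Microsoft Graph) has to be split into one v2.0 token request per resource, and that each token should be checked for the right `aud` and `scp` claims before it is sent to an API. The script below is an added example, not code from the question, the answer, or Microsoft; it assumes the ROPC body shown on the page, uses placeholder tenant, client and app-id values, and builds unsigned sample tokens locally (constructed for illustration) instead of calling login.microsoftonline.com:

```python
"""Split a mixed scope list into one Azure AD v2.0 token request per resource,
then check a decoded token's aud/scp claims before using it against an API.
Added example; not part of the original question or answer."""
import base64
import json

# OIDC scopes are not tied to a resource and can ride along with any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
GRAPH_RESOURCE = "https://graph.microsoft.com"


def resource_of(scope: str):
    """Return the resource part of a scope ('api://<id>/app.test' -> 'api://<id>'),
    or None for OIDC scopes. A bare permission name such as 'User.Read' is
    treated as a Microsoft Graph scope (Azure AD's default when no resource
    prefix is given)."""
    if scope in OIDC_SCOPES:
        return None
    resource, _, _ = scope.rpartition("/")
    return resource or GRAPH_RESOURCE


def split_scopes_by_resource(scopes):
    """Group resource scopes by audience and keep the OIDC scopes aside.
    The v2.0 endpoint mints one token per resource, so each group
    becomes its own token request."""
    groups = {}
    oidc = []
    for s in scopes:
        r = resource_of(s)
        if r is None:
            oidc.append(s)
        else:
            groups.setdefault(r, []).append(s)
    return groups, oidc


def build_token_requests(tenant_id, client_id, scopes):
    """Build one ROPC POST body per resource (the flow used on the page).
    Credentials are placeholders to be supplied at run time."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    groups, oidc = split_scopes_by_resource(scopes)
    requests_ = []
    for resource, resource_scopes in groups.items():
        body = {
            "client_id": client_id,
            "client_secret": "<client_secret>",
            "username": "<username>",
            "password": "<password>",
            "grant_type": "password",
            "scope": " ".join(resource_scopes + oidc),
        }
        requests_.append((resource, url, body))
    return requests_


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT without verifying it, as jwt.ms does.
    Good for local inspection only; an API must validate the signature before
    trusting these claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_authorizes(token, accepted_audiences, permission):
    """True if the token was issued for one of the accepted audiences and
    carries the named permission in its 'scp' claim."""
    claims = decode_jwt_payload(token)
    return (claims.get("aud") in accepted_audiences
            and permission in claims.get("scp", "").split())


# --- Constructed sample tokens: unsigned (alg=none), for illustration only ---
def _fake_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


API_RESOURCE = "api://11111111-1111-1111-1111-111111111111"  # placeholder app ID URI
API_TOKEN = _fake_jwt({"aud": API_RESOURCE, "scp": "app.test"})
GRAPH_TOKEN = _fake_jwt({"aud": GRAPH_RESOURCE, "scp": "User.Read email openid profile"})

if __name__ == "__main__":
    wanted = [API_RESOURCE + "/app.test", "User.Read", "email", "openid", "profile"]
    for resource, url, body in build_token_requests("<tenant_id>", "<client_id>", wanted):
        print(resource, "->", body["scope"])
    # An API token never authorizes a Graph call, whatever scopes were requested.
    print(token_authorizes(API_TOKEN, {GRAPH_RESOURCE}, "User.Read"))  # False
```

Two requests come out of the mixed list (one for `api://…/app.test`, one for Graph), each carrying the OIDC scopes, which is the "two access tokens" the answer recommends. Real Graph tokens may carry the Graph application ID as `aud` rather than the URL, so pass every audience you accept in `accepted_audiences`.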
