Task:
I want to include multiple scopes and allow access for those scopes with the same access token. I have configured Azure Active Directory as per the attached image. This condition was specified as follows, and an access token was issued with multiple scopes included.
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  --data-urlencode "client_id=<client_id>" \
  --data-urlencode "client_secret=<client_secret>" \
  --data-urlencode "username=testuser@thoughtspot.com" \
  --data-urlencode "password=*****" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "scope=https://<application_id>/session:role-any email openid profile" \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
Question:
How can I include multiple (session:role-any email openid profile) tokens above in the access token? Also, is this even possible?
Reference site:
https://docs.thoughtspot.com/cloud/latest/connections-snowflake-azure-ad-oauth
I may be wrong. If so, please let me know the correct way of thinking.
I tried to reproduce the same in my environment and got the results like below:
I agree with junnas, an access token does not work with multiple scopes. So, you need to generate two access tokens, one for the API and one for Graph.
I generated the access token for two scopes like below:
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id: ClientID
client_secret: ClientSecret
username: admin@xxxx.onmicrosoft.com
password: *****
grant_type: password
scope: api://*****/app.test email openid profile
Note that if you are passing two scopes, only the first scope will be considered while generating the access token.
The decoded access token shows only the API scope like below:
The aud doesn't include the Microsoft Graph scope and hence doesn't authorize Graph calls.
So, make sure to generate two access tokens separately, one for the API scope and another for the Graph scope.
I tried to generate the access token for the Microsoft Graph scope like below:
The decoded token contains Microsoft Graph scope and audience like below:
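To make the answer's point concrete, here is an added Python example; it is not code from the question, the answer, or the ThoughtSpot/Microsoft documentation. It groups a requested scope string by resource (the v2.0 endpoint issues one access token per resource audience, and the OIDC scopes openid, email, profile and offline_access ride along with any request), builds one token request body per resource, and decodes a token's payload to check whether its aud and scp actually cover the call you are about to make. The tenant, client, user and token values are constructed placeholders; the sample JWTs are built inline and unsigned, so the decoder is for inspecting claims only and must never stand in for signature and issuer validation on a real token.

```python
import base64
import json
from urllib.parse import urlencode

# OIDC scopes are not tied to a resource and may accompany any token request.
OIDC_SCOPES = {"openid", "email", "profile", "offline_access"}

# Well-known application ID of Microsoft Graph; v2.0 access tokens for Graph
# carry it in the aud claim.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def split_scopes_by_resource(scope_string):
    """Group a space-separated scope string by resource (audience).

    The v2.0 endpoint mints one access token per resource, so a request that
    mixes resources has to be split into one request per resource. Each group
    gets the OIDC scopes appended. Returns {resource: [scope, ...]}.
    """
    resources, oidc = {}, []
    for scope in scope_string.split():
        if scope in OIDC_SCOPES:
            oidc.append(scope)
            continue
        if "/" in scope:
            # "api://<app-id>/app.test" -> "api://<app-id>",
            # "https://graph.microsoft.com/User.Read" -> "https://graph.microsoft.com"
            resource, _, _ = scope.rpartition("/")
        else:
            # A bare scope such as "User.Read" is interpreted by the v2.0
            # endpoint as a Microsoft Graph scope.
            resource = "https://graph.microsoft.com"
        resources.setdefault(resource, []).append(scope)
    return {res: scopes + oidc for res, scopes in resources.items()}


def build_token_requests(tenant_id, client_id, client_secret, username, password, scope_string):
    """Return one (resource, url, form_body) tuple per resource, mirroring the
    ROPC request shown in the thread. Send each body as a separate POST."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    out = []
    for resource, scopes in split_scopes_by_resource(scope_string).items():
        body = urlencode({
            "client_id": client_id,
            "client_secret": client_secret,
            "username": username,
            "password": password,
            "grant_type": "password",
            "scope": " ".join(scopes),
        })
        out.append((resource, url, body))
    return out


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Inspection only: a relying
    party must validate signature, issuer and expiry before trusting claims."""
    _header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_authorizes(token, expected_aud, required_scope):
    """True only if the token was minted for expected_aud and its scp claim
    contains required_scope; a token for another resource never qualifies."""
    claims = jwt_claims(token)
    return claims.get("aud") == expected_aud and required_scope in claims.get("scp", "").split()


def _constructed_jwt(claims):
    """Build a CONSTRUCTED sample token (placeholder signature) for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed samples shaped like the two decoded tokens in the answer.
SAMPLE_API_TOKEN = _constructed_jwt({"aud": "api://<application_id>", "scp": "app.test"})
SAMPLE_GRAPH_TOKEN = _constructed_jwt({"aud": GRAPH_APP_ID, "scp": "User.Read email openid profile"})


if __name__ == "__main__":
    requested = "api://<application_id>/app.test https://graph.microsoft.com/User.Read email openid profile"
    for resource, url, body in build_token_requests("<tenant_id>", "<client_id>", "<client_secret>",
                                                    "user@example.test", "<password>", requested):
        print(f"{resource}: POST {url}\n  {body}")
    print("API token usable for app.test:", token_authorizes(SAMPLE_API_TOKEN, "api://<application_id>", "app.test"))
    print("API token usable for Graph:  ", token_authorizes(SAMPLE_API_TOKEN, GRAPH_APP_ID, "User.Read"))
```

The first print shows that a mixed scope string yields two POST bodies, each carrying the OIDC scopes; the last two show why the answer's single token failed against Graph: its aud names the API, so an audience check rejects it for Graph regardless of what was requested.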
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.