1
votes

I'm requesting an OAuth2.0 token from https://login.microsoftonline.com/common/oauth2/v2.0/authorize. I'm requesting these scopes:

[
 'https://graph.microsoft.com/User.Read', 
 'https://graph.microsoft.com/Calendars.Read.Shared', 
 'offline_access', 
 'profile', 
 'email', 
 'https://outlook.office.com/mail.read'
]

I'm trying to get both a Microsoft Graph scope and an Office 365 scope, but it gives me:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/User.Read https://graph.microsoft.com/Calendars.Read.Shared offline_access profile email https://outlook.office.com/mail.read is not valid

If I take out the outlook.office.com scope or both of the graph.microsoft.com scopes then it works.

Is there a way to have access to both?


2 Answers

1
votes

Requesting permissions for two resources in the same request is not supported in the v2.0 auth model; try separating the requests. You will be able to access both APIs as long as you get an access token for each resource audience.

0
votes

Here is a different approach, which allows you to access multiple resources with only one login request (but different access tokens).

Depending on the flow used, a refresh token should be returned to you, which can get you an access token for a different resource.

Retrieving access tokens

  1. Get a token A (along with a refresh token) by requesting only scopes from one resource (e.g. Graph).
  2. Get a token B using a token refresh request, requesting only scopes from the other resource (Office 365).

In your case, the token refresh raw HTTP request would look like this (auth code flow):

POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read
&refresh_token=...
&grant_type=refresh_token
&client_secret=...

Note on the above: line breaks in the body were added for legibility (the real body is a single line). The Host header carries only the host name, no scheme, and scope is shown URL-encoded, as it must be sent.

You now have two tokens: A which works for Graph, and B which works for Office 365.

Multi-resource refresh token required

Only multi-resource refresh tokens can be used. You can check for support in the openid-configuration document. To display the tenant-specific configuration, replace common in the URL with the tenant domain.

microsoft_multi_refresh_token: OPTIONAL. A Boolean value that indicates whether the OpenID provider supports multi-resource refresh tokens, which are refresh tokens that can be redeemed for an access token for any resource registered with the AD FS server.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
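The two-step exchange described in this answer, written out as an added example (not code from the original post or from Microsoft). It redeems the authorization code for a Graph-scoped token A plus a refresh token, then redeems that refresh token for an Outlook-scoped token B, refusing locally any scope list that mixes two resources so the request never draws AADSTS70011. The client id, secret, redirect URI and authorization code are placeholders, and `fake_token_endpoint` is a constructed stand-in for login.microsoftonline.com so the example runs offline; swap in `post_form` to talk to the real endpoint.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# OpenID Connect scopes are not tied to a resource and may ride along with any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

GRAPH_SCOPES = [
    "https://graph.microsoft.com/User.Read",
    "https://graph.microsoft.com/Calendars.Read.Shared",
    "offline_access",  # required, or step 2 has no refresh token to work with
    "profile",
    "email",
]
OUTLOOK_SCOPES = ["https://outlook.office.com/mail.read"]


def resource_of(scope):
    """Resource (token audience) a scope URI belongs to; None for OIDC scopes."""
    if scope in OIDC_SCOPES:
        return None
    parts = urllib.parse.urlsplit(scope)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"unqualified scope {scope!r}; use a full resource URI")
    return f"{parts.scheme}://{parts.netloc}"


def single_resource(scopes):
    """Reject a scope list spanning several resources before it is sent (the
    v2.0 endpoint would answer AADSTS70011). Returns the one resource or None."""
    resources = {r for r in map(resource_of, scopes) if r}
    if len(resources) > 1:
        raise ValueError(f"scope list spans several resources: {sorted(resources)}")
    return next(iter(resources), None)


def post_form(url, fields):
    """Real transport: form-encoded POST (urlencode percent-encodes the scope URIs)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def token_request(fields, post):
    single_resource(fields["scope"].split())
    reply = post(TOKEN_URL, fields)
    if "error" in reply:  # OAuth error responses are JSON with error/error_description
        raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
    return reply


def redeem_code(client_id, client_secret, redirect_uri, code, scopes, post=post_form):
    """Step 1: authorization code -> token A plus a refresh token."""
    return token_request({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes)}, post)


def refresh_for_resource(client_id, client_secret, refresh_token, scopes, post=post_form):
    """Step 2: refresh token -> token B for another resource (the raw request above)."""
    return token_request({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "scope": " ".join(scopes)}, post)


def tokens_for_both(client_id, client_secret, redirect_uri, code, post=post_form):
    """One login, two access tokens, keyed by the audience each one is valid for."""
    graph = redeem_code(client_id, client_secret, redirect_uri, code, GRAPH_SCOPES, post)
    if "refresh_token" not in graph:
        raise RuntimeError("no refresh token returned; offline_access missing or unsupported")
    outlook = refresh_for_resource(client_id, client_secret, graph["refresh_token"],
                                   OUTLOOK_SCOPES, post)
    return {
        "https://graph.microsoft.com": graph["access_token"],
        "https://outlook.office.com": outlook["access_token"],
        # keep the newest refresh token; the endpoint may rotate it on every use
        "refresh_token": outlook.get("refresh_token", graph["refresh_token"]),
    }


def fake_token_endpoint(url, fields):
    """Constructed stand-in for the v2.0 token endpoint (NOT the real service).
    It mimics two behaviours only: one resource per request, and a refresh token
    only when offline_access was granted. The tokens it issues are placeholders."""
    scopes = fields["scope"].split()
    try:
        resource = single_resource(scopes)
    except ValueError:
        return {"error": "invalid_scope",
                "error_description": f"AADSTS70011: The scope {fields['scope']} is not valid"}
    reply = {"token_type": "Bearer", "expires_in": 3600, "scope": fields["scope"],
             "access_token": f"placeholder-access-token-for-{resource}"}
    if "offline_access" in scopes or fields["grant_type"] == "refresh_token":
        reply["refresh_token"] = f"placeholder-refresh-token-{fields['grant_type']}"
    return reply


if __name__ == "__main__":
    print(json.dumps(tokens_for_both("client-id", "client-secret", "https://localhost/callback",
                                     "auth-code", post=fake_token_endpoint), indent=2))
```

Send each access token only to the API whose audience it was issued for; a Graph token presented to outlook.office.com is rejected, which is exactly why two tokens are needed. Persist the refresh token from the most recent response rather than the first one, since the endpoint can hand back a replacement on each refresh.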