Microsoft Authentication request additional scope with Access Token

0
votes

The Microsoft Authentcation is very complex in my eyes. There are so many flows and stuff going!

So what I'm doing currently is

  1. Get a token for a specific scope using the Authorization code flow. I'm using the following scope: https://admin.services.crm.dynamics.com//user_impersonation (as far as I know I can only request a token for a single scope/audience)
  2. The token works fine. I can access the dynamics admin center with the bearer token I received.

What I'm trying to do now is the following:

  • I'm trying to access the Microsoft Graph endpoint to read information about the users AAD.
  • I cannot use the existing token from above, as this one only has the user_importation scope for https://admin.services.crm.dynamics.com/
  • I have to request another token with the scope user.read

That's where I'm stuck. How can I use the existing access_token to request an additional scope?

I can use the oauth2/v2.0/token endpoint in combination with the refresh token to request a token for another scope (user.read). This works fine, but I don't want to use the refresh token for this, but instead use the access_token. Is this even possible and makes sense?

2
azure-active-directorymicrosoft-graph-apimsal
What platform are you developing for? Can you share the code for how you're obtaining the token in the first place?Philippe Signoret

2 Answers

0
votes

Is this even possible and makes sense?

No, you could not use access token to get new access token with addition scope.

As you have said, you could use refresh token to request a new access token for another scope. Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. Although refresh tokens aren't revoked when used to acquire new access tokens, you are expected to discard the old refresh token. 

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https://admin.services.crm.dynamics.com/user_impersonation user.read
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=JqQX2PNo9bpM0uEihUPzyrh      // NOTE: Only required for web apps

And you could refer to this tutorial.

0
votes

The scenario that you are looking for is called incremental consent. This is totally doable with MSAL. It would be great to know what platform are you developing by the way.

What you can do is to request an access token for user.read and expects MsalUiRequiredException to be thrown. In its catch, you make an interactive call with user.read as scope. With this approach, you will be implementing the incremental consent. Note that user_impersonation will still be available to use after this, and your token cache will now have both scopes.