Context
For a case I am required to work with a private Azure API, let's call it MYTESTAPI. MYTESTAPI contains a few scopes so it is able to access our .NET Core API. This works great because I am making the token request with:
api://{clientid}/mytestapi.scope
I am getting a token back and with the token I can access our API. I have an Angular client with an external library called angular-oauth-oidc-client. This is working to an extent, as I work with the (not recommended) implicit flow and silent renew.
Now I have my Angular app set up so I am connecting through Azure AD to our private API. BUT the issue is, I am required to get UserInfo too. This comes from 'https://graph.microsoft.com/oidc/userinfo'. So what I tried to do was add openid and profile to the scopes so I am able to use the Graph API to get basic profile info.
scopes: 'openid profile api://{clientid}/mytestapi.scope'
When I decode the generated token, I do not see openid or profile added to the "scp" part. And the userinfo request returns a 401: Unauthorized. It seems like I need to configure something in Azure Portal to make this work.
My probable solution is to configure the Azure API in a way that 'mytestapi.scope' will grant permission to access parts of the Graph API.
Feel free to ask any required context or questions.
Question:
- Is it even possible to grant Graph permissions to a private API, and if so, is it recommended, or is there a better solution, and how?
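The "decode the token and look at scp" check described in the question, written out as an added example (not code from the question, from Azure, or from angular-oauth2-oidc). It decodes the payload of an access token without verifying the signature, then reports which resource the token was issued for (the `aud` claim) and which delegated scopes it carries (the `scp` claim). The client id, the constructed sample tokens and the `makeSampleJwt` helper are assumptions made for the example; the Graph audience values are the public ones Microsoft Graph uses. The point it illustrates is that an access token minted for `api://{clientid}` carries that audience, so Graph rejects it regardless of which OIDC scopes were in the request.

```javascript
// Added example: inspect an Azure AD access token's "aud" and "scp" claims to
// see which resource it is usable against. Decoding is for inspection only;
// it does NOT verify the signature and must never drive an authorization decision.

const CLIENT_ID = '11111111-2222-3333-4444-555555555555'; // constructed placeholder
const API_AUDIENCE = `api://${CLIENT_ID}`;                // the private API's identifier URI
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000', // well-known Microsoft Graph application id
]);

function base64UrlDecode(s) {
  // JWT segments are base64url without padding; Node's base64 decoder tolerates the missing '='.
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Classify a token by audience and delegated scopes.
// An access token is issued for exactly one audience; Graph's userinfo endpoint
// only accepts tokens whose audience is Graph and that carry the openid scope.
function classifyToken(token) {
  const claims = decodeJwtPayload(token);
  const aud = claims.aud;
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const forApi = aud === API_AUDIENCE || aud === CLIENT_ID;
  const forGraph = GRAPH_AUDIENCES.has(aud);
  return {
    aud,
    scopes,
    forApi,
    forGraph,
    canCallUserInfo: forGraph && scopes.includes('openid'),
  };
}

// Constructed, unsigned sample tokens that mimic the claim layout of Azure AD
// access tokens (hypothetical helper; a real token is signed by Azure AD).
function makeSampleJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.fakesignature`;
}

// Token obtained with scopes 'openid profile api://{clientid}/mytestapi.scope':
// the OIDC scopes shape the ID token, the access token is for the private API only.
const apiToken = makeSampleJwt({
  aud: API_AUDIENCE,
  scp: 'mytestapi.scope',
  iss: `https://login.microsoftonline.com/${CLIENT_ID}/v2.0`,
});

// Token obtained in a separate request for Graph scopes (constructed sample).
const graphToken = makeSampleJwt({
  aud: 'https://graph.microsoft.com',
  scp: 'openid profile User.Read',
  iss: `https://login.microsoftonline.com/${CLIENT_ID}/v2.0`,
});

console.log('API token  :', classifyToken(apiToken));
console.log('Graph token:', classifyToken(graphToken));
```

Running it shows the first token with `aud` set to the API and `scp` of `mytestapi.scope` only, which is exactly what the question observes: the userinfo 401 is an audience mismatch, not a missing scope on the API. The second token, with a Graph audience and `openid` in `scp`, is the shape the userinfo endpoint accepts, and it has to come from its own token request for Graph scopes.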