skip to Main Content

I have an asp.net core web api project. This project uses azure entra id for authentication. I have registered 2 apps in this entra one for react client app and second for asp.net core web apis. This web api project has 2 modules one mes which is secured with this scope "api://********-****-****-****-************/Mes" and other user management which required above scope plus these graph api scopes,

 "User.Read",
 "Directory.ReadWrite.All",
 "User.Invite.All"

enter image description here

Now on react app I’m using msal-react and msal-browser for login and attaining token but when i am trying to get a singular token for all these scopes so that I get access to all apis with single token I only get token for either mes scope or graph api scopes

const loginRequest = {
  scopes: [
    "api://********-****-****-****-************/Mes",
    "User.Read",
    "Directory.ReadWrite.All",
    "User.Invite.All",
  ],
};

const handleLogin = async () => {
  try {
    let auth = await instance.loginPopup(loginRequest);
    localStorage.setItem("user", JSON.stringify(auth));
    localStorage.setItem("access_token", auth.accessToken);
    return auth;
  } catch (error) {
    if (error instanceof AuthError && error.errorCode === 'user_cancelled') {
      console.log('User cancelled the login flow');
      return rejectWithValue('User cancelled the login flow');
    } else {
      console.error('Login error:', error);
      throw rejectWithValue(error.message);
    }
  }
};

enter image description here

enter image description here

When I’m requesting all scopes together in login request, its only providing token for graph api, to get token for mes i must request it alone in login request.
Purpose of this question is to find a way that let me get single token for all these scopes.

2

Answers


  1. Simple answer is that you can’t.

    A token can be acquired for multiple scopes if all those scopes belong to same resource. For example, in a single request you can acquire token for User.Read, Directory.ReadWrite.All and User.Invite.All scopes because they are part of Graph API resource.

    To acquire token for your API, you will need to make a separate request as it is a completely different resource.

    Login or Signup to reply.
  2. Note that: You cannot generate access token for multiple resources that is Web API and Microsoft Graph. You need to generate two access token one for API and one for Graph.

    Created a Microsoft Entra ID application and granted below API permissions:

    enter image description here

    Generated access token via Postman by using below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    scope:api://XXX/readaccess User.Read Directory.ReadWrite.AlL User.Invite.All
    grant_type:authorization_code
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    

    enter image description here

    • The access token got generated with the scope as api://XXX/readaccess but Microsoft Graph scope isn’t included in the access token.
    • If you are passing multiple resources, then while generating the access token it will consider only the first scope while generating the access token.
    • Hence, generate separate tokens for different resources.

    Reference:

    I want to get multiple access token for my multiple scopes. How can I do that with only one user sign in? – Microsoft Q&A by Shweta Mathur

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search