
The user logs in with

https://login.live.com/oauth20_authorize.srf

Parameters:
client_id=<CLIENT_ID>
response_type=code
scope=XboxLive.signin offline_access
redirect_uri=<REDIRECT_URL>

And gets an authorization_code M.R3_BAY.5530f5eb…

When using:

https://login.live.com/oauth20_token.srf

grant_type=authorization_code
client_id=<CLIENT_ID>
scope=Xboxlive.signin Xboxlive.offline_access
code=M.R3_BAY.5530f5eb...
redirect_uri=https://localhost/oauth_success
client_secret=<CLIENT_SECRET>

Getting access_token and refresh_token.

I want to use one of these tokens to get another access_token and refresh_token of scopes {https://graph.microsoft.com/.default openid offline_access}. I don’t want the user to reauthenticate.

Something like that:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id=<CLIENT_ID>
scope=https://graph.microsoft.com/.default openid offline_access
refresh_token=M.R3_BL2.-CTnwtvT1!SRhk...
grant_type=refresh_token
client_secret=<CLIENT_SECRET>

But it gives me: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope

  • I have found how to do this in MSAL using WithExtraScopeToConsent. But I’ve only found this in MSAL.NET and MSAL.JS. I couldn’t find it in MSAL4J. But I’d like to do it with a simple request, without using third-party libraries.

2 Answers


  1. From the screenshot it looks like the "&" is missing in the code; here is the sample code for getting the access token:

    [screenshot: sample code]

    For more information: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#example

  2. I tried to reproduce the same in my environment and got the results below:

    I generated the auth code using the authorize endpoint below:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize? 
    client_id=ClientID
    &response_type=code  
    &redirect_uri=https://jwt.ms
    &response_mode=query  
    &scope=https://graph.microsoft.com/.default openid offline_access
    &state=12345
    


    I generated the access token using the authorization code flow as below:

    https://login.microsoftonline.com/common/oauth2/v2.0/token 
    
    client_id:ClientID
    grant_type:authorization_code
    code:code
    redirect_uri:https://jwt.ms
    scope:https://graph.microsoft.com/.default openid offline_access
    client_secret:ClientSecret
    


    Now, using the On-Behalf-Of flow, I generated the access token with the parameters below:

    https://login.microsoftonline.com/common/oauth2/v2.0/token 
    
    client_id:ClientID
    client_secret:ClientSecret
    scope:https://graph.microsoft.com/.default 
    grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
    assertion:accesstokengeneratedabove
    requested_token_use:on_behalf_of
    


    Reference:

    GitHub – A Java Web API that calls another web API with the Microsoft identity platform using the On-Behalf-Of flow

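The requests described in the question and in the second answer (authorize, authorization-code exchange, refresh, and On-Behalf-Of), as an added example that is not code from the question or from either answer. It builds each request with a real query-string encoder so the "&" and scope-encoding mistakes cannot happen, verifies the `state` on the callback, and runs a local pre-flight check that a refresh request does not ask for scopes the user never consented to, which is the condition the error message in the question describes. `CLIENT_ID`, `CLIENT_SECRET`, the redirect URI, the callback URL and all token strings are constructed placeholders; the `post_form` helper is an assumption about how you would send the body and is not called by default.

```python
"""Microsoft identity platform v2.0 request builders (added example)."""
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """urlencode joins parameters with '&' and percent-encodes the space-separated scope list."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Return the authorization code; reject a missing or mismatched state and surface errors."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


def auth_code_body(client_id, client_secret, code, redirect_uri, scopes):
    """Body for grant_type=authorization_code; redirect_uri must equal the one sent to /authorize."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def refresh_body(client_id, client_secret, refresh_token, scopes, consented_scopes):
    """Body for grant_type=refresh_token, after a local check that every requested scope was consented to.

    A refresh cannot widen what the user granted; asking for more is what produces
    "scopes requested are unauthorized or expired" and a fresh sign-in is required.
    The check is a client-side pre-flight only (assumption: plain string comparison).
    """
    missing = set(scopes) - set(consented_scopes)
    if missing:
        raise PermissionError(f"not consented, user must sign in again: {sorted(missing)}")
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }


def obo_body(client_id, client_secret, assertion, scopes):
    """Body for the On-Behalf-Of exchange shown in the second answer."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": OBO_GRANT,
        "assertion": assertion,
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }


def post_form(url, body):
    """Send a form-encoded token request and decode the JSON reply (network; not run in the demo)."""
    data = urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholders; no network call is made here.
    state = secrets.token_urlsafe(16)
    graph_scopes = ["https://graph.microsoft.com/.default", "openid", "offline_access"]
    print(build_authorize_url("CLIENT_ID", "https://localhost/oauth_success", graph_scopes, state))
    code = parse_callback(f"https://localhost/oauth_success?code=M.R3_BAY.example&state={state}", state)
    print(auth_code_body("CLIENT_ID", "CLIENT_SECRET", code, "https://localhost/oauth_success", graph_scopes))
    try:  # the question's situation: consent covered only the XboxLive scopes
        refresh_body("CLIENT_ID", "CLIENT_SECRET", "M.R3_BL2.example", graph_scopes,
                     ["XboxLive.signin", "offline_access"])
    except PermissionError as exc:
        print("refresh refused:", exc)
```

The pre-flight in `refresh_body` reproduces the page's failure mode locally: with consent limited to `XboxLive.signin offline_access`, a refresh for Graph scopes is refused before anything is sent, which is the point at which the user has to be sent back through `/authorize` with the wider scope list.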