OAuth2 workflow with XboxLive and OpenID

Loïc Frasse-Mathon 1 Reputation point
2022-12-01T14:56:37.547+00:00

Hello,

I am trying to build a web app using Microsoft to authenticate our users, and I'm facing a problem with the OAuth process.

Basically, we need multiple scopes for this, first is XboxLive.signin offline_access for getting their Xbox information and verifying they own a game, and then we need OpenID or Graph to get their email address (we would also need their birthdate for validating they are old enough for GDPR compliance, but I didn't find how to get it).

Unfortunately, when calling the /oauth2/v2.0/token endpoint, the only token being returned is the XboxLive one, which doesn't work for OpenID or Graph.
I can't call that endpoint twice for both scopes since the auth code is getting invalidated directly after the first call.

The best workaround I found is reading the content of the id_token JWT returned along the XboxLive token, seems to be working for getting the email, but the docs are saying its format must not be trusted.

Do you have any solution for that or general guidance on how to get around that issue? I have checked the docs and couldn't find anything useful for that.

Regards,
Loïc

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

1 answer

  1. Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator
    2022-12-05T10:33:54.297+00:00

    Hi @LoicFrasseMathon,

    I understand you are trying to retrieve an access token with multiple scopes.

    Unfortunately, there is no high priority scope to achieve this as you can't mix two resources XboxLive.signin offline_access and Microsoft Graph. The access token is issued according to the API audience which identifies the intended recipient of the token you want to access, and this should be unique.

    The Microsoft identity platform does not allow you to get a token for several resources at once.

    Although you can use the .WithExtraScopeToConsent method in your application, which will allow you to silently get the token for another API after calling the first web API.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------

    Please remember to "Accept Answer" if answer helped you.
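The pattern the answer describes, written out in plain HTTP against the v2.0 endpoints (added example, not code from this thread or from Microsoft): every scope is requested in the single authorize round trip so the user consents to both resources at once, the authorization code is redeemed exactly once for the XboxLive scopes, and the refresh token that `offline_access` produces is then redeemed silently for Microsoft Graph, which is what MSAL's WithExtraScopeToConsent does behind the scenes. The client id, secret, redirect URI, token strings and the `FakeTokenEndpoint` are constructed stand-ins so the flow runs offline; the `consumers` authority is assumed because XboxLive.signin is a consumer-account scope.

```python
"""One sign-in, two resources: XboxLive first, Microsoft Graph via the refresh
token. Added example; every id, secret and token below is constructed."""
import json
import urllib.request
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/consumers"  # assumed: MSA accounts
AUTHORIZE_URL = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_URL = f"{AUTHORITY}/oauth2/v2.0/token"

XBOX_SCOPES = ["XboxLive.signin", "offline_access"]       # resource A
GRAPH_SCOPES = ["https://graph.microsoft.com/User.Read"]  # resource B
OIDC_SCOPES = ["openid", "email"]                         # populates the id_token


def build_authorize_url(client_id, redirect_uri, state):
    """The authorize endpoint accepts scopes from several resources (that is
    how consent for both is collected up front); the token endpoint does not."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(XBOX_SCOPES + GRAPH_SCOPES + OIDC_SCOPES),
        "state": state,  # caller-generated, checked on return to block CSRF
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def http_post(url, form):
    """Real transport (form-encoded POST, JSON back); not used in the demo run."""
    req = urllib.request.Request(url, data=urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def redeem_code(post, client_id, client_secret, redirect_uri, code):
    """Redeem the authorization code exactly once, for resource A only."""
    return post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                            "grant_type": "authorization_code", "code": code,
                            "redirect_uri": redirect_uri,
                            "scope": " ".join(XBOX_SCOPES)})


def acquire_silently(post, client_id, client_secret, refresh_token, scopes):
    """A refresh token is not bound to a resource, so the one issued alongside
    the XboxLive token can be redeemed for Graph scopes without a new code."""
    return post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                            "grant_type": "refresh_token",
                            "refresh_token": refresh_token,
                            "scope": " ".join(scopes)})


def sign_in(post, client_id, client_secret, redirect_uri, code):
    """Whole sequence: one code redemption, then one silent call per extra resource."""
    xbox = redeem_code(post, client_id, client_secret, redirect_uri, code)
    if "error" in xbox:
        return {"error": xbox["error"]}
    graph = acquire_silently(post, client_id, client_secret,
                             xbox["refresh_token"], GRAPH_SCOPES)
    return {"xbox": xbox, "graph": graph}


class FakeTokenEndpoint:
    """Constructed stand-in for /oauth2/v2.0/token that models the two rules
    the question ran into: a code is single-use, a token has one audience."""

    def __init__(self):
        self.redeemed = set()
        self.calls = []

    def __call__(self, url, form):
        self.calls.append(dict(form))
        audience = form["scope"].split()[0].rsplit("/", 1)[-1]
        token = {"token_type": "Bearer", "expires_in": 3600, "scope": form["scope"],
                 "access_token": f"at-for-{audience}-CONSTRUCTED",
                 "refresh_token": "rt-CONSTRUCTED"}
        if form["grant_type"] == "authorization_code":
            if form["code"] in self.redeemed:
                return {"error": "invalid_grant"}  # second redemption is refused
            self.redeemed.add(form["code"])
            return {**token, "id_token": "idtoken-CONSTRUCTED"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-CONSTRUCTED":
            return token
        return {"error": "invalid_grant"}


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    print(build_authorize_url("client-id-CONSTRUCTED", "https://app.example/cb", "state-CONSTRUCTED"))
    print(json.dumps(sign_in(endpoint, "client-id-CONSTRUCTED", "secret-CONSTRUCTED",
                             "https://app.example/cb", "code-CONSTRUCTED"), indent=2))
```

To use it for real, pass `http_post` instead of a `FakeTokenEndpoint` and supply the code from the redirect after checking `state`. The id_token that comes back with the first exchange is the right place to read the email claim, but only after validating its signature against the authority's JWKS and checking the `iss` and `aud` claims; decoding it unverified, as the question's workaround does, accepts whatever the response body says.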


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.