I want access tokens with multiple scopes including http

Question

·Task I want to include multiple scopes and allow access for those scopes with the same access token. I have configured Azure AD as per the attached image. This condition was specified as follows, and an access token was issued with multiple scopes included. curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
--data-urlencode "client_id=<client_id>"
--data-urlencode "client_secret=<client_secret>"
--data-urlencode "username=testuser@thoughtspot.com"
--data-urlencode "password=*****"
--data-urlencode "grant_type=password"
--data-urlencode "scope=https://<application_id>/session:role-any email openid profile"
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

When I visualized the issued access token on the following site, only session:role-any was included in the access token. https://jwt.ms/

By the way, when I included only the email openid profile in the scope, the email openid profile was included in the access token.

·question How can I include multiple (session:role-any email openid profile) tokens above in the access token? Also, is this even possible?

·Reference site https://docs.thoughtspot.com/cloud/latest/connections-snowflake-azure-ad-oauth I may be wrong. If so, please let me know the correct way of thinking.

Answer 1

Hello, is not possible to include scopes for different resources in the same Azure AD access token request. You should do a request per resource. That being said, email, openid and profile are OpenID scopes which are scopes for ID tokens. You can request both an access token and ID token using the same request, this is called Hybrid flow. Set the authorization URL response_type param to id_token+token. E.g.

// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
// + other params

Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.