I want access tokens with multiple scopes including http

Yohei Nishioka 20 Reputation points
2023-01-30T08:12:28.03+00:00

Task: I want to include multiple scopes and allow access for those scopes with the same access token. I have configured Azure AD as per the attached image. This condition was specified as follows, and an access token was issued with multiple scopes included.

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
      --data-urlencode "client_id=<client_id>" \
      --data-urlencode "client_secret=<client_secret>" \
      --data-urlencode "username=testuser@thoughtspot.com" \
      --data-urlencode "password=*****" \
      --data-urlencode "grant_type=password" \
      --data-urlencode "scope=https://<application_id>/session:role-any email openid profile" \
      https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

When I inspected the issued access token on the following site, only session:role-any was included in the access token: https://jwt.ms/

By the way, when I included only email openid profile in the scope, email openid profile was included in the access token.

Question: How can I include all of the scopes above (session:role-any email openid profile) in the access token? Also, is this even possible?

Reference site: https://docs.thoughtspot.com/cloud/latest/connections-snowflake-azure-ad-oauth

I may be wrong. If so, please let me know the correct way of thinking.

Microsoft Entra ID

Accepted answer
Alfredo Revilla (MSFT) 26,821 Reputation points
2023-01-30T23:48:22.0533333+00:00

Hello, it is not possible to include scopes for different resources in the same Azure AD access token request. You should make one request per resource. That being said, email, openid and profile are OpenID scopes, which are scopes for ID tokens. You can request both an access token and an ID token using the same request; this is called the hybrid flow. Set the authorization URL response_type param to id_token+token. E.g.

    // Line breaks for legibility only
    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
    response_type=id_token+token
    // + other params

Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

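The split that the answer describes, as an added example that is not part of the original question or answer: the Python below takes the combined scope string from the question, groups it into one ROPC token request per resource (each carrying the OIDC scopes so an ID token comes back alongside the access token), and decodes a token payload the way jwt.ms does to check `aud` and `scp`. The placeholder identifiers, the two sample tokens and the rule that a bare scope with no resource prefix defaults to Microsoft Graph are assumptions made for the demo; nothing in it contacts Azure AD.

```python
"""Added example (not from the original question or answer): one token request
per resource, plus unverified payload inspection of the resulting access token."""
import base64
import json

# OpenID Connect scopes belong to no resource; they shape the ID token and may
# accompany any v2.0 token request. offline_access is included for completeness.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Assumption for this demo: a scope with no resource prefix is a Microsoft Graph scope.
DEFAULT_RESOURCE = "https://graph.microsoft.com"

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def split_scopes_by_resource(scope_string):
    """Group scopes by the resource named in their URI prefix; OIDC scopes come back separately.

    "https://<application_id>/session:role-any" and "https://graph.microsoft.com/User.Read"
    name different resources, so they land in different groups.
    """
    resources, oidc = {}, []
    for scope in scope_string.split():
        if scope in OIDC_SCOPES:
            oidc.append(scope)
            continue
        resource, sep, _name = scope.rpartition("/")
        if not sep:
            resource = DEFAULT_RESOURCE
        resources.setdefault(resource, []).append(scope)
    return resources, oidc


def build_token_requests(client_id, client_secret, username, password, scope_string):
    """Return (resource, form_body) pairs: one ROPC token request per resource.

    An Azure AD access token is issued for a single audience, so the combined scope
    string from the question becomes one request per resource. Each request also
    carries the OIDC scopes so an ID token is returned with it. Sending is left to
    the caller, e.g. requests.post(url, data=form_body), which encodes the body as
    application/x-www-form-urlencoded.
    """
    resources, oidc = split_scopes_by_resource(scope_string)
    if not resources:
        # Only OIDC scopes requested: a single request, and the access token that
        # comes back is for Graph, consistent with what the question observed.
        resources = {DEFAULT_RESOURCE: []}
    out = []
    for resource, scopes in resources.items():
        form_body = {
            "client_id": client_id,
            "client_secret": client_secret,
            "username": username,
            "password": password,
            "grant_type": "password",
            "scope": " ".join(scopes + oidc),
        }
        out.append((resource, form_body))
    return out


def _b64url_decode(segment):
    """Base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Payload claims of a compact JWT, WITHOUT signature verification.

    This is what jwt.ms does and is fine for checking `aud` and `scp` by eye. A
    resource server must instead validate signature, issuer, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_covers(token, accepted_audiences, scope_name):
    """True if the token was issued for one of `accepted_audiences` and grants `scope_name`.

    Depending on the resource app's accepted token version, `aud` is either the
    App ID URI or the resource's application (client) ID, so callers pass both.
    """
    claims = decode_claims(token)
    return claims.get("aud") in accepted_audiences and scope_name in claims.get("scp", "").split()


def _constructed_token(claims):
    """Unsigned token for the demo only. Constructed data, not a real Azure AD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed stand-ins for the two tokens the question describes: the custom API
# token carries only session:role-any, the Graph token carries the OIDC scopes.
SAMPLE_API_TOKEN = _constructed_token({"aud": "https://<application_id>", "scp": "session:role-any"})
SAMPLE_GRAPH_TOKEN = _constructed_token({"aud": DEFAULT_RESOURCE, "scp": "email openid profile"})


if __name__ == "__main__":
    scope = "https://<application_id>/session:role-any https://graph.microsoft.com/User.Read email openid profile"
    for resource, body in build_token_requests("<client_id>", "<client_secret>", "testuser@example.com", "*****", scope):
        print(f"POST {TOKEN_ENDPOINT} for {resource}: scope={body['scope']!r}")
    print("API token scp:  ", decode_claims(SAMPLE_API_TOKEN)["scp"])
    print("Graph token scp:", decode_claims(SAMPLE_GRAPH_TOKEN)["scp"])
```

The form bodies mirror the password grant used in the question; each one carries the client secret and the user's password, so never log them. `token_covers` is an inspection aid for the jwt.ms step in the question, not an authorization check: the resource that receives the token still has to verify the signature against the tenant's signing keys before trusting `scp`.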
