Share via

I want to get multiple access token for my multiple scopes. How can I do that with only one user sign in?

Roman 0 Reputation points
2023-06-22T18:43:26.8533333+00:00

I've got an app registered with Azure AD. Registration includes one scope for MS Graph and five for my protected resources. I want my user to log in and thus my app will get access for all protected services.

First my app opens a browser with url pointing to oauth2/v2.0/authorize with all parameters given including one of these six scopes. User enters login and password stuff and browser redirects to a redirect endpoint where my http server listens a response. So I have authorization_code for a given scope. With this authorization_code my app can visit a oauth2/v2.0/token endpoint and get an access_token for a given scope. The question is: what I have to do to get another authorization_code for another access_token. I cannot use previous authorization_code for a request for another access_token because it cannot be redeemed. It would be not a good idea to make a user do a login procedure several times.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,174 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shweta Mathur 29,856 Reputation points Microsoft Employee
    2023-06-27T06:53:18.76+00:00

    Hi @Roman ,

    Thanks for reaching out.

    I understand you are trying to retrieve access tokens with multiple scopes.

    Unfortunately, this can't be achieved as you can't mix the resources. The access token is issued according to the API audience which identifies the intended recipient of the token you want to access, and this should be unique.

    The Microsoft identity platform does not allow you to get a token for several resources at once.

    When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the .WithExtraScopeToConsent builder method.

    This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache.

    string[] scopesForCustomerApi = new string[]
{
  "https://mytenant.onmicrosoft.com/customerapi/customer.read",
  "https://mytenant.onmicrosoft.com/customerapi/customer.write"
};
string[] scopesForVendorApi = new string[]
{
 "https://mytenant.onmicrosoft.com/vendorapi/vendor.read",
 "https://mytenant.onmicrosoft.com/vendorapi/vendor.write"
};

var accounts = await app.GetAccountsAsync();
var result = await app.AcquireTokenInteractive(scopesForCustomerApi)
                     .WithAccount(accounts.FirstOrDefault())
                     .WithExtraScopeToConsent(scopesForVendorApi)
                     .ExecuteAsync();

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.