0 Votes
SC-5826 asked amanpreetsingh-msft edited

Azure application & graphapi scope

Hi,

I have an application xxx-client and a custom application scope defined as xxx-app.

By defining the scope xxx-app in the v2-oauth2-auth-code-flow,
I am able to fetch the custom roles claim like 'Role.Reader'.

 {
   "typ": "JWT",
   "alg": "RS256",
   "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680"
 }.{
   "roles": [
     "Role.Reader",
     "Role.Writer"
   ],
   "scp": "xxx",
   ....
   "ver": "2.0"
 }.[Signature]

When I define multiple scopes, like (User.Read, api://xxxxApp/xxxx) or (api://xxxxApp/xxxx, User.Read),
I get either the Graph API claims or the roles claims (depending on the scope order), but not both.

 {
   "typ": "JWT",
   "nonce": "xxxxx",
   "alg": "RS256",
   "x5t": "xxx",
   "kid": "xxxx"
 }.{
   "scp": "email openid profile User.Read User.ReadBasic.All",
   "signin_state": [
     "dvc_mngd",
     "dvc_dmjd",
     "kmsi"
   ],
   .....
 }.[Signature]

Is it possible to get App roles and Graph API claims in a single OAuth2 code flow?


azure-ad-authentication, microsoft-graph-permissions, azure-app-configuration, azure-webapps-authentication

1 Answer

1 Vote
amanpreetsingh-msft answered amanpreetsingh-msft edited

Hi @SC-5826 • Thank you for reaching out.

Unfortunately, Azure AD doesn't support a multiple-audience claim as of now, which means you can specify either Graph API scopes or your custom API scopes in a given authentication request, not both.

At this time, we view unbound multi-audience tokens as a security threat that we do not support. Multi-audience bearer tokens can be replayed from one audience to the other insecurely, allowing an attacker who compromises one service to expand their footprint unnecessarily.

Our product team is investigating a proof-of-possession scheme to securely support multi-audience tokens that are sender-constrained. Hopefully, this will be supported in the near future.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
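The practical consequence of the answer is that one access token carries one audience, so a client that needs both Graph and the custom API must make two token requests, and each resource server must check that the token it receives was actually minted for it. The following is an added example (not code from the question, the answer, or Microsoft); it assumes a hypothetical App ID URI of api://xxxxApp for the custom API, uses the well-known Microsoft Graph application ID as the Graph audience, and treats scopes without a resource prefix as Graph scopes, which is the v2 endpoint convention the question relies on. The tokens it builds are constructed and unsigned, purely to show the claim shapes; a real validator verifies the signature first.

```python
import base64
import json
from collections import defaultdict

# Well-known application ID of Microsoft Graph (the aud of a Graph access token).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Hypothetical App ID URI of the custom API from the question (assumption).
CUSTOM_API_AUD = "api://xxxxApp"

# OIDC scopes that ride along with any request and do not select a resource.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def group_scopes_by_resource(scopes):
    """Split a requested scope list into one group per resource.

    Assumption (v2 endpoint convention): a scope with no resource prefix
    ("User.Read") is a Microsoft Graph scope; "<resource>/<permission>"
    targets <resource>. Each group becomes one token request, because one
    access token carries one audience.
    """
    groups = defaultdict(list)
    for scope in scopes:
        if scope in OIDC_SCOPES:
            continue
        if "/" in scope:
            resource, _, permission = scope.rpartition("/")
            groups[resource].append(permission)
        else:
            groups[GRAPH_APP_ID].append(scope)
    return dict(groups)


def decode_claims(token):
    """Return the payload claims of a compact JWT WITHOUT checking its signature.

    For inspection only: a resource server must verify the signature against
    the issuer's published keys before trusting any claim.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def audience_is_acceptable(claims, expected_aud):
    """Strict audience check a resource server should apply.

    Rejects tokens minted for another resource (a Graph token replayed
    against the custom API) and refuses multi-audience tokens outright,
    which is the replay threat the answer describes.
    """
    aud = claims.get("aud")
    if isinstance(aud, list):
        return False  # several audiences: refuse rather than pick one
    return aud == expected_aud


def _encode_token(claims):
    """Build an unsigned compact JWT for the constructed examples below."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "none"}
    return f"{b64(header)}.{b64(claims)}."


# Constructed tokens: what two separate token requests would yield.
GRAPH_TOKEN = _encode_token({"aud": GRAPH_APP_ID, "scp": "User.Read", "ver": "2.0"})
API_TOKEN = _encode_token(
    {"aud": CUSTOM_API_AUD, "roles": ["Role.Reader"], "scp": "xxxx", "ver": "2.0"}
)
# Constructed: the unbound multi-audience token Azure AD refuses to issue.
MULTI_AUD_TOKEN = _encode_token(
    {"aud": [GRAPH_APP_ID, CUSTOM_API_AUD], "scp": "User.Read xxxx"}
)


if __name__ == "__main__":
    # The question's scope list needs two requests, one per resource.
    print(group_scopes_by_resource(["openid", "User.Read", "api://xxxxApp/xxxx"]))
    for name, tok in [("graph", GRAPH_TOKEN), ("api", API_TOKEN), ("multi", MULTI_AUD_TOKEN)]:
        ok = audience_is_acceptable(decode_claims(tok), CUSTOM_API_AUD)
        print(f"{name} token accepted by custom API: {ok}")
```

Only the token minted for api://xxxxApp passes the custom API's audience check; the Graph token and the hypothetical multi-audience token are both refused, and the roles claim is read from the token that was requested for the custom API.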
