0 votes
1.2k views
in Technique by (71.8m points)

azure - Multiple resources in a single authorization request

We currently use the following authorize url: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com

We want to also use the Graph API, so I added the following: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F%26https%3A%2F%2Fgraph.microsoft.com

I've tried different delimiters between the two resources, but couldn't get it to work. Each resource works on its own. I hope more than one resource at a time is supported?

1 Answer

0 votes
by (71.8m points)

I think what you're trying to do here, passing multiple values to the resource parameter directly, will not work (probably not a supported scenario, but I'll wait until someone from Microsoft confirms it or I find Azure AD documentation stating exactly that. In the meantime, here's an old blog post that says something like this, but it's a blog post about SSO from 2014 :), so I don't want to rely solely on it.)

Below I'm explaining how you can make this scenario work by reusing refresh tokens, without passing both resource IDs in the same call. (NOTE: this approach works for the Authorization Code Grant flow but not for the Implicit Grant flow, e.g. a JavaScript-based SPA, because no refresh token is returned in that case.)

  • Once the authorization code is available from the authorize endpoint, you go to the Azure AD token endpoint requesting a token for a single resource (using a REST call to the endpoint, or something like the ADAL library's AcquireToken method, depending on your application's requirements).
  • You get back an access token + refresh token as the response to your call to the token endpoint. The access token is valid for the resource that was mentioned in the first call (say graph.microsoft.com).
  • Then, using the refresh token you just got, you make another call to the token endpoint (REST, or ADAL AcquireTokenSilent so that there isn't a popup asking for user credentials this second time) and get a token for the second resource by specifying the 2nd resource ID in this call.
  • The access token you get this time is valid for the 2nd resource.
  • In fact you can continue doing this, hence the name "multi-resource refresh tokens" shows up in some places. Although now all refresh tokens are supposed to be multi-resource, i.e. valid for requesting any resource that your application has consent for.

Links that can help you understand this further and implement it:
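
The two-step flow the answer describes, as an added example that is not code from the answer: redeem the authorization code for the first resource, then exchange the refresh token for the second resource. The v1 token endpoint and its form parameters are the standard ones; the client id, secret, code, redirect URI, and the injectable `post` transport hook (so the sequence can be exercised offline) are assumptions.

```python
"""Get access tokens for two resources from one sign-in on the Azure AD v1
endpoints: redeem the authorization code for the first resource, then use the
refresh token from that reply to request a token for the second resource."""
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import json

# Same v1 authority as the question's authorize URL, token endpoint path
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"

def auth_code_request(client_id, client_secret, code, redirect_uri, resource):
    """Form body for the first token call: redeem the code for ONE resource."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }

def refresh_request(client_id, client_secret, refresh_token, resource):
    """Form body for the follow-up call: the refresh token for ANOTHER resource."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": resource,
    }

def post_form(body):
    """Real transport: POST x-www-form-urlencoded to the v1 token endpoint."""
    req = Request(TOKEN_ENDPOINT, data=urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req) as resp:
        return json.load(resp)

def acquire_for_resources(client_id, client_secret, code, redirect_uri,
                          resources, post=post_form):
    """Return {resource: access_token}; `post` is a hypothetical hook for tests."""
    first, *rest = resources
    reply = post(auth_code_request(client_id, client_secret, code, redirect_uri, first))
    tokens = {first: reply["access_token"]}
    refresh_token = reply["refresh_token"]  # absent in implicit flow (answer's caveat)
    for res in rest:
        reply = post(refresh_request(client_id, client_secret, refresh_token, res))
        tokens[res] = reply["access_token"]
        # Azure AD may return a rotated refresh token; keep the newest one
        refresh_token = reply.get("refresh_token", refresh_token)
    return tokens
```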
