Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get multiple bearer token for multiple scopes #83

Open
plemm98 opened this issue Dec 22, 2020 · 1 comment
Open

Get multiple bearer token for multiple scopes #83

plemm98 opened this issue Dec 22, 2020 · 1 comment

Comments

@plemm98
Copy link

plemm98 commented Dec 22, 2020

Hi,

In the "Index" method of the "TasksController", there is an exemple on how to retrieve a bearer token for the "https://fabrikamb2c.onmicrosoft.com/tasks/read" scope. It's working perfectly.

Now, let's add a little twist. Instead of retrieving only one bearer token, let's say i want to retrieve two bearers token but with different scope :

Ex : https://app1.onmicrosoft.com/tasks/read and https://app2.onmicrosoft.com/car/write

My understanding is that the authorization code receive in the "OnAuthorizationCodeReceived" method of the "Startup" class can only be use once to obtain a bearer token for one of the previous scope. If you try to use it more then once, the second "access_token" will be null.

In the method, this code return a valid access_token for the first scope

            var scope = new string[] { Globals.ReadTasksScope };
            
            IConfidentialClientApplication cca = MsalAppBuilder.BuildConfidentialClientApplication();
            var accounts = await cca.GetAccountsAsync();
			AuthenticationResult result = await cca.AcquireTokenSilent(scope, accounts.FirstOrDefault()).ExecuteAsync();
            
            HttpClient client = new HttpClient();
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, apiEndpoint);

            // Add token to the Authorization header and make the request
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

Since the access_token already exist in the msal cache, no call is record in fiddler to retrieve the access token.

Then, I try to use this code to retrieve the second access_token

            var scope2 = new string[] { "https://merveilleuxb2c.onmicrosoft.com/FAKE_INFO/Task2" };
            var claimsPrincipal = ClaimsPrincipal.Current;
            var objIdclaim = claimsPrincipal.FindFirst(ClaimTypes.NameIdentifier);

            string signedInUserID = objIdclaim.Value;

            IConfidentialClientApplication clientapp = ConfidentialClientApplicationBuilder.Create(Globals.ClientId)
                  .WithClientSecret(Globals.ClientSecret)
                  .WithRedirectUri(Globals.RedirectUri)
                  .WithB2CAuthority(Globals.B2CAuthority)
                  .Build();
            new MSALPerUserMemoryTokenCache(clientapp.UserTokenCache, ClaimsPrincipal.Current);

            var accounts2 = await cca.GetAccountsAsync();
            AuthenticationResult result2 = await clientapp.AcquireTokenSilent(scope2, accounts.FirstOrDefault()).ExecuteAsync();

This time, in fiddler, there is an API call to the /token endpoint using the refresh_token found in the msal cache. But, the access_token return is null.

So, using the refresh_token, is it possible to retrieve additional scope for multiple web api? If not, how can I achieve this?

Best regards,

@jmprieur
Copy link
Contributor

jmprieur commented Jan 4, 2021

@nickgmicrosoft

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants