Microsoft-identity-web: [FEATURE REQ] : Passing scopes to EnableTokenAcquisitionToCallDownstreamApi() vs AddMicrosoftGraph()

Created on 20 Jan 2021  路  4Comments  路  Source: AzureAD/microsoft-identity-web

We need to streamline and document the right way to pass scopes to EnableTokenAcquisitionToCallDownstreamApi() vs AddMicrosoftGraph()

What is the difference between passing scopes to EnableTokenAcquisitionToCallDownstreamApi vs AddMicrosoftGraph
Which one should be used?

            //Sign -in users with the Microsoft identity platform(MSAL)
            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddMicrosoftGraph(defaultScopes: "User.Read User.ReadBasic.All")
                .AddInMemoryTokenCaches();
            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes: new string[] { "User.Read", "User.ReadBasic.All" })
                .AddMicrosoftGraph()
                .AddInMemoryTokenCaches();

Can we change AddMicrosoftGraph() to accept an array of scopes instead of scopes separated by space?

.AddMicrosoftGraph(defaultScopes: new string[] { "User.Read", "User.ReadBasic.All" })
P2 enhancement spec'ing supportability

Most helpful comment

Thanks @KalyanChanumolu-MSFT for the update
We can have a override to AddMicrosoftGraph to accept an array of scopes (even with a params)

@jennyf19 proposing to do something about this one.

All 4 comments

@KalyanChanumolu-MSFT
Thanks for the heads-up
The former uses a property which is rather used in the configuration. The second indeed, pre-requests the scopes
We might want to improve this to make it more consistent

Note, however, that you shouldn't have an infinite loop. Did you use the [AuthorizeForScopes] attribute in your controller or pages ? See https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access

Adding an enhancement label, so that we try to register the initialScopes if not passed to EnableTokenAcquisitionToCallDownstreamApi (if possible)

@jmprieur The infinite loop is happening because of an unrelated issue with MyApps where revoked consent is not getting applied. I will edit the title.

But we need to streamline and document the difference in passing scopes to the 2 methods
Can we change AddMicrosoftGraph() to accept an array of scopes instead of scopes separated by space?

.AddMicrosoftGraph(defaultScopes: new string[] { "User.Read", "User.ReadBasic.All" })

Thanks @KalyanChanumolu-MSFT for the update
We can have a override to AddMicrosoftGraph to accept an array of scopes (even with a params)

@jennyf19 proposing to do something about this one.

Was this page helpful?
0 / 5 - 0 ratings