查看訪問令牌中的2個不同API的組合範圍

Question

我們有一個AAD應用程序，直到最近才需要MS Graph API權限。現在它需要MS Graph API和AAD API權限。該應用程序具有確定用戶何時需要重新同意的過程。在添加AAD API權限之前，重新同意過程將通過解析MS Graph API訪問令牌來確定是否需要重新同意以獲取其範圍。然後，它會將這些範圍與應用程序中包含的靜態列表進行比較。如果任何所需的權限不屬於訪問令牌範圍的一部分，則用戶被重定向到同意頁面以重新同意。通過添加AAD API權限，應用程序請求和AAD API訪問令牌使用適當的AAD資源。但是，似乎兩個API相關的作用域都包含在MS Graph訪問令牌和AAD訪問令牌中。

代碼以獲得訪問令牌：

Notifications = new OpenIdConnectAuthenticationNotifications() 
{ 
    AuthorizationCodeReceived = async (context) => 
    { 
     var code = context.Code; 

     // retriever caller data from the incoming principal 
     string claimClientId = Claim.Value(context.AuthenticationTicket.Identity.Claims, Claim.Type.ClientId); 

     string upn = Claim.Value(context.AuthenticationTicket.Identity.Claims, ClaimTypes.Name); 
     string officeTenantId = Claim.Value(context.AuthenticationTicket.Identity.Claims, Claim.Type.OfficeTenantId, upn); 

     //Obtain MS Graph API Access Token 
     Credential = new ClientCredential(ClientId, AppKey); 
     var signedInUserId = Claim.Value(context.AuthenticationTicket.Identity.Claims, ClaimTypes.NameIdentifier); 
     AuthenticationContext authContext = new AuthenticationContext($"{LoginEndpoint}/{officeTenantId}", new RedisTokenCache(signedInUserId)); 
     AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), Credential, GraphResourceId); 
     //Obtain AAD Graph API Access Token 
     AuthenticationResult aadResult = await authContext.AcquireTokenByAuthorizationCodeAsync(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), Credential, AadGraphResourceId); 
… 

斯科普斯我找回：

• 資源= graph.windows.net，範圍= Directory.AccessAsUser.All Directory.ReadWrite。 All Files.ReadWrite.All，Group.ReadWrite.All，profile，User.Read
• Resource = graph.microsoft.com，Scopes = Directory.AccessAsUser.All，Directory.ReadWrite.All，Files.ReadWrite.All，Group .ReadWrite.All，個人資料，User.Read

斯科普斯我期待：

• 資源= graph.windows.net，範圍= Directory.AccessAsUser.All，User.Read
• 資源= graph.microsoft.com，範圍=目錄.ReadWrite.All，Files.ReadWrite.All，Group.ReadWrite.All，型材，User.Read

基於我所看到的，它看起來像這兩個資源獲取與所有API的用戶相關聯的範圍同意。這是預期的行爲？如何爲每個資源獲取單獨的範圍列表？

下面是從MS圖形瀏覽器，AAD圖形瀏覽器和解碼器JWT一些輸出：

//Service Principal for my test app 
{ 
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element", 
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal", 
    "objectType": "ServicePrincipal", 
    "objectId": "2f9f4cf5-7576-42c9-8f9d-c1c3e6e63b4d", 
    "appDisplayName": "My Test App", 
} 

//Service Principal for MS Graph API 
{ 
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element", 
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal", 
    "objectType": "ServicePrincipal", 
    "objectId": "4036b7c7-c9b0-447f-a5d8-18794d0d2a23", 
    "appDisplayName": "Microsoft Graph", 
    "appId": "00000003-0000-0000-c000-000000000000", 
} 

//Service Principal for AAD API 
{ 
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element", 
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal", 
    "objectType": "ServicePrincipal", 
    "objectId": "aeb2d60b-0681-40f5-abe9-e0e66e793f3e", 
    "appDisplayName": "Windows Azure Active Directory", 
    "appId": "00000002-0000-0000-c000-000000000000", 
} 

//oAuth2PermissionGrants for user 
{ 
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#oauth2PermissionGrants", 
    "value": [ 
     { 
      "clientId": "2f9f4cf5-7576-42c9-8f9d-c1c3e6e63b4d", 
      "consentType": "Principal", 
      "expiryTime": "2018-03-30T21:31:15.7114922Z", 
      "id": "9UyfL3Z1yUKPncHD5uY7TQvWsq6BBvVAq-ng5m55Pz6rJZQ8BUBCT5nGOphIZSeR", 
      "principalId": "3c9425ab-4005-4f42-99c6-3a9848652791", 
      "resourceId": "aeb2d60b-0681-40f5-abe9-e0e66e793f3e", 
      "scope": "User.Read Directory.AccessAsUser.All", 
      "startTime": "0001-01-01T00:00:00Z" 
     }, 
     { 
      "clientId": "2f9f4cf5-7576-42c9-8f9d-c1c3e6e63b4d", 
      "consentType": "Principal", 
      "expiryTime": "2018-03-30T21:31:15.7114922Z", 
      "id": "9UyfL3Z1yUKPncHD5uY7Tce3NkCwyX9EpdgYeU0NKiOrJZQ8BUBCT5nGOphIZSeR", 
      "principalId": "3c9425ab-4005-4f42-99c6-3a9848652791", 
      "resourceId": "4036b7c7-c9b0-447f-a5d8-18794d0d2a23", 
      "scope": "profile Files.ReadWrite.All Directory.ReadWrite.All Group.ReadWrite.All User.Read", 
      "startTime": "0001-01-01T00:00:00Z" 
     } 
    ] 
} 

//Access tokens granted to user after sign-in 
{ 
    "aud": "https://graph.windows.net", 
    "scp": "Directory.AccessAsUser.All Directory.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All profile User.Read", 
} 
{ 
    "aud": "https://graph.microsoft.com", 
    "scp": "Directory.AccessAsUser.All Directory.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All profile User.Read", 
} 

Answer 1

當你請求，你會想用資源標識符的前綴範圍的範圍。

對於Azure AD Graph API，這是https://graph.windows.net/，對於Microsoft Graph API，它是https://graph.microsoft.com/。您完整範圍的要求應該是這個樣子

&scope=https%3A%2F%2Fgraph.windows.net%2FDirectory.AccessAsUser.All+https%3A%2F%2Fgraph.windows.net%2FUser.Read+https%3A%2F%2Fgraph.microsoft.com%2FDirectory.ReadWrite.All+https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All+https%3A%2F%2Fgraph.microsoft.com%2FGroup.ReadWrite.All+https%3A%2F%2Fgraph.microsoft.com%2Fprofile+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read