auth.js Entra ID - different resource identifiers
Answered
Yacare Caiman posted this in #help-forum
Yacare CaimanOP
Hey, I have an application where I want resources from https://graph.microsoft.com/ and also https://management.azure.com/. The thing is that the second resource identifier requires the user to sign in with MFA. So if the user signs in without MFA, for the first resource identifier (Microsoft Graph), then the refresh token cannot be used to get an access token into ARM. How would you deal with this sign-in flow? Ideally, I'd set something in the auth provider properties so that the login would require MFA every time and then the request to get the access token wouldn't fail. Unfortunately I wasn't able to find any such configuration.
Answered by Yacare Caiman
Okay, I think I got it. The resource identifier with the requested scope should also be in the initial request.

```js
import NextAuth from "next-auth";
import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";

// Scope for Azure Resource Manager. The host part of the scope is the resource
// identifier; Entra's v2 endpoint issues each access token for one resource.
const MICROSOFT_ARM_TOKEN_SCOPE =
  'https://management.azure.com/user_impersonation';

// Assumed to be read from the environment, in the form
// https://login.microsoftonline.com/<tenant-id>/v2.0
const AUTH_MICROSOFT_ENTRA_ISSUER = process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER;

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      issuer: AUTH_MICROSOFT_ENTRA_ISSUER,
      authorization: {
        params: {
          // Asking for the ARM scope at sign-in makes Entra apply the MFA
          // requirement for that resource during the interactive login, so the
          // refresh token issued here can later be redeemed for ARM tokens.
          // 'offline_access' is the scope that yields the refresh token.
          scope:
            'openid offline_access profile email ' + MICROSOFT_ARM_TOKEN_SCOPE,
          // Not an Entra parameter (Google-style); harmless, offline_access above does the work.
          access_type: 'offline'
        }
      }
    })
  ]
});
```
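The other half of the flow, as an added example that is not part of the original post or of Auth.js: once the sign-in above has produced a refresh token, that single refresh token is redeemed at the Entra v2 token endpoint once per resource, because each token request may only name scopes of one resource. The example assumes the v2 token endpoint request and response shape, a constructed tenant ID, a constructed `fakeTokenEndpoint` standing in for `fetch` so it runs offline, and that a Conditional Access MFA requirement surfaces as an `interaction_required` error, which the caller turns into a "sign in again" signal rather than a crash.

```javascript
// Added example: one Entra refresh token, one access token per resource.
// Not from the original post; see the lead-in for the assumptions made.

const TENANT_ID = "common"; // assumption: replace with your tenant ID
const TOKEN_ENDPOINT =
  `https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`;

// One entry per resource. The origin of the scope URI is the resource identifier.
const RESOURCE_SCOPES = {
  graph: "https://graph.microsoft.com/User.Read",
  arm: "https://management.azure.com/user_impersonation",
};

// Entra's v2 endpoint rejects a request whose scopes span several resources;
// failing client-side gives a clearer error than the endpoint's response.
function assertSingleResource(scope) {
  const resources = new Set(
    scope.split(/\s+/).filter((s) => s.includes("://")).map((s) => new URL(s).origin)
  );
  if (resources.size > 1) {
    throw new Error(`scope spans multiple resources: ${[...resources].join(", ")}`);
  }
}

function buildRefreshRequest({ clientId, clientSecret, refreshToken, scope }) {
  assertSingleResource(scope);
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    scope,
  });
}

// session: { refreshToken, tokens: { [resource]: { accessToken, expiresAt } } }
// Resolves to { status: "ok" | "reauth_required" | "error", ... }.
async function getAccessTokenFor(resource, session, creds,
                                 fetchImpl = globalThis.fetch, now = Date.now) {
  const scope = RESOURCE_SCOPES[resource];
  if (!scope) throw new Error(`unknown resource: ${resource}`);

  const cached = session.tokens[resource];
  if (cached && cached.expiresAt - 60_000 > now()) {
    return { status: "ok", accessToken: cached.accessToken, source: "cache" };
  }

  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildRefreshRequest({ ...creds, refreshToken: session.refreshToken, scope }),
  });
  const json = await res.json();

  if (!res.ok) {
    // A Conditional Access MFA requirement the original sign-in did not satisfy
    // cannot be met silently: the refresh token is valid but this resource needs
    // a new interactive sign-in that includes its scope.
    if (json.error === "interaction_required") {
      return { status: "reauth_required", resource, description: json.error_description };
    }
    return { status: "error", error: json.error, description: json.error_description };
  }

  session.tokens[resource] = {
    accessToken: json.access_token,
    expiresAt: now() + json.expires_in * 1000,
  };
  // Entra may rotate the refresh token on each redemption; keep the newest one.
  if (json.refresh_token) session.refreshToken = json.refresh_token;
  return { status: "ok", accessToken: json.access_token, source: "token_endpoint" };
}

// Constructed stand-in for the token endpoint so the flow runs offline.
// mfaSatisfied=false models a session whose sign-in did not include the ARM scope.
function fakeTokenEndpoint({ mfaSatisfied }) {
  return async (_url, { body }) => {
    const scope = body.get("scope");
    if (scope.startsWith("https://management.azure.com/") && !mfaSatisfied) {
      return {
        ok: false,
        json: async () => ({
          error: "interaction_required",
          error_description: "constructed: MFA required for this resource",
        }),
      };
    }
    return {
      ok: true,
      json: async () => ({
        token_type: "Bearer",
        expires_in: 3600,
        access_token: `at-${new URL(scope).host}-${body.get("refresh_token")}`,
        refresh_token: "rt-rotated",
      }),
    };
  };
}
```

In a Next.js route you would call `getAccessTokenFor("arm", session, creds)` with the real `fetch` and, on `reauth_required`, redirect the user to `signIn()` with the ARM scope in the authorization params as shown in the answer above, instead of retrying the refresh.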