-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MS OAuth - making "/me" API call configurable #93
base: main
Are you sure you want to change the base?
Conversation
Sorry for the late review, happy to fix the conflicts? I would also like another review from @amandesai01 |
If you request a access_token with a custom scope from Entra ID, it is not possible to query the user info endpoint independent of the scope you provide, as the classic /me endpoint is part of the graph api and you don't have a graph api token anymore. |
Reason for change
When working with Microsoft oauth, you can either pass in MSGraph scopes like: "User.Read" or you can pass in scopes that are needed for your own resources like: "api://resources/Api.Write". However, you cannot pass in both scopes as requesting a singular token for multiple audiences is not possible (noted here and many other places). If you only pass in the scope for your custom resource, you then you get a 401 trying to call the "/me" endpoint (because the user.read scope is missing).
Changes
Other considerations
Testing
Within my personal project, I used the module locally and tested with both true/false flags on the useUser configuration key. Everything functioned as I expected it to.