I want to query a user's groups. According to https://graph.microsoft.io/en-us/docs/platform/rest I do the following steps:
1) Get Code
https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=<MY_CLIENT_ID>&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
response_mode=query&
nonce=F8GtCajiXYKcGBtw&
scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All%20Group.Read.All&
resource=https%3A%2F%2Fgraph.microsoft.com%2F&
state=HTlUWuV5su%2BG4zBE#
Note: 3 scopes are provided (openid, Group.Read.All, https://graph.microsoft.com/Group.Read.All)
and then I log in, and AAD responds to my web site:
http://localhost:3000/auth/openid/return?
code=<Received_Code>&
id_token=<Received_id_Token>&
state=xxxx&
session_state=yyy
2) Get access_token
POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=Received_Code_from_step_1
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn
&resource=https%3A%2F%2Fgraph.microsoft.com%2F
&client_id=
&client_secret=
and this returns JSON
{
"token_type":"Bearer",
"scope":"User.Read",
"resource":"https://graph.microsoft.com/",
"access_token":<Access_token_in_here>,
... other fields
}
Note: Only User.Read scope is returned
I use the access_token from step 2) to do the queries:
- Query User is OK: https://graph.microsoft.com/v1.0/me/
- Query Group is forbidden: https://graph.microsoft.com/v1.0/me/memberOf returns the error 'Insufficient privileges to complete the operation.'
So why do I request permission for 3 scopes but get permission for only one scope?
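A diagnostic for the situation described in the question, added here as an example and not part of the original post: decode the access token's payload (inspection only, no signature validation) and compare its scp claim against the delegated scope each Graph call needs. The sample token is constructed to carry only User.Read, matching the "scope":"User.Read" in the token response, so it reports Group.Read.All as missing for /me/memberOf; the required-scope table is an assumption based on the two calls in the question.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_scopes(access_token):
    """Return the delegated scopes in the token's scp claim (as a set).

    This only parses the payload for inspection; it does NOT verify the
    signature and must not be used to make authorization decisions.
    """
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("scp", "").split())


# Assumed delegated permission each Graph call from the question needs.
REQUIRED_SCOPES = {
    "/v1.0/me": {"User.Read"},
    "/v1.0/me/memberOf": {"Group.Read.All"},
}


def missing_scopes(access_token, endpoint):
    """Scopes the endpoint needs that the token does not carry."""
    return REQUIRED_SCOPES[endpoint] - token_scopes(access_token)


def diagnose(access_token):
    """Map each endpoint to its missing scopes (empty set means call should pass)."""
    return {ep: missing_scopes(access_token, ep) for ep in REQUIRED_SCOPES}


def make_sample_token(scp):
    # Constructed, unsigned JWT-shaped token for offline testing only.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com/", "scp": scp})
    return header + "." + payload + ".placeholder-signature"


if __name__ == "__main__":
    # Token granted only User.Read, as in the token response above.
    print(diagnose(make_sample_token("User.Read")))
```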