IdentityServer3 Microsoft Graph scopes and flow


My solution has been working fine authenticating against Azure AD via IdentityServer3. Now we're trying to integrate some Microsoft Graph features. Sadly, it's failing miserably.

Running through one of the demo projects (https://graph.microsoft.io/en-us/docs/get-started/aspnetmvc), the documentation details the registration of a new application at the Microsoft App Registration Portal (https://apps.dev.microsoft.com) and explicitly tells you to allow implicit flow for the application:

Make sure the Allow Implicit Flow check box is selected, and enter http://localhost:55065/ as the Redirect URI. The Allow Implicit Flow option enables the OpenID Connect hybrid flow. During authentication, this enables the app to receive both sign-in info (the id_token) and artifacts (in this case, an authorization code) that the app uses to obtain an access token.

Of course, we already have an application registered on our production portal of Azure that does our authentication, and for our Client in IdentityServer3 we have the flow set as Flow = Flows.Implicit, which would seem to indicate that we're not only allowing implicit flow, but expecting implicit flow.

When I add in the additional scopes (offline_access User.Read Mail.Send), I'm no longer able to successfully authenticate; instead, I'm receiving an error stating Invalid Scope.

My concern is that the "Microsoft App Registration Portal" is just different enough from real life that something is not being set properly. There's no specific "Allow Implicit Flow" setting on the production Azure App Registration, so is it really accepting implicit flow?

Has anyone had any luck integrating these two systems and receiving the desired results of full utilization of Microsoft Graph from a single authentication against Azure AD utilizing IdentityServer3?

Answer by Ryan Pangrle

Enabling the implicit grant flow in the Azure AD Registration portal requires adding "oauth2AllowImplicitFlow":true in your app manifest. The "Enabling OAuth 2.0 implicit grant for Single Page Applications" section of this document has detailed step-by-step directions on how to do that:

https://learn.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications

Additionally, implicit grant flows will not give you a refresh token, and the offline_access scope is specifically asking for a refresh token. I would suggest removing that scope.

Here's a good doc for more reading on the details of implicit grant on AAD:

https://learn.microsoft.com/en-us/azure/active-directory/active-directory-dev-understanding-oauth2-implicit-grant
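The two points in the answer above, enabling the implicit grant in the app manifest and keeping offline_access out of an implicit-flow scope request, are easy to get wrong silently, so here is a small pre-deployment check written for this thread. It is added example code, not from the question, the answer, IdentityServer3 or Microsoft. The manifest fragment and the scope strings are constructed sample values; the flow labels ("implicit", "code", "hybrid") are this example's own names for the client's grant type, and the check models only what the answer states: implicit flow issues no refresh token, so offline_access is pointless there, and the manifest must carry "oauth2AllowImplicitFlow": true.

```python
import json
from typing import Dict, List

# Constructed sample manifest fragment (placeholder appId, not a real tenant's app).
# This is the "before" state: the implicit grant is still disabled.
MANIFEST_BEFORE = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "oauth2AllowImplicitFlow": false,
  "replyUrls": ["http://localhost:55065/"]
}"""

# Scopes that only make sense when the client can redeem a code at the token
# endpoint (code / hybrid flows). offline_access requests a refresh token, which
# the implicit grant never returns.
IMPLICIT_INCOMPATIBLE = {"offline_access"}


def implicit_flow_enabled(manifest_json: str) -> bool:
    """True only when the manifest explicitly sets oauth2AllowImplicitFlow to true."""
    manifest = json.loads(manifest_json)
    return manifest.get("oauth2AllowImplicitFlow") is True


def enable_implicit_flow(manifest_json: str) -> str:
    """Return the manifest with the implicit grant switched on (the 'after' state)."""
    manifest = json.loads(manifest_json)
    manifest["oauth2AllowImplicitFlow"] = True
    return json.dumps(manifest, indent=2)


def parse_scopes(scope_param: str) -> List[str]:
    """Split a space-separated OAuth scope parameter, dropping duplicates but keeping order."""
    seen = set()
    ordered = []
    for scope in scope_param.split():
        if scope not in seen:
            seen.add(scope)
            ordered.append(scope)
    return ordered


def check_scopes(scope_param: str, flow: str) -> Dict[str, object]:
    """Lint a scope request for the given flow.

    Returns the problems found and a cleaned scope string that drops any scope
    the implicit grant cannot honour.
    """
    scopes = parse_scopes(scope_param)
    problems: List[str] = []

    # An OpenID Connect sign-in (the id_token the question relies on) needs 'openid'.
    if "openid" not in scopes:
        problems.append("scope list lacks 'openid'; no id_token will be issued")

    kept: List[str] = []
    for scope in scopes:
        if flow == "implicit" and scope in IMPLICIT_INCOMPATIBLE:
            problems.append(
                f"'{scope}' requests a refresh token, which the implicit grant does not issue"
            )
            continue
        kept.append(scope)

    return {"problems": problems, "scope": " ".join(kept)}


if __name__ == "__main__":
    print("implicit enabled before:", implicit_flow_enabled(MANIFEST_BEFORE))
    fixed = enable_implicit_flow(MANIFEST_BEFORE)
    print("implicit enabled after: ", implicit_flow_enabled(fixed))
    report = check_scopes("openid profile offline_access User.Read Mail.Send", "implicit")
    for problem in report["problems"]:
        print("problem:", problem)
    print("scope to send:", report["scope"])
```

Run the manifest check against the JSON exported from the portal and the scope check against the exact string your client sends; if the report lists a problem, fix the configuration rather than retrying the sign-in. The same check with flow set to "code" or "hybrid" keeps offline_access, since those flows can redeem a refresh token.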