Get OIDC token from the dashboard

Did you manage to get anywhere with this out of interest, Adam?

I might be barking up the wrong tree here (torn between bumping this thread or this one: oAuth v2.0 - Connecting to the PartnerCenter !) so please shoot me if I’m looking in totally the wrong direction.

I’ve got users authenticating via AzureAD and so have a token in $AccessToken they can query Graph with, get their profile back or query AzureAD - all works wonderfully.

"OIDC": {
        "Enabled": "true",
        "CallbackPath": "/auth/signin-oidc",
        "ClientID": [myappid],
        "ClientSecret": [mysecret],
        "Resource": "https://graph.microsoft.com",
        "Authority": "https://login.microsoftonline.com/[mytenant]",
        "ResponseType": "id_token token",
        "SaveTokens": "true",
        "Scope": "openid profile groups offline_access",
        "UseTokenLifetime": "true",
        "GetUserInfo": "false"
      },

Now I need to work out how to get them a token for the Azure DevOps API (same authority, different scope) - I can do this from my console by running something like Get-MsalToken:

# Placeholders in [brackets] are quoted so the hashtable parses; substitute real values.
$connectionDetails = @{
    'TenantId'    = '[mytenant]'
    'ClientId'    = '[myappid]'
    'Interactive' = $true   # opens a sign-in prompt in the caller's own session
    'Scopes'      = @('499b84ac-1321-427f-aa17-267ca6975798/user_impersonation') # Azure DevOps resource ID + delegated scope
}
$token = Get-MsalToken @connectionDetails

But that puts the user through Interactive Login so when I run it in PSU (running under App Service) it just quietly dies in the background, never producing the prompt.

Feels like there should be some way I can pass $IdToken somewhere to get a new access token without the user re-authenticating?

Any bright ideas gratefully accepted - been banging my head against this wall for a little while now… pretty sure it's just my novice-level OAuth letting me down! :grinning_face_with_smiling_eyes:
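Added example, not from the post above and not PowerShell Universal's own code: one way to mint an Azure DevOps token for the signed-in user without a second interactive login. An ID token is an identity assertion addressed to your client app, not a grant, so no Azure AD flow turns $IdToken into an access token; the on-behalf-of flow does not fit either, because the saved $AccessToken has Graph as its audience and Azure AD only accepts OBO assertions whose audience is your own app. What does work is a refresh token. The implicit response type in the OIDC block (`id_token token`) never returns one, so this assumes the block is switched to the authorization code flow (`"ResponseType": "code"`, keeping `offline_access` in Scope) and that the saved refresh token is available as `$RefreshToken` (how PSU exposes it is not shown in the thread, so treat the name as a placeholder). Azure AD v2.0 refresh tokens are not bound to a single resource, so the same refresh token can be posted to the token endpoint asking for the Azure DevOps scope, provided the app registration has the Azure DevOps `user_impersonation` delegated permission consented; without that consent the endpoint returns an error body instead of a token. `[mytenant]`, `[myappid]`, `[mysecret]` and `[myorg]` stay placeholders as in the post.

```powershell
# Added example (not from the original post or PSU): refresh-token grant for a
# second resource, plus an audience check before the token is used.
# Assumes the OIDC sign-in used the authorization code flow so a refresh token
# was saved, and that $RefreshToken holds it (placeholder variable name).

$DevOpsAppId = '499b84ac-1321-427f-aa17-267ca6975798'   # well-known Azure DevOps resource ID

function Get-AzureDevOpsAccessToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $RefreshToken
    )

    # v2.0 token endpoint under the same authority the OIDC block already uses.
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
        # Same scope Get-MsalToken asked for; offline_access so a rotated refresh token comes back.
        scope         = "$DevOpsAppId/user_impersonation offline_access"
    }

    try {
        Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body `
            -ContentType 'application/x-www-form-urlencoded'
    }
    catch {
        # Azure AD puts the reason (e.g. invalid_grant, consent missing) in the JSON error body.
        throw "Token request failed: $($_.ErrorDetails.Message)"
    }
}

function Get-JwtPayload {
    # Decode the payload segment of a compact JWT. No signature check here: the token
    # arrived straight from the token endpoint over TLS; this only inspects claims.
    param([Parameter(Mandatory)] [string] $Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$tokenResponse = Get-AzureDevOpsAccessToken -TenantId '[mytenant]' -ClientId '[myappid]' `
    -ClientSecret '[mysecret]' -RefreshToken $RefreshToken

# Refuse to use the token unless it was really issued for Azure DevOps. Tokens requested
# through the v2.0 endpoint with an app-ID scope carry the GUID; the v1.0 resource URI
# form is accepted too in case the tenant hands that back.
$claims = Get-JwtPayload -Jwt $tokenResponse.access_token
if ($claims.aud -ne $DevOpsAppId -and $claims.aud -ne 'https://app.vssps.visualstudio.com') {
    throw "Expected an Azure DevOps audience, got $($claims.aud)"
}

# Keep the rotated refresh token if one came back; do not keep reusing the old one.
if ($tokenResponse.refresh_token) { $RefreshToken = $tokenResponse.refresh_token }

$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
Invoke-RestMethod -Uri 'https://dev.azure.com/[myorg]/_apis/projects?api-version=7.0' -Headers $headers
```

Because this runs server-side under the App Service identity rather than in the user's browser, the client secret and the refresh token are the sensitive material: keep both out of logs and script output, and treat a returned `refresh_token` as a replacement for the one you sent.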