I have a console application that I use for authenticating the user and then calling a web API. I am using this Microsoft library for acquiring token, active-directory-dotnetcore-devicecodeflow-v2, I registered both of my console application and API in Azure AD and gave the permissions and role needed based on this doc : GitHub readme, so I have permissions like below in my console app registration in Azure.
Now when I add the new scope "http://{domain}/Migratory.API/api.access" in the list of scopes and call the "AcquireATokenFromCacheOrDeviceCodeFlowAsync" method , there are some conflicts :
If I call the method for the first time, it would call the "GetTokenForWebApiUsingDeviceCodeFlowAsync" and the result does not contain my scope, it contains only the "User.Read , User.ReadBasic.All, All profile openid email", but if I call the method again, this time it would call the "AcquireTokenSilent" method and this one only has the "http://{domain}/Migratory.API/api.access" in scopes .As a result it would generate two different tokens which I don't understand why.
Any idea how should I fix this or where I am doing wrong? thanks
The first token you get is used to call ms graph api, User.Read User.ReadBasic.All profile openid email these are the permissions of graph api, so the token is obviously Not for you. Your second token is what you need.
By the way, the permissions for these two different api resources cannot appear in one token at the same time, because one token can only call one api resource.
