Different scopes for multiple APIs

According to the official API documentation (Authentication API Explorer), we should be able to authorise with a set of scopes, and then use the returned refresh token to retrieve an access token with a sub-set of those scopes.

Unfortunately my experimentation with the library suggests it does not support this use-case (when using the refreshTokens option, anyway). If I pass a set of scopes in when I create the client, then supply a restricted set of scopes in the call to getAccessTokenSilently, the token returned is the same for all sub-sets of scopes.

I suspect the client scopes are acting as global scopes, which is not what I want, given the principle of lowest required privilege.

If I avoid using the refreshToken option, and don’t provide the scopes to the client, then things work as expected in browsers that support third party cookies. Unfortunately this is not really an option for us, as we need to support most major browsers, and would prefer to stay away from the custom domain workaround, if possible.

Is there any way I can use this library to retrieve a different set of scopes for different APIs that my web app needs to call, or do I need to roll my own implementation?

Thanks,
Erlend
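As an added example (not code from the original post, nor from the Auth0 SDK), here is a check a SPA can run on the token it receives back from a narrowed-scope request, to detect the over-broad grant described above: it decodes the JWT payload and lists any scopes present that were not requested. It assumes a JWT-format access token carrying a space-separated `scope` claim, runs under Node (uses `Buffer`), and builds its own unsigned sample tokens locally, so no SDK or network call is involved.

```javascript
// Added example: detect scopes in a returned access token that were not requested.
// Assumes the token is a JWT whose payload has a space-separated "scope" claim.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> base64, then restore padding before decoding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Scopes granted in the token but absent from the scope string we asked for.
// An empty array means the token matches the least-privilege request.
function excessScopes(token, requestedScope) {
  const requested = new Set(requestedScope.split(/\s+/).filter(Boolean));
  const granted = (decodeJwtPayload(token).scope || '').split(/\s+/).filter(Boolean);
  return granted.filter((s) => !requested.has(s));
}

// Constructed, unsigned sample token (alg "none", empty signature) for the demo only;
// a real token from the SDK would be signed and validated by the API, not here.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Hypothetical scope set configured on the client at creation time.
const CLIENT_SCOPE = 'openid profile read:orders write:orders';
// The symptom described in the post: a request for a subset still yields the full set.
const observed = makeSampleToken({ sub: 'user123', aud: 'orders-api', scope: CLIENT_SCOPE });
console.log(excessScopes(observed, 'openid read:orders')); // [ 'profile', 'write:orders' ]
// What a correctly narrowed token would look like.
const narrowed = makeSampleToken({ sub: 'user123', aud: 'orders-api', scope: 'openid read:orders' });
console.log(excessScopes(narrowed, 'openid read:orders')); // []
```

Running this check once per API client at startup (and failing loudly when the array is non-empty) turns the silent over-grant into a visible configuration error.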

Hi @erlend.powell , welcome to the community!

I’m afraid that currently the SPA SDK does not support passing scopes with getAccessTokenSilently when refresh tokens are used - but I know this is a feature that has been requested in the past and so it may be considered for future releases.

I would recommend raising this as a feature request at our product feedback portal to help increase its priority with our Product team:
