Using FusionAuth to manage access tokens for multiple Microsoft accounts
-
Hi,
Would like to use FusionAuth's identity linking to manage multiple Microsoft accounts. Here's the scenario.
A user with email test@example.com is going to authenticate with an Azure AD directory, call it account A. Then they are going to configure 2 or more other Azure accounts that they are going to manage. To manage these accounts, they need to sign in and get an access token, which will then be presented by another system to the Azure accounts to do the management operations.
Can we use FusionAuth to do this? I see there is a token in the identity link docs, but don't see a way to set it.
-
There are a couple of things going on here.
First, for account A, I'd recommend setting up an OIDC identity provider for Azure AD. Doc here.
Then, there is the linking to a different account (account B, C and D). You'll want to set up identity providers for these as well.
After you do that, start the authorization process. You aren't going to want to use the hosted pages because this isn't really a login, so you'll want to build the authorize URL with the correct client id and scopes. Send the user off to that when they click 'authorize account B'. This is the 3rd party authorization mode.
Make sure you request the offline_access scope, because FusionAuth only stores refresh tokens on the OIDC identity provider link. The user will be authenticated at Account B and choose to allow the scopes you ask for.
Then, when you get the authorization code (in your controller), don't call the token endpoint. Let FusionAuth do that with the 'Complete' call.
This creates the FusionAuth identity provider link, which will store the refresh token.
Awesome. Now 5 days pass and your user wants to manage account B.
Retrieve the refresh token using the Links API, and present the refresh token to account B for an access token. (This refresh grant is not handled by FusionAuth, but you can review how you'd do it here. Make sure you are performing this grant against the account B IDP, not FusionAuth.) The access token is then presented to the resource servers that require it.
You can repeat the authorization process for account C, D, etc.
One final wrinkle. If the user shares the same email address across the accounts, you are good to go. But if they have different email addresses, make sure to set the Linking Strategy to Pending. After you complete the login, you'll get a pendingIdPLinkId. This can be used to link the user who logged into account A with the user who authorized account B, C, D, etc. A user account with email of 'foo@example.com' in account A could be linked to a user account with a userid of 1238792389 in account B and a userid of 7ce003a2-10f1-4545-bb25-6cfe2fc7d0e4 in account C. -