Obtaining access tokens for multiple resources with Azure Entra #1484

Open
TeckTn opened this issue Nov 17, 2024 · 1 comment

@TeckTn
Contributor

TeckTn commented Nov 17, 2024

I have a question regarding Azure Entra (formerly Azure AD) and its handling of access tokens for multiple resources. As far as I understand, Azure Entra does not allow fetching a single access token that includes scopes for multiple resources.

For example, let's say I want to access two different APIs:

  1. A custom API that requires the scope API://xxxxxxxxxxxxx/Read.All.
  2. Microsoft Graph API, which requires the scope Mail.Send.

To obtain access tokens for these two resources, it seems necessary to make two separate authentication calls — one for each resource.

Here are my questions:

  1. Does this library support a scenario where I can get a second access token silently, without requiring the user to re-authenticate, by simply changing the requested scope?
  2. If this is supported, could you provide an example or a recommended approach to achieve this?

The goal is to ensure a smooth user experience where I can fetch additional tokens for different resources without redundant user prompts.

@guillaume-chervet
Contributor

Hi @TeckTn, yes, the library was built to handle this kind of scenario.

Log in first, and after login, log in again with another oidc-client configuration but different scopes.

The demo does this: log in from the first page, then navigate to the MultiTab page and use silentlogin:
https://black-rock-0dc6b0d03.1.azurestaticapps.net/

Silent login will soon work only on the same domain as the OIDC server because of third-party cookies (which will be blocked).
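
The approach in the reply above (one configuration per set of scopes), as an added example that is not from this thread or from the library: it splits a combined scope list into one scope string per resource, so each configuration requests a token for a single audience. The helper names, the configuration field names (`authority`, `client_id`, `scope`) and the treatment of unprefixed scopes as Microsoft Graph scopes are assumptions.

```javascript
// Added example: every function and constant name here is a hypothetical helper.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);
// Assumption: unprefixed scopes such as Mail.Send belong to Microsoft Graph.
const GRAPH = "https://graph.microsoft.com";

// Resource (token audience) a scope belongs to; null for OIDC protocol scopes.
function resourceOf(scope) {
  if (OIDC_SCOPES.has(scope)) return null;
  const scheme = scope.indexOf("://");
  if (scheme === -1) return GRAPH;
  const cut = scope.lastIndexOf("/");
  if (cut <= scheme + 2) throw new Error(`scope has no permission name: ${scope}`);
  return scope.slice(0, cut).toLowerCase(); // used as a grouping key only
}

// Group a space-separated scope string into one scope string per resource.
// OIDC scopes are repeated in every group because they are not resource-bound.
function splitScopesByResource(scopeString) {
  const shared = [];
  const byResource = new Map();
  for (const scope of scopeString.split(/\s+/).filter(Boolean)) {
    const resource = resourceOf(scope);
    if (resource === null) { shared.push(scope); continue; }
    if (!byResource.has(resource)) byResource.set(resource, []);
    byResource.get(resource).push(scope);
  }
  const result = new Map();
  for (const [resource, scopes] of byResource) {
    result.set(resource, [...shared, ...scopes].join(" "));
  }
  return result;
}

// One client configuration per resource, differing only in `scope`.
function buildConfigurations(base, scopeString) {
  return [...splitScopesByResource(scopeString)].map(([resource, scope]) => ({
    resource,
    configuration: { ...base, scope },
  }));
}

// Constructed sample input: placeholder authority and client id, plus the two
// scopes from the question above.
const configs = buildConfigurations(
  { authority: "https://login.example/placeholder-tenant/v2.0", client_id: "placeholder-client-id" },
  "openid profile API://xxxxxxxxxxxxx/Read.All Mail.Send offline_access"
);
console.log(configs.map((c) => `${c.resource} -> ${c.configuration.scope}`));
```

Each returned configuration carries scopes for exactly one resource, so a token issued for the custom API is never presented to Microsoft Graph or the reverse.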
