This commit is contained in:
Hong Ooi 2019-06-12 17:23:33 +10:00
Parent 91e08df570
Commit 2b321efb35
4 changed files with 34 additions and 8 deletions

View File

@ -20,7 +20,7 @@
#'
#' `get_managed_token` is a specialised function to acquire tokens for a _managed identity_. This is an Azure service, such as a VM or container, that has been assigned its own identity and can be granted access permissions like a regular user. The advantage of managed identities over the other authentication methods (see below) is that you don't have to store a secret password, which improves security. Note that `get_managed_token` can only be used from within the managed identity itself.
#'
#' The `resource` arg should be a single URL or GUID for AAD v1.0, and a vector of scopes for AAD v2.0. The latter consist of a URL or a GUID, along with a path that designates the scope. If a v2.0 scope doesn't have a path, `get_azure_token` will append the `/.default` path with a warning. A special scope is `offline_access`, which requests a refresh token from AAD along with the access token: without this scope, you will have to reauthenticate if you want to refresh the token.
#' The `resource` arg should be a single URL or GUID for AAD v1.0. For AAD v2.0, it should be a vector of _scopes_, where each scope consists of a URL or GUID along with a path that designates the type of access requested. If a v2.0 scope doesn't have a path, `get_azure_token` will append the `/.default` path with a warning. A special scope is `offline_access`, which requests a refresh token from AAD along with the access token: without this scope, you will have to reauthenticate if you want to refresh the token.
#'
#' For B2C logins, the `aad_host` argument can be a full URL including the tenant and arbitrary path components, but excluding the specific endpoint.
#'
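Review bot: the new wording in the `resource` paragraph says each v2.0 scope "consists of a URL or GUID along with a path", but the same paragraph then introduces `offline_access`, which has neither. Consider saying "each resource scope", or stating that `offline_access` is the exception to the URL-plus-path form, so that readers do not expect `/.default` to be appended to it. Since the path is what "designates the type of access requested", a short remark that callers should list only the access types they need would also fit here.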
@ -114,6 +114,13 @@
#' token2 <- get_azure_token(c("https://management.azure.com/.default", "offline_access"),
#' "mytenant", "app_id", version=2)
#'
#' # requesting multiple scopes (Microsoft Graph) with AAD 2.0
#' tok <- get_azure_token(c("https://graph.microsoft.com/User.Read.All",
#' "https://graph.microsoft.com/User.ReadWrite.All",
#' "https://graph.microsoft.com/Directory.ReadWrite.All",
#' "offline_access"),
#' "mytenant", "app_id", version=2)
#'
#'
#' # list saved tokens
#' list_azure_tokens()
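Review bot: the added Graph example asks for `User.ReadWrite.All` and `Directory.ReadWrite.All` alongside `User.Read.All`, which is a broad set of write permissions for a snippet that users will copy as-is. The point being shown is only that several scopes can be passed in one vector, so read-only scopes would demonstrate it equally well and leave less privilege in the resulting token. There is also a doubled empty `#'` line before `# list saved tokens`.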

View File

@ -79,7 +79,7 @@ Use these functions to authenticate with Azure Active Directory (AAD).
\code{get_managed_token} is a specialised function to acquire tokens for a \emph{managed identity}. This is an Azure service, such as a VM or container, that has been assigned its own identity and can be granted access permissions like a regular user. The advantage of managed identities over the other authentication methods (see below) is that you don't have to store a secret password, which improves security. Note that \code{get_managed_token} can only be used from within the managed identity itself.
The \code{resource} arg should be a single URL or GUID for AAD v1.0, and a vector of scopes for AAD v2.0. The latter consist of a URL or a GUID, along with a path that designates the scope. If a v2.0 scope doesn't have a path, \code{get_azure_token} will append the \code{/.default} path with a warning. A special scope is \code{offline_access}, which requests a refresh token from AAD along with the access token: without this scope, you will have to reauthenticate if you want to refresh the token.
The \code{resource} arg should be a single URL or GUID for AAD v1.0. For AAD v2.0, it should be a vector of \emph{scopes}, where each scope consists of a URL or GUID along with a path that designates the type of access requested. If a v2.0 scope doesn't have a path, \code{get_azure_token} will append the \code{/.default} path with a warning. A special scope is \code{offline_access}, which requests a refresh token from AAD along with the access token: without this scope, you will have to reauthenticate if you want to refresh the token.
For B2C logins, the \code{aad_host} argument can be a full URL including the tenant and arbitrary path components, but excluding the specific endpoint.
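Review bot: any rewording of the `resource` paragraph should be made in the roxygen `#'` comments and this Rd regenerated, not edited here, since the `\code{resource}` text is a word-for-word copy of that source. The `offline_access` exception to "a URL or GUID along with a path" applies to this copy as well.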
@ -174,6 +174,13 @@ token1 <- get_azure_token("https://management.azure.com/", "mytenant", "app_id")
token2 <- get_azure_token(c("https://management.azure.com/.default", "offline_access"),
"mytenant", "app_id", version=2)
# requesting multiple scopes (Microsoft Graph) with AAD 2.0
tok <- get_azure_token(c("https://graph.microsoft.com/User.Read.All",
"https://graph.microsoft.com/User.ReadWrite.All",
"https://graph.microsoft.com/Directory.ReadWrite.All",
"offline_access"),
"mytenant", "app_id", version=2)
# list saved tokens
list_azure_tokens()

View File

@ -123,6 +123,18 @@ test_that("Providing optional args works",
})
# should get a 'permissions requested' screen here
test_that("Providing multiple scopes works",
{
scopes <- c(paste0("https://graph.microsoft.com/",
c("User.Read.All", "Directory.Read.All", "Directory.AccessAsUser.All")),
"offline_access")
aut_tok <- get_azure_token(scopes, tenant, native_app, auth_type="authorization_code", version=2)
expect_true(is_azure_token(aut_tok))
})
test_that("Dubious requests handled gracefully",
{
badres <- "resource"
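Review bot: `expect_true(is_azure_token(aut_tok))` in "Providing multiple scopes works" only shows that a token object came back, not that the four requested scopes were carried through to it. An extra expectation comparing the token's scopes with `scopes` would catch a regression where only part of the vector is sent. The comment `# should get a 'permissions requested' screen here` also implies the test needs someone at a browser to approve the consent prompt, so it is worth stating in the test that it is interactive.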