I would like to be able to modularize my app in such a way that users do not need to grant consent for all resources during registration.
Let's say I have a Calendar + Contacts management app. The Calendar module needs read/write permissions to the user's calendar and the Contacts module needs read permission to the user's contact book. Let's say for the sake of simplicity that I want to access that data through the same API - Microsoft Graph.
Can I ask the user to consent to the Calendar module, granting me read/write access to his or her calendar, and at some later point ask consent for the user's contact book, and only the contact book, without breaking the consent given to the user's calendar?
I would like to implement this using App Registrations in Azure, but if there is a way of achieving this without App Registrations, I would also like to know.
I have looked around and it seems to me that the only way of doing this is to have multiple different apps (in the OAuth tenant), with different permissions sets, and granting consent for each app separately.
Normally in OAuth, you use scopes and step-up authorization for that.
Your app should have permissions configured for both the Calendar and Contacts. Then, when running the authorization code flow you can use the scope parameter to ask for a token that will only have access to the user's calendar. The user should see a consent screen where only the calendar access is listed.
Then, later on, when you need access to contacts, you will have to run a new authorization code flow, this time asking for a scope for contacts (or both the calendar and contacts if you want to use one token to call the different APIs). The user will now see a new consent screen where she will have to give your app access to her contacts. Not sure how it will work when you ask for both scopes here, whether Azure will show a consent screen with all the scopes or only the ones to which the user hasn't consented yet.
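An added example (not code from the question or the answer) of the step-up flow described above, in Python against the Microsoft identity platform v2.0 authorize endpoint: the first request asks only for the Calendar scope, and when the Contacts module is needed the app works out which scopes the existing token lacks and asks for only those. The client id, redirect URI and token response are constructed placeholders; the code builds the authorization request URLs and checks granted scopes but does not perform the redirect or the token exchange.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (hypothetical): substitute your own app registration.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/callback"
GRAPH = "https://graph.microsoft.com/"

CALENDAR_SCOPES = ["Calendars.ReadWrite"]   # Calendar module, consented first
CONTACTS_SCOPES = ["Contacts.Read"]         # Contacts module, requested later

def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(scopes, state: str, code_challenge: str) -> str:
    """Authorization-code request asking only for the scopes this step needs."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(["openid", "offline_access"] + [GRAPH + s for s in scopes]),
        "state": state,                    # CSRF binding, verified on the callback
        "code_challenge": code_challenge,  # PKCE, binds the code to this client
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def requested_scopes(url: str) -> list:
    return parse_qs(urlparse(url).query)["scope"][0].split()

def normalize(scope: str) -> str:
    """Token responses may list scopes with or without the resource prefix (assumption)."""
    return scope.lower().removeprefix(GRAPH.lower())

def granted_scopes(token_response: dict) -> set:
    return {normalize(s) for s in token_response.get("scope", "").split()}

def missing_scopes(token_response: dict, needed) -> list:
    """Scopes to request in a step-up flow before a module calls its Graph API."""
    have = granted_scopes(token_response)
    return [s for s in needed if normalize(s) not in have]
```

Store the token response's `scope` field with the token so each module can check `missing_scopes` before calling Graph, and only then send the user through a second consent screen.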