I am using msgraph-training-reactspa sdk from Microsoft which uses MSAL for authentication. It does not return any refresh token. It has acquireTokenSilent method which gets new access token.
As per our requirement I want to get user access token along with refresh token so that I can later get new access token with refresh token and use microsoft graph api in CRON to update data.
How can we login user to microsoft via react app and get the refresh token so that I can save it in my DB?
Can I get any sample reference?
To get the refresh token (which is probably useless in your scenario anyway), you need to ask for the offline_access scope in your app manifest (or in the auth request), user has to agree to that, and then the refresh token is included by the azure ad.
But what you really want is probably sol-called "app-permissions" to be able to do stuff without the user present at all using CRON or whatever (and not a refresh token). I.e. for delegated permissions, you need a user under whose account the thing will be executed anyway (and even the refresh token will expire, and then you'll have to ask for login). The sample you are referring to is using delegated permissions. Check out the difference here: Azure AD App Application Permissions vs Delegated Permissions
Related
I am currently using passport-azure-ad and #azure/msal-node nodejs library to authenticate users for my APIs. When the user successfully authenticates via his/her microsoft account we receive an access_token, the user can call our APIs with that access_token.
Now if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.
How can we do this please?
Basically, you can't.
I believe that the spec. doesn't allow access tokens to be revoked.
You can, however, revoke refresh tokens.
When the access token expires, the refresh token won't be honoured and the user will be logged out.
Going forward, continuous access evaluation will be of use but it hasn't been implemented in many apps. to date.
I'm currently developing an application which consists of a frontend SPA which makes request to a Node backend. The Node backend makes requests to MS Graph. For this usecase I set up the OBO flow which works fine.
The SPA uses MSAL.js to request a token for middle tier API with /.default scope. The middle tier API knows the client as 'knownclient' in its Manifest. On very first login the application wants the user to consent to the combined scopes from client and middle tier. (If the user never used the app before)
The problem now is the following: By going further in the development process, new scopes are added for MS Graph in the middle tier API. However the client doesn't show the consent prompt to the user for giving his consent to use the new backend scope although using the /.default scope in the client.
The first approach I had was settings prompt='consent' to the MSAL setting in the frontend. This approach works but results in asking the user for consent every time he logs in.
The intended behaviour would be to just ask for consent if the middle tier API changes its scopes.
How do I have to set up my applications to get this result?
As I said in the comments, if you just add new permissions, don't use prompt='consent', because this will cause the administrator consent page to be triggered every time you log in as a user.
When you add a new permission, you only need to grant the administrator's consent, and there is no need to request the user's consent again. So, you only need to grant the administrator consent in the Azure portal. Or, use the url that the administrator consent to: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.
I have an application that authenticates from ADFS 2016 using openidConnect.
Once I get token form ADFS I create local cookie session in my application.
Problem
When permission for user changes on ADFS server or user is disabled, how my application can trigger logout for user. ADFS provides any endpoint or api to check that?
Access token you get from AD FS has a certain lifetime (configurable on AD FS side). The default value is one hour. You can read more about AD FS token lifetime here.
With AD FS you do not have any "built into the protocol" way to logout the user from your application exactly at the time when you disable it in AD, but you can set expiration time for the cookies in your application, so when the cookies expire, the application will go and try to get a new access token or refresh an existing token depending on your needs and arhitecture.
Option #1: Get new access token
If the user was disabled he will not be able to get a new access token and will not be able to login into your application. If the the user was still active by the time when a local cookie in your application expired, the AD FS login process will be seamless for him. I.e. he will not even see the AD FS login page and will be redirected back to your application with a new access token right away.
Option #2: Refresh existing access token
This option is only available when you persist AD FS access tokens in your application. You can use a certain endpoint at AD FS server to try to refresh that access token. If a used was disable he will not be able to refresh the token and you can perform a logout. You can read more about how to refresh the access token and some other scenarios with AD FS here.
I have an application which already use azure AD for authentication.
And now, we need to integrate MS onedrive in it.
Now, for doing so, we don't want the user to go through login again.
Is it possible that the Oauth token generated in application login can be used for graph APIs. Or any other way to skip that MS login for onedrive?
I've seen the question. But my problem is bit different that I'm already using Azure AD for authentication.
Thanks in advance.
When the user logs in, you can acquire multiple access tokens.
You will need to acquire a token for MS Graph API.
You can use the same authorization code twice to get two access tokens, or you can use the refresh token gotten with the first one to get another access token.
I have a web applications and I wanted to allow users to pick file from oneDrive and submit those files. So my question is that, is there a way for me to allow for users who use my site to do this without asking them to log in for oneDrive ?.
I have a similar experience in googledrive and in there, we can do this through service account by authentication each users from the backend silently each time.
Further more, I have sign up for office 365 for business and link it to Azure and in there add few user to it via Active Directory.
Thanks in advance
One way is to use a designated account to create refresh token that has 'offline access' to the OneDrive. The offline access refresh token has a very long (or indefinite) expiry. Use OAuth 2.0 to create the refresh token.
Every time a user needs to browse the OneDrive, use the refresh token to request a short-term access token (again, this is OAuth 2.0). You can use that access token to access the OneDrive.
Unfortunately, my finding is that offline tokens have full read/write access - read only access doesn't seem possible.