I have an application which already use azure AD for authentication.
And now, we need to integrate MS onedrive in it.
Now, for doing so, we don't want the user to go through login again.
Is it possible that the Oauth token generated in application login can be used for graph APIs. Or any other way to skip that MS login for onedrive?
I've seen the question. But my problem is bit different that I'm already using Azure AD for authentication.
Thanks in advance.
When the user logs in, you can acquire multiple access tokens.
You will need to acquire a token for MS Graph API.
You can use the same authorization code twice to get two access tokens, or you can use the refresh token gotten with the first one to get another access token.
Related
I am using msgraph-training-reactspa sdk from Microsoft which uses MSAL for authentication. It does not return any refresh token. It has acquireTokenSilent method which gets new access token.
As per our requirement I want to get user access token along with refresh token so that I can later get new access token with refresh token and use microsoft graph api in CRON to update data.
How can we login user to microsoft via react app and get the refresh token so that I can save it in my DB?
Can I get any sample reference?
To get the refresh token (which is probably useless in your scenario anyway), you need to ask for the offline_access scope in your app manifest (or in the auth request), user has to agree to that, and then the refresh token is included by the azure ad.
But what you really want is probably sol-called "app-permissions" to be able to do stuff without the user present at all using CRON or whatever (and not a refresh token). I.e. for delegated permissions, you need a user under whose account the thing will be executed anyway (and even the refresh token will expire, and then you'll have to ask for login). The sample you are referring to is using delegated permissions. Check out the difference here: Azure AD App Application Permissions vs Delegated Permissions
I would like to communicate with the Active Directory B2C from my backend to manage users. This seems possible here:
https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
However, I don't see how to get a login token (or cookies) for a user so the server can send it back to the front-end to have it logged-in. How is it possible to implement this scenario?
I have seen this link but it refer to OAuth.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy
Thanks!
Azure B2C auth flow cannot generate an access token for Microsoft Graph.
You need to implement AAD auth flow by following Get access without a user or Get access on behalf of a user.
I have a single page web app which needs to talk to disparate services. To talk to each of these services, it requires a separate Oauth token. To acquire these tokens, I will be forced to ask the user to login separately for cross-domain calls. How to prevent this so that user logs in just once?
Edit 1: Added clarification
No, you will not need to have the user signin again for every token. Once the user signs in on first request, the token issuer will create a session cookie and use that establish user's identity in subsequent requests. If you are using Azure AD use msal.js library to simplify your coding. AFAIK, it uses a zero-size frame for all token requests after the first one.
I have an API locked down by Azure B2C. Everything is configured correctly for my client app that consume this API. My question relates to the integration tests that accompany the API. While it's pretty obvious that authentication triggers a UI to sign in, how would one go about requesting a token for tests cases that require authentication without popping a UI up?
Right now I have to have a utility that allows me to grab an access token (by popping up a UI) and then using that in my test project. Ultimately it expires so all the tests fail. This makes sense but I'm wondering if anyone has come up with a way to automate the process of acquiring tokens using this library so that the test cases can acquire them without popping up a UI. Screen scraper?
It looks like you want the Resource Owner Password Grant Flow. B2C does not officially support this, but Azure Active Directory does.
Read these:
Can I use "Resource Owner Password Grant" flow with Azure AD B2C
https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/
Note that in the scenarios where B2C is simply acting like AAD (local accounts), you can use this flow. But for other social identity providers like Facebook and Google, you cannot use this flow.
I like your original method which is to generate an access token outside the app, and paste it in. I recommend adding to that the Refresh Token you got, and code to acquire a new token using an existing refresh token. Something like this.
Let me know if this helps.
I have a web applications and I wanted to allow users to pick file from oneDrive and submit those files. So my question is that, is there a way for me to allow for users who use my site to do this without asking them to log in for oneDrive ?.
I have a similar experience in googledrive and in there, we can do this through service account by authentication each users from the backend silently each time.
Further more, I have sign up for office 365 for business and link it to Azure and in there add few user to it via Active Directory.
Thanks in advance
One way is to use a designated account to create refresh token that has 'offline access' to the OneDrive. The offline access refresh token has a very long (or indefinite) expiry. Use OAuth 2.0 to create the refresh token.
Every time a user needs to browse the OneDrive, use the refresh token to request a short-term access token (again, this is OAuth 2.0). You can use that access token to access the OneDrive.
Unfortunately, my finding is that offline tokens have full read/write access - read only access doesn't seem possible.