Microsoft Graph - client credentials support

Is there a way to implement app permissions using the client_credentials flow? So the app can connect to Graph without a user logged in?
i.e.: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

Does this use adal-node? https://www.npmjs.com/package/adal-node

The current implementation uses the OAuth implicit grant, which indeed relies on a user to log in. Implementing application-level login needs a server-side proxy which should authenticate against Azure. While technically possible, it would need additional configuration such as specifying which Graph APIs to proxy.

Does this use adal-node? https://www.npmjs.com/package/adal-node

Do you mean Radzen's implementation? If yes - no, the Azure AD login sequence is implemented on the client side via an Angular service that Radzen generates.

Thanks for your reply.

While technically possible, it would need additional configuration such as specifying which Graph APIs to proxy

Not sure if that's so. I think you just need to get the id_token using server-side to avoid CORS. But with the token, the graph calls should be all the same from the client, no?

Oh I see what you mean - you want to access the Graph API under the same account always.

I am logging this as a feature request and we will consider it for a future release depending on interest.

Oh I see what you mean - you want to access the Graph API under the same account always.

Sort of. I don't want to authorize with delegated user permissions, rather I want to access under the app permissions specified in app registration using the 'client consent' flow.

I would think you could simply add a checkbox for Client Consent grant type and then options to specify tenant and client secret. Then POST to the /token endpoint to get the id_token. Like so:

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

Now use the id_token from the response.

PS...The Graph How To article has a typo. Auth URL should be login.microsoft.com.... rather than login.microsoftonline.com
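An added sketch (not part of the thread and not Radzen's code) of the server-side pieces discussed above: the client-credentials token request, plus the allowlist of Graph paths a proxy would forward. The function names, the GET-only rule and the two allowed prefixes are assumptions for illustration; the client secret is meant to stay on the server and never reach the Angular bundle.

```javascript
const GRAPH_BASE = 'https://graph.microsoft.com';
// Assumption: this proxy forwards only these Graph resources, read-only.
const ALLOWED_PREFIXES = ['/v1.0/users', '/v1.0/groups'];

// Build the form-encoded POST for the tenant's v2.0 token endpoint.
function buildTokenRequest(tenant, clientId, clientSecret) {
  // Tenant is a GUID or domain; reject anything that could alter the URL path.
  if (!/^[A-Za-z0-9.-]+$/.test(tenant)) throw new Error('invalid tenant');
  const body = new URLSearchParams({
    client_id: clientId,
    scope: 'https://graph.microsoft.com/.default',
    client_secret: clientSecret,
    grant_type: 'client_credentials',
  });
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Decide whether a client-supplied path may be forwarded with the app token.
// Resolving through URL normalizes ".." segments, and the origin check rejects
// inputs such as "//other.example/x" that would leave graph.microsoft.com.
function isAllowedGraphPath(method, rawPath) {
  if (method !== 'GET' || typeof rawPath !== 'string') return false;
  let u;
  try { u = new URL(rawPath, GRAPH_BASE); } catch { return false; }
  if (u.origin !== GRAPH_BASE) return false;
  return ALLOWED_PREFIXES.some(
    (p) => u.pathname === p || u.pathname.startsWith(p + '/'));
}

// Network step (not executed here): the bearer token is the response's
// access_token field. Read the secret from server-side configuration only.
async function getAppToken(tenant, clientId, clientSecret) {
  const { url, ...init } = buildTokenRequest(tenant, clientId, clientSecret);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}
```

Because app permissions are not scoped to a signed-in user, every caller of such a proxy gets the app's full reach on the allowed paths, so the proxy still needs its own authentication in front of it.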

Hi @joshbooker,

According to MS documentation the URL is correct:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_overview

Best Regards,
Vladimir

@enchev you are correct, my bad, sorry and thanks for your reply.