I'm currently working on an outlook add-in using the MS Graph API. In this add-in, I'm using azuread-openidconnect passport plug-in to authenticate the users using the OIDC strategy on the Azure-AD V2 endpoint.
I'm running into the typical issue where my access token is expired, and I need to use my refresh token to get an up to date access token. From the docks (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code) I can easily check and refresh the token manually. However, I assume that this functionality has been baked into the passport plug-in. If so how do I go about checking and refreshing the token with the plug-in?
There's no method in passport-azure-ad for that. Passport's role is to authorize the initial access token, which can then be used to access APIs (including the refresh token API) at the provider.
So you may need to refresh these tokens by yourself, or by using a separate library like passport-oauth2-refresh.
Related
I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.
I've read the docs and looked at many different forums for the solution but as of yet I've been unsuccessfull in obtaining a SPO specific access token, although I think I'm close.
I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862
This is what I've done:
Registered an Azure App: (Image of my Azure App Overview)
Created a client secret in the App dashboard: (Image of the client secret page)
Successfully sent a request to https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token using the client secret in Postman: (Image of Postman request)
The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the afforementioned StackOverflow answer suggests you need to "swap" for an SPO specific access token.
How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?
I wrote this gist to guide you into getting Sites.Selected access to the desired site:
https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542
This guide shows you how to configure this as Application permissions, and via the Graph API.
I've found going through the Graph API is the best way to go.
Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.
In the guide is described that you have to get a delegated auth token from graph but you are getting an application auth token. The token response of this flow does not contain a refresh_token. See here.
But you already wrote that you are not able to provide a user sign-in experience. One workaround would be to once manually get the access_token and refresh_token of a user with the delegated flow and then periodically get a new access_token with the refresh_token on your server. You could store these values in your database and update them when you fetch a new one.
First, the daemon-based client credential flow does not return a refresh token for you. You also can't redeem the refresh token of the graph API for an access token for SPO, which are two completely different API resources.
To get an access token for SPO you just need to set scope to: https://{tenant-name}.sharepoint.com/.default.
I am working on one project with angular 7, we have already SSO but I need to use Microsoft Graphs. Right now I am trying with MSAL (#azure/msal-angular) but I can not find the way for make login with MSAL using only #username and #password.
MsalModule.forRoot({
clientID: "1231231-1212-4566-2345-fssfr34fsdf" })
Any idea.
You can't send the username/password in an API call to get an authentication token. Microsoft Graph doesn't support this.
If you are ok with authenticating without user context i.e. application only context, then the client_credential flow is probably your best bet. You authenticate with an app id and secret.
Get access without a user
I have clients connecting to my backend application giving me permissions, access token and refresh token but these refresh tokens have a limited lifetime if not used and from this, comes the need for the client to revalidate the permissions and tokens.
To avoid that, I'm trying to find ways to have an "until-revoke" refresh token for the OAuth under the Outlook API. I'm not being able to find much information about this. There is something related to Azure policies to change that but... I haven't found a way to do so and specialy related/connected to Outlook API.
Do I have a solution for this or do I need to setup some kind of cron to update the refresh token before expiring?
You're backend application should receive until-revoked refresh tokens if it is configured as a confidential client.
you can see how an application is configured as a confidential client in Azure AD in this article.
Hope it helps!
I have an iOS application that allows users to login with Facebook (via the Facebook Swift SDK). This returns the an access token for the user, which is specific to that app.
The user's facebook access token is passed to my NodeJS API where its authenticity needs to be checked. How can I do this? Basically, I need to check that Facebook has given the user this access token specifically for use with my app.
Once this is done, I will just use my API's standard JWT access and refresh tokens to authenticate future requests.
You can use the Debug Token endpoint within the facebook api, which provides if the token is still valid and which application the token is valid for.
I am developing a Chrome extension which needs to get an OAuth 2 access token for a Google service. But I am not sure whether to use the Authorization Code Grant flow or the Implicit Grant flow.
In the Implicit grant flow, I get the access token directly. However, since we don't get a refresh token here, we'll have to request for an access token again here if it expires. Will this ask the user to authenticate my App again (by showing him authentication UI) or will the user be oblivious to it?
My experience using chrome.identity API for authorization tokens is: the first time an authorization is needed (when the extension is first installed), the user is presented an authentication UI to confirm.
Whenever the token expires and a new token is necessary, calling chrome.identity.getAuthToken won't display the authentication UI but fetch a new token directly (no user interaction is needed if access was previously granted).