BargaAllen-8369 asked

Graph API bearer token for signed-in user

I am writing some automation for signed-in users where I'd like to auto-insert Outlook tasks into their task list. If I go to Graph Explorer and click on the "access token" tab, I get an access token for the logged-in user. I can then put that token into a variable and my script works just fine to insert Outlook tasks when I post to "https://graph.microsoft.com/v1.0/me/todo/lists/{taskListId}/tasks".

I'll fully admit I'm new to Graph, but it seems fairly easy to work with its APIs once you have the bearer token. So my question comes down to: how do I get that token for the logged-in user via an API call? I've done quite a bit of research and anything I see points to needing a registered application with the appropriate permissions to see the entire organization's info. That is not what I want. I want to only interface with the logged-in user (/me). It appears Graph Explorer has a way to get a bearer token through the web UI. Is there not a way to get this token via an API call? The closest I've come to is https://docs.microsoft.com/en-us/graph/auth-v2-user, but that seems to be for a registered app to act on behalf of a user. Am I just completely missing something?

Thank you for the help!

microsoft-graph-calendar

Hello

Sorry to interrupt but I was wondering if you ever were able to make the authorization flow work. I'm currently stuck with retrieving the code to request a new token and was hoping to find an answer here.

Thanks


Unfortunately I did not.


1 Answer

Danstan-MSFT answered BargaAllen-8369 commented

Have you logged in to Graph Explorer? FYI, Graph Explorer is also a registered application that will request the permission to access your data or act on your behalf. Before you log in, you will just be using a demo bearer token.

That said, for you to get an access token to act on behalf of a user, you need their consent to do that, and you need to register an app with Azure AD to help you request the permissions related to whatever you want to do on behalf of the user and then get an access token when they grant the permission.

As long as the data you need to access or the action you need to perform is protected using Azure AD, you will need to register an app to access those. I suggest you read Application model to understand more. I also suggest that you read Permissions and consent in the Microsoft identity platform to understand what type of permissions your app will need, to avoid copy-pasting tokens, because it's bad practice. This will tell you if you need a signed-in user or not.


Thank you for the response @Danstan. I did log into Graph Explorer, and the first time I did so, I was directed to a consent form. I've also been able to see, thanks to jwt.ms, what App ID in my organization is requesting delegated permissions. So if I understand the OAuth 2 flow correctly here (after the initial consent):

 - I get directed to https://login.microsoftonline.com/common/oauth2/v2.0/authorize? with several different options (scope, response type, client id/app id, etc)
 - That authorize portion then redirects me to the URI that matches what is configured in the AAD App and a code parameter is passed through.
 - The code parameter can then be used to get the bearer token which is what is needed to authorize to the Graph API


Assuming that flow is correct, I'm struggling with a few things:

  • After the interactive consent is completed the first time, how do I make this automated, preferably through PowerShell? I've tried to create the URI to the /authorize endpoint and do an Invoke-WebRequest to capture the redirection so I can then get the "code" portion of the redirected URI, but that didn't work.

  • Is it possible to interact with the /me portion of the Graph API without having the Secret Key of the App?

Graph is allowing me to get my Access Token without having the App's secret key, so I would think the above is possible especially since I'm not asking for other users info, just the logged in user.

Either way, I'll continue reading and I'll also fully read over the links you posted.

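As an added example (not code from the question, the answer, or Microsoft), here is the three-step flow the commenter outlines, done in PowerShell against an app registration of the "Mobile and desktop applications" (public client) kind, where PKCE stands in for the client secret the commenter does not have. The client ID and redirect URI are placeholders for your own registration's values; the browser step stays interactive because sign-in and consent pages need a real browser session, which is why capturing the redirect with Invoke-WebRequest alone does not work.

```powershell
# Added example: OAuth 2.0 authorization-code flow with PKCE (RFC 7636) for a public client.
# Placeholders: replace $ClientId and $RedirectUri with your own app registration's values.
Add-Type -AssemblyName System.Web
$ClientId    = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$TenantId    = 'common'
$RedirectUri = 'http://localhost:8400/'                 # registered under "Mobile and desktop applications"
$Scopes      = 'Tasks.ReadWrite offline_access'         # delegated scopes for /me/todo plus a refresh token

# PKCE: random verifier, SHA-256 challenge, both base64url-encoded (no padding, URL-safe alphabet).
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$verifierBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($verifierBytes)
$codeVerifier  = ConvertTo-Base64Url $verifierBytes
$sha256        = [System.Security.Cryptography.SHA256]::Create()
$codeChallenge = ConvertTo-Base64Url ($sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($codeVerifier)))
$state         = [Guid]::NewGuid().ToString()           # ties the redirect back to this run

# Step 1: the user signs in and consents in a browser at /authorize.
$authorizeUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?" +
    "client_id=$ClientId&response_type=code&response_mode=query" +
    "&redirect_uri=$([Uri]::EscapeDataString($RedirectUri))" +
    "&scope=$([Uri]::EscapeDataString($Scopes))" +
    "&state=$state&code_challenge=$codeChallenge&code_challenge_method=S256"
Start-Process $authorizeUrl

# Step 2: the browser lands on $RedirectUri?code=...&state=...; read the code out of that URL.
$redirected = Read-Host 'Paste the full redirect URL from the browser address bar'
$query = [System.Web.HttpUtility]::ParseQueryString(([Uri]$redirected).Query)
if ($query['state'] -ne $state) { throw 'state mismatch: redirect did not come from this sign-in' }
$code = $query['code']

# Step 3: exchange the code at /token. No client_secret: code_verifier proves this process
# is the one that started the flow, so an intercepted code alone is useless to anyone else.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        grant_type    = 'authorization_code'
        code          = $code
        redirect_uri  = $RedirectUri
        scope         = $Scopes
        code_verifier = $codeVerifier
    }

# Call Graph as the signed-in user with the delegated token; nothing is pasted from Graph Explorer.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me/todo/lists' -Headers $headers
```

Later runs can present `$tokenResponse.refresh_token` (granted by `offline_access`) to the same /token endpoint with `grant_type=refresh_token` instead of repeating the browser step, so the interactive sign-in happens once per user rather than per run.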