Office365 accesstoken: Difference between revisions

Office365 accesstoken

Revision as of 05:53, 4 July 2023

Background: https://learn.microsoft.com/en-us/graph/auth-v2-user

Office365 contains the GraphAPI used to access SharePoint documents, calendars, emails, etc.

What you need to do on the Azure side of this (also called the tennant by Microsoft) is to do an App_Registration, do this at: https://Portal.Azure.com.

From here you will need:

Client id, a guid string - put this in SysSingleton.Office365ClientId
tennant id, a guid string - put this in SysSingleton.Office365TennantId
Client secret, SysSingleton.Office365ClientSecret

You must also set up the redirect endpoints that shall be allowed for this solution (where Azure will go and is allowed to go in our app once it has done the authentication of the user).

On Azure, give the EXACT SAME (case sensitive) as you put in SysSingleton.Office365Redirect. - this value MUST point to <your systems url>/Account/AzureAdAuthorize

The Account/AzureAdAuthorize is a new controller action that assumes you have the above office365 values in SysSingleton. It sends a post request to "https://login.microsoftonline.com/" + tennantid + "/oauth2/v2.0/token" and gets the accesstoken and the refreshtoken. These tokens are then written to CurrentUser - SysUser.Office365AccessToken and SysUser.Office365RefreshToken.

You will also need to Grant your app-registration access to particular interfaces in Office365 (allowed to see an email or not, allowed to see SharePoint lists or not).

Once you are ready to "log on" or authorize, you must say what scope THIS particular session should see: scope looks like this, its a space-delimited string:

offline_access User.Read Sites.Read.All

Put this value in SysSingleton.Office365Scope

We can now formulate the request for (1) a code (lives a very short time) - we will then use this code to get (2) an access token (lives an hour) and (3) a refresh token (lives very long - often until revoked).

'https://login.microsoftonline.com/'+SysSingleton.oclSingleton.Office365TennantId+'/oauth2/v2.0/authorize?
client_id='+SysSingleton.oclSingleton.Office365ClientId+'
&response_type=code
&redirect_uri='+SysSingleton.oclSingleton.UrlEncode( SysSingleton.oclSingleton.Office365Redirect,false)+'
&response_mode=query
&scope='+SysSingleton.oclSingleton.UrlEncode( SysSingleton.oclSingleton.Office365Scope,false)+'
&state='+SysSingleton.oclSingleton.UrlEncode('http://localhost:5020/App#/AzureAuthorize/$null$',false)

Note the last query parameter: state - This is just run-tripped for us. We use it to know where to redirect once we have the accesstoken.

You can use the Tagged value DataIsLink and have the above URL in a ViewModel column, or use the selfVM.NavigateURL in an action.

Once you have the accesstoken, you can try a GraphAPI call like this:

vResult:=selfVM.RestGet('https://graph.microsoft.com/v1.0/me','Bearer',SysSingleton.oclSingleton.CurrentUser.Office365AccessToken,'')

This page was edited more than 10 months ago on 03/19/2024. What links here

@@ Line 1: / Line 1: @@
-Background : https://learn.microsoft.com/en-us/graph/auth-v2-user
+Background: https://learn.microsoft.com/en-us/graph/auth-v2-user
-Office365 contains the GraphAPI that be used to access sharepoint documents, calendars,emails etc
+Office365 contains the GraphAPI used to access SharePoint documents, calendars, emails, etc.
 [[File:2023-04-24 17h45 47.png|none|thumb|422x422px]]
-What you need to do on the Azure side of this (also called the tennant by Microsoft) is to do an App_Registration, you do this in https://Portal.Azure.com.
+What you need to do on the Azure side of this (also called the tennant by Microsoft) is to do an App_Registration, do this at: https://Portal.Azure.com.
 From here you will need:
+* Client id, a guid string - put this in SysSingleton.Office365ClientId
+* tennant id, a guid string - put this in SysSingleton.Office365TennantId
+* Client secret, SysSingleton.Office365ClientSecret
+You must also set up the redirect endpoints that shall be allowed for this solution (where Azure will go and is allowed to go in our app once it has done the authentication of the user).
-Client id, a guid string - put this in SysSingleton.Office365ClientId
+On Azure, give the EXACT SAME (case sensitive) as you put in SysSingleton.Office365Redirect. - this value MUST point to <your systems url>/Account/AzureAdAuthorize
-tennant id, a guid string - put this in SysSingleton.Office365TennantId
+The Account/AzureAdAuthorize is a new controller action that assumes you have the above office365 values in SysSingleton. It sends a post request to "<nowiki>https://login.microsoftonline.com/</nowiki>" + tennantid + "/oauth2/v2.0/token" and gets the accesstoken and the refreshtoken. These tokens are then written to CurrentUser - SysUser.Office365AccessToken and SysUser.Office365RefreshToken.
-Client secret, SysSingleton.Office365ClientSecret
+You will also need to Grant your app-registration access to particular interfaces in Office365 (allowed to see an email or not, allowed to see SharePoint lists or not).
-You must also set up the redirect endpoints that shall be allowed for the this solution (where azure will go and is allowed to go in our app once it has done the authentication of the user).
-On azure you give the EXACT SAME (case sensitive) as you put in SysSingleton.Office365Redirect. - this value MUST point to <your systems url>/Account/AzureAdAuthorize
-The Accoount/AzureAdAuthorize is a new controller action that assumes you have the above office365 values in SysSingleton - it sends a post request to "<nowiki>https://login.microsoftonline.com/</nowiki>" + tennantid + "/oauth2/v2.0/token" and gets the accesstoken and the refreshtoken. These tokens are then written to CurrentUser - SysUser.Office365AccessToken and SysUser.Office365RefreshToken.
-You will also need to Grant your app-registration access to particular interfaces in office365 (allowed to see email or not, allowed to see sharepoint lists or not)
 [[File:Image (3).png|none|thumb|526x526px]]
-Once you are ready to "log on" or Authorize you must say what scope THIS particular session should see : scope looks like this, its a space delimited string:
+Once you are ready to "log on" or authorize, you must say what scope THIS particular session should see: scope looks like this, its a space-delimited string:
   offline_access User.Read Sites.Read.All
 Put this value in SysSingleton.Office365Scope
-We can now formulate the request for (1) a code (lives very short time) - we will then use this code to get an (2)access token (lives an hour) and a (2)refresh token (lives very long - often until revoked).
+We can now formulate the request for (1) a code (lives a very short time) - we will then use this code to get (2) an access token (lives an hour) and (3) a refresh token (lives very long - often until revoked).
   '<nowiki>https://login.microsoftonline.com/'+SysSingleton.oclSingleton.Office365TennantId+'/oauth2/v2.0/authorize</nowiki>?
@@ Line 35: / Line 31: @@
   &scope='+SysSingleton.oclSingleton.UrlEncode( SysSingleton.oclSingleton.Office365Scope,false)+'
   &state='+SysSingleton.oclSingleton.UrlEncode('http://localhost:5020/App#/AzureAuthorize/$null$',false)
-Note the last query parameter: state - this is just runtripped for us - we use it to know where to redirect once we have the accesstoken.
+Note the last query parameter: state - This is just run-tripped for us. We use it to know where to redirect once we have the accesstoken.
-You can use Tagged value DataIsLink and have the above url in a ViewModel column, or you can use the selfVM.NavigateURL in an action.
+You can use the Tagged value DataIsLink and have the above URL in a ViewModel column, or use the selfVM.NavigateURL in an action.
-Once you have the accesstoken you can try a GraphAPI call like this:
+Once you have the accesstoken, you can try a GraphAPI call like this:
   vResult:=selfVM.RestGet('<nowiki>https://graph.microsoft.com/v1.0/me','Bearer',SysSingleton.oclSingleton.CurrentUser.Office365AccessToken</nowiki>,<nowiki>''</nowiki>)