I have the following set up:
- A web app (Jetty/Java)
- A native client (iOS) (calling my webapp)
- The Microsoft Graph API (called from my webapp)
The idea is that the user should sign in with OpenID/Oauth2 using his/her Office 365 credentials. The webapp will then call the Microsoft Graph API on behalf of the user (offline as well).
To achieve this I'm pretty sure I need to use the grant type: "Authorization code grant". I can find a lot of example of the Oauth2 flow for browser based apps, and for when the native app calls the Graph API directly... but I want my backend to call the Graph API (and hold the access & refresh tokens).
So the question is how to do this properly? Here is my idea at this point.
From the native app: open a browser, call my web server which will trigger a redirect to the Azure /authorize endpoint (example: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize?client_id=[clientid]&response_type=code&scope=offline_access%20user.read%20calendars.readwrite&response_mode=query&state=12345&redirect_uri=my-scheme://oath2-code-reply
This will trigger authentication/authorization and then send the access code back to the app (using a custom scheme redirect: my-scheme://oath2-code-reply).
The app can then call my web app with this access code, where we can exchange the code for refresh & access code, and also create our own session for the user.
Is this the correct way?
Or should the entire flow occur in the browser and as the final step I open the app again with something like myapp-scheme://?sessionid=[our-own-session]?
