1
votes

We need to access SharePoint (Graph) APIs through our API layer (no web layer here). I am trying to access Graph APIs through my Java-based REST APIs with AAD. I have registered my application in Azure and I have a client_id and secret.

  1. grant_type=authorization_code flow

I have tried authorization_code flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Getting code from "/oauth2/v2.0/authorize" and then access_token with that code works fine in web application where we can sign-in and accept consent page in "/oauth2/v2.0/authorize" flow.

But when I am trying to access the same through my API, it's giving the below error:

http://localhost:9090/ping?error=login_required&error_description=AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).

Timestamp: 2020-08-07 05:32:10Z&error_uri=https://login.microsoftonline.com/error?code=50058

  2. grant_type=client_credentials

When I generate an access_token with grant_type=client_credentials, client_id & client_secret, then it's giving the below error:

App access token request:

curl -X POST \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default'

{
    "error": {
        "code": "AccessDenied",
        "message": "Either scp or roles claim need to be present in the token.",
        "innerError": {
            "date": "2020-08-07T06:23:21",
            "request-id": "***-15e3-437d-8297-****"
        }
    }
}

I have added the below permissions in my application:

1
authorization_code flow requires an interactive login. You should implement it with MSAL. See Authorization code provider and Get file example. client_credentials only supports Application permission rather than Delegated permission. – Allen Wu

Thank you for your reply, Allen. Any idea about which Java Maven dependency we need to use here? The code available in the example takes me to the .NET SDK. – user1398291

1 Answer

0
votes

As Allen Wu commented some minutes ago, you basically cannot use "client_credentials" for this purpose, assuming you want your Java backend to access a user's SharePoint files (it looks like this is what you want). The OAuth concept is to work with a token generated on the user's behalf and forward/use it in the services that are connected/registered in Azure.

What you have to do is stick with the "authorization_code" flow that you tested and forward the token you acquired (in some frontend that your user can see, whatever this is) to your Java service/API (in the REST client you attach it to the HTTP request).

In the Java service/API you extract the token and forward it to the Graph API. Microsoft also provides methods to validate the token before using/forwarding it. It is best practice to do the validation in your Java service in a security interceptor before doing anything else.
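The claim checks such an interceptor would run before forwarding a token to Graph, as an added example that is not part of the answer above or of any Microsoft SDK, written in Python rather than Java for brevity. It builds a constructed, unsigned sample token (alg=none) purely for the demo, then applies the audience, issuer, expiry and scp/roles checks; the checker assumes the real RS256 signature has already been verified against the tenant's JWKS by a JWT library, which is not shown. The tenant id and claim values in the test are constructed placeholders.

```python
import base64
import json
import time

# Microsoft Graph accepts either audience form; the GUID is Graph's well-known app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Constructed sample token for this demo only (alg=none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."

def check_graph_token(token, tenant_id, now=None):
    """Return the list of problems found; an empty list means the token may be forwarded.
    Assumes the RS256 signature was already verified against the tenant's JWKS."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("aud is not Microsoft Graph")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("iss is not this tenant's v2.0 endpoint")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # Graph authorises on scp (delegated) or roles (application). A client_credentials
    # token for an app with no consented application permissions carries neither, which
    # is what produces "Either scp or roles claim need to be present in the token."
    if not claims.get("scp") and not claims.get("roles"):
        problems.append("neither scp nor roles claim present")
    return problems

def token_kind(token):
    """'delegated' for an scp token, 'application' for a roles token, else 'none'."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("scp"):
        return "delegated"
    return "application" if claims.get("roles") else "none"
```

Run `check_graph_token` on the token your frontend hands to the Java service; a non-empty result means reject the request in the interceptor rather than forwarding it, and the scp/roles problem in particular tells you the app registration still lacks a granted permission.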