Microsoft Graph API Delegated Permissions
0 likes75 views
The document discusses integrating Microsoft Graph API with OutSystems using OAuth 2.0 authorization code flow for user authentication. Key topics include prerequisites for implementation, access token management, and the distinction between application sign-in and account linking. It also outlines building blocks for authentication requests, callbacks, and token handling, along with resources for further learning.
Microsoft Graph API Delegated Permissions
- 1. Microsoft Graph API and OutSystems Delegated Permissions Access Microsoft Cloud Services via Graph API in OutSystems December 13th 10am (CET) Stefan Weber Senior Director Software Development Telelink Business Services Germany GmbH OutSystems MVP – AWS Community Builder
- 2. Fundamentals  Quick Recap of Part 1  OAuth 2.0 Authorization Code Flow  Application Sign In vs Account Linking  Elements we need to build Agenda Implementation  Prerequisites  Register an application with Microsoft Identity Provider (Entra ID)  Build an Authorization Code Flow for Application Sign In  Consume Graph API endpoints with OutSystems
- 3. OAuth 2.0 Authorization Code Flow The OAuth 2.0 Authorization Code flow is designed for applications to access a service API on-behalf of a user. This flow requires the user to be redirected to the identity provider to authenticate, after which they are redirected back to the application with an authorization code. This code is then exchanged for an access token by the application backend using a client secret. Authorization Code Flow with Proof Key Exchange (PKCE) is originally designed for applications that cannot securely store a client secret but will be mandatory in OAuth 2.1
- 4. OAuth 2.0 Authorization Code Flow - Tokens Access Token An OAuth 2.0 Access Token is a credential used to access protected resources on behalf of a resource owner. Issued by the authorization server, it represents the grant of access given to a client application. This token does not contain information about the user's identity; instead, it is used to access APIs securely. OpenID Connect Token This token contains claims about the authentication of an end user and is a JSON Web Token (JWT) that includes information such as the user's identity, the authentication method used, and the token's validity period Refresh Token An OAuth 2.0 refresh token is a special kind of token that is used to obtain a renewed access token when it expired or became invalid. The refresh token is used to securely request a new access token without requiring the user to go through the authentication process again. Refresh tokens are particularly useful in applications that need to maintain long-term access to a user's resources hosted by a service provider.
- 5. Application Sign In vs Account Linking Sign In A user authenticates himself via an external, OAuth 2.0- compatible identity provider and is authorized as a user in OutSystems. Link Account A user logs into OutSystems and then connects one or more external accounts of applications that use an OAuth 2.0 compatible identity provider for authentication.
- 7. Prerequisites  Access to your Azure Tenant using the Azure Portal  Cloud Application Administrator role assigned to your user account to register an application in your tenant.
- 8. Building Blocks Authentication Request Creates a new Authentication intent, constructs an Authorization Url and redirects the users browser. Callback Handler Retrieves the authorization code from the Identity Provider after successful authentication. (Screen or exposed REST API) Token Cache Caches access and refresh tokens for later retrieval. Token Handler Retrieves an access token from the token cache directly or performs a token refresh.
- 10. Walkthrough
- 11.  Master OAuth 2.0 Website  Microsoft Developer Program  Azure Portal  Microsoft Learn – Authorization Code Flow  Use the Microsoft Graph API documentation  Microsoft Graph Permission Reference  Microsoft Graph Explorer  OAuth Token Exchange Forge component  CryptoAPI Forge component Additional Material  Acquire and Link multiple OAuth Tokens to OutSystems users for delegated access  Getting started with OutSystems and Microsoft Graph— Delegated Permissions
- 12. Coming up Subscribe to Microsoft Graph API events  How to subscribe to individual events offered in Graph API.  How to securely consume triggered events in OutSystems.  How to refresh subscription authorization. When? January 2024
- 13. Stefan Weber Senior Director Software Development Telelink Business Services Germany GmbH OutSystems MVP – AWS Community Builder https://www.tbs.tech https://www.linkedin.com/in/stefanweber1/ https://lcnc.blog