
Get Microsoft accessToken silently

I'm trying to connect to the Graph API and get a user access token.

My problem is that I don't know how to connect to the Graph API with credentials silently (without a browser).

I currently use MSLogin() to get the access token, but it opens a browser where you can authorize an AzureAD app to get some access to your account. A library in Java is literally what I want in C#: https://github.com/Litarvan/OpenAuth

I need something like: MSGraph.ConnectAsync(email, pass).getAccessToken();

Here is my current code (through a browser):

private const string ClientId = "520f6e8e-xxxxxxxxxxxxxxxxxxxx";
private string[] scopes = { "https://graph.microsoft.com/user.read" };

private static AuthenticationResult authResult;
public static IPublicClientApplication PublicClientApp;

private async Task<AuthenticationResult> MSLogin()
{
    PublicClientApp = PublicClientApplicationBuilder.Create(ClientId).WithRedirectUri("msal520f6e8e-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx://auth").Build();
    authResult = await PublicClientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
    return authResult;
}

If you are using the Microsoft Graph .NET Client Library, you can check the documentation, which has an example of how to implement the username/password authentication flow.

string[] scopes = {"User.Read"};

var usernamePasswordCredential = new UsernamePasswordCredential("username@domain.com", "password", tenantId, clientId);

var graphClient = new GraphServiceClient(usernamePasswordCredential, scopes);

var me = await graphClient.Me.Request().GetAsync();

You can use AcquireTokenByUsernamePassword() for that, see MSDN.

Note however that Microsoft discourages usage of this flow, and depending on your AzureAD setup there might be restrictions (i.e. you can acquire tokens only within a certain IP range etc.).

Well, you can get the access token silently, but not the first time. First, a user must authorize your app by going through Microsoft's login flow, and for your subsequent calls to Microsoft, you can get the access token without the intervention of the user.

I would just give a basic idea, without focusing on a specific SDK that you might be using. From that, you can decide whichever method suits your needs.

  1. I assume you already have your credentials and desired scopes with you; otherwise you need to obtain those.
  2. Formulate a proper URL using the credentials you obtained, plus you need to add an extra scope in the URL, which is offline_access. Then you need to redirect the user to Microsoft for the initial authorization.
  3. If the user logs in successfully, Microsoft will redirect the user back to your website with an Authorization Code.
  4. Grab that Authorization Code and exchange it for an Access Token using the /oauth2/{version}/token API.
  5. You will receive a response from the above call which will contain an Access Token along with a Refresh Token. You need to store the refresh token somewhere for future use.

Now comes the interesting part.

  1. Using the refresh token, you can renew the access token when it expires without the user's intervention. You can use the oauth2/v2.0/token API with parameters:
client_id={your_client_id}&scope={your_scopes}&refresh_token={refresh_token_obtained}&grant_type=refresh_token&client_secret={your_client_secret}

The resultant response would look something like this:

{
    "access_token": "new access token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "your scopes",
    "refresh_token": "refresh token"
}

REF: https://docs.microsoft.com/en-us/graph/auth-v2-user#authorization-request
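The "interactive once, silent afterwards" pattern from the answer above, written against MSAL.NET (the library used in the question), as an added example that is not part of the original posts. The class name `SilentLogin`, the cache file path and the client ID placeholder are assumptions, and the cache encryption uses Windows DPAPI (`ProtectedData`), so the stored refresh token is readable only by the current Windows user.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class SilentLogin  // hypothetical helper class for this example
{
    private const string ClientId = "<your-client-id>";  // placeholder
    private static readonly string[] Scopes = { "https://graph.microsoft.com/user.read" };
    // Assumed cache location; MSAL keeps the refresh token inside this blob.
    private static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "msal_cache.bin");
    private static readonly IPublicClientApplication App = BuildApp();

    private static IPublicClientApplication BuildApp()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithDefaultRedirectUri().Build();
        // Load the persisted cache before MSAL reads it.
        app.UserTokenCache.SetBeforeAccess(args =>
        {
            if (File.Exists(CachePath))
                args.TokenCache.DeserializeMsalV3(ProtectedData.Unprotect(
                    File.ReadAllBytes(CachePath), null, DataProtectionScope.CurrentUser));
        });
        // Persist it, DPAPI-encrypted, whenever MSAL changes it (e.g. token renewed).
        app.UserTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
                File.WriteAllBytes(CachePath, ProtectedData.Protect(
                    args.TokenCache.SerializeMsalV3(), null, DataProtectionScope.CurrentUser));
        });
        return app;
    }

    public static async Task<AuthenticationResult> GetTokenAsync()
    {
        var account = (await App.GetAccountsAsync()).FirstOrDefault();
        try
        {   // Cached access token, or a new one redeemed from the cached refresh token.
            return await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {   // First run, or the refresh token expired or was revoked: sign in once.
            return await App.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }
}
```

No password is stored or handled by the application in this pattern; revoking the user's sessions in the directory invalidates the cached refresh token and forces the interactive branch again.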
