AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Any way to get token that could be used for both Graph API and backend authentication in backend? #693

Closed wy193777 closed 6 years ago

wy193777 commented 6 years ago

Currently the JWT token acquired by this library and passed as the authentication field in the header cannot be used for the Graph API on the backend. Requesting directly from the frontend to query the graph API seems possible. But the token passed to the endpoint doesn't contain some necessary field for the graph API.

Or maybe there is a secret switch I don't know of to enable a Graph API token?

rohitnarula7176 commented 6 years ago

@wy193777 I don't believe I understand your question. You can use the id_token you receive during login to access your backend and then you can acquire an access token for the graph by specifying the graph as a resource in the acquireToken method. Can you please elaborate?

wy193777 commented 6 years ago

So in my case, the front end part doesn't need to access the Graph API. But the backend part needs to get the user's group information to identify if users have permission to do certain operations. But the token acquired by adaljs and sent in the Authorization field when making a request to the backend couldn't be used to access the graph API. It at least doesn't contain the 'scp' field that contains permission information.

Currently the token sent to the backend could be verified using the Azure provided public key, but the graph API will tell me the token isn't in the right form.

wy193777 commented 6 years ago

So I guess to let the backend service use tokens sent from the frontend to access the graph API, I need to insert the token acquired by the 'acquireToken' method into another field in the header?

GageAmes commented 6 years ago

@wy193777 if your Azure AD application has permission to access the Graph API, you should be able to obtain an access_token from ADAL's acquireToken() method (using your application's App ID URI for the resource parameter) and pass that token to your backend via the Authorization header (instead of passing the id_token). I believe your backend can then redeem that access_token for a token to call the Graph API.

@rohitnarula7176 if this.config.loginResource is provided as the application's App ID URI, couldn't the login() method obtain an id_token and an access_token at the same time by passing id_token token and this.config.loginResource to _getNavigateUrl() here? If I'm understanding this correctly, it might be a nice optimization so that a separate call to acquireToken() isn't required when a loginResource is specified.
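
The distinction GageAmes draws (pass the access_token obtained for the App ID URI, not the id_token) is what the backend should enforce. The following is an added example, not code from the ADAL.js project or from anyone in this thread: a backend-side claim check that refuses a token whose audience is the SPA's own client id or that carries no scp/roles claim. The client id, App ID URI, issuer and claim values are constructed assumptions, and the third JWT segment is a placeholder rather than a signature; a real service verifies the signature against the tenant's published signing keys before any of these claims are trusted.

```javascript
// Added example (not ADAL.js project code). Inspects the claim set of a bearer
// token presented to a backend API and reports why it is or is not acceptable.
// All identifiers and claim values below are constructed for illustration.

const SPA_CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // assumed SPA client id
const API_APP_ID_URI = "api://example-backend";               // assumed App ID URI

// Encode an object as an unpadded base64url JSON segment, as JWTs use.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

// Decode one base64url segment back into a JSON object.
function b64urlDecode(seg) {
  const pad = seg.length % 4 === 0 ? "" : "=".repeat(4 - (seg.length % 4));
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Build a constructed JWT: header.payload.<placeholder>. The third segment is
// not a signature and is never verified in this example.
function makeToken(claims) {
  const header = { typ: "JWT", alg: "RS256", kid: "constructed-kid" };
  return `${b64urlEncode(header)}.${b64urlEncode(claims)}.placeholder-signature`;
}

// Extract the payload claims of a compact JWS; throws on malformed input.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return b64urlDecode(parts[1]);
}

// Decide whether a presented bearer token is an access token for this API.
// Returns { ok, problems } so the caller can log the reason for a refusal.
function checkBearer(token, expectedAudience, now = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(token);
  const problems = [];
  if (c.aud !== expectedAudience) {
    problems.push(`aud is "${c.aud}", expected "${expectedAudience}"` +
      (c.aud === SPA_CLIENT_ID ? " (looks like the SPA's id_token)" : ""));
  }
  if (typeof c.exp !== "number" || c.exp <= now) {
    problems.push("token is expired or has no exp claim");
  }
  const hasScp = typeof c.scp === "string" && c.scp.trim().length > 0;
  const hasRoles = Array.isArray(c.roles) && c.roles.length > 0;
  if (!hasScp && !hasRoles) {
    problems.push("no scp or roles claim: token carries no permissions for this API");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample tokens: what login() returns (id_token) versus what
// acquireToken(API_APP_ID_URI) returns (access_token for the backend).
const ID_TOKEN = makeToken({
  aud: SPA_CLIENT_ID, iss: "https://sts.windows.net/tenant-placeholder/",
  sub: "user-subject", exp: 1700000000,
});
const ACCESS_TOKEN = makeToken({
  aud: API_APP_ID_URI, iss: "https://sts.windows.net/tenant-placeholder/",
  sub: "user-subject", scp: "user_impersonation", exp: 1700000000,
});

const NOW = 1600000000; // fixed clock so the run is repeatable
console.log("id_token:", checkBearer(ID_TOKEN, API_APP_ID_URI, NOW));
console.log("access_token:", checkBearer(ACCESS_TOKEN, API_APP_ID_URI, NOW));
```

Run as-is with Node; the id_token is refused on two counts (wrong audience, no permissions claim) while the access_token acquired for the App ID URI passes. The audience check is the one that matters most: a token minted for the SPA itself must not be accepted by the API even when its signature is valid, because it was never issued to grant access to that resource.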

wy193777 commented 6 years ago

@GageAmes Thanks for the reply. After some experimentation and research, I decided to use Microsoft Graph (not Azure AD Graph) with application permission, which means a client secret key is enough for calling the Microsoft Graph API.

By the way, there are two graph APIs. One is called Microsoft Graph API and one is called Azure AD Graph API. You can set Microsoft Graph API permission for Azure AD apps on the Azure portal, not the permission for Azure AD Graph API. It's pretty misleading.

rohitnarula7176 commented 6 years ago

@wy193777 Thank you for your feedback.

crspybits commented 5 years ago

I wonder if this is related to my question at: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/683