I'm implementing the Microsoft Graph APIs using the Client Credentials Grant Flow, as explained at https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service. Also, the app was registered at https://apps.dev.microsoft.com/.
The aim here is to allow our web application to perform actions like checking the calendars of our users and sending mail on their behalf, without each user being required to authenticate and grant access to the application. The idea is to make it transparent to them.
So I think I've got it working, but wanted to clarify a few things.
Admin Consent only provides consent for the permissions that were registered at the time consent was granted. So yes, if you change permissions you will also need to repeat Admin Consent before your application will receive the new scopes.
An Access Token only lives for a short period of time by design. You shouldn't request a new token with every request since that adds needless overhead. Instead, you should request a new token only after it has expired.
The response from AAD that contains your token will also provide the expiration time:
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJ...",
  "expires_in": 3599,
  "token_type": "Bearer",
  "scope": "https://graph.microsoft.com/mail.read https://graph.microsoft.com/user.read"
}
You can hydrate the token response into an object along with the time the object was created. Before making a call to the Graph, you check the expiration time to determine if your app needs to refresh the token beforehand.
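The caching pattern described in the answer, as an added example (not code from the question, the answer, or Microsoft): the token response is hydrated into an object together with the time it was obtained, and a new client credentials request is made only once the cached token is within a safety margin of its expiry. The tenant id, client id and secret are placeholders, the `fetch` callable stands in for the HTTP POST to the token endpoint so the script runs offline, the 60-second skew margin is a design choice assumed here, and the sample response is constructed from the one quoted above (its `access_token` is a truncated placeholder, not a real token).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Constructed sample, shaped like the AAD token response quoted in the answer.
# The access_token value is a truncated placeholder, not a real token.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "eyJ0eXAiOiJKV1QiLCJ...",
    "expires_in": 3599,
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/mail.read https://graph.microsoft.com/user.read",
}

# Placeholder app registration values (assumed; replace with your own registration).
TENANT_ID = "<your-tenant-id>"
CLIENT_ID = "<your-client-id>"
CLIENT_SECRET = "<your-client-secret>"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Return (token_endpoint, form_body) for the v2 endpoint client credentials grant.

    With the v2 endpoint the requested scope is the resource's /.default, which asks
    for the application permissions an administrator has already consented to.
    """
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return endpoint, body


@dataclass
class CachedToken:
    """The token response hydrated with the time it was obtained."""
    access_token: str
    token_type: str
    obtained_at: float   # seconds since epoch, taken from the injected clock
    expires_in: int      # lifetime in seconds as reported by AAD

    def expires_at(self) -> float:
        return self.obtained_at + self.expires_in

    def is_expired(self, now: float, skew: float = 60.0) -> bool:
        # Treat the token as expired `skew` seconds early so a Graph call that is
        # in flight when the token actually lapses is not rejected with a 401.
        return now >= self.expires_at() - skew


class TokenCache:
    """Hands out a bearer token, contacting AAD only when the cached one is expired.

    `fetch` performs the POST to the token endpoint and returns the parsed JSON
    (assumed interface); `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, fetch: Callable[[], Dict], clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._clock = clock
        self._cached: Optional[CachedToken] = None
        self.fetch_count = 0   # number of real round trips to the token endpoint

    def get(self) -> CachedToken:
        now = self._clock()
        if self._cached is None or self._cached.is_expired(now):
            resp = self._fetch()
            self.fetch_count += 1
            self._cached = CachedToken(
                access_token=resp["access_token"],
                token_type=resp["token_type"],
                obtained_at=now,
                expires_in=int(resp["expires_in"]),
            )
        return self._cached

    def authorization_header(self) -> Dict[str, str]:
        tok = self.get()
        return {"Authorization": f"{tok.token_type} {tok.access_token}"}


def simulate(calls_at: list) -> int:
    """Drive the cache at the given timestamps (seconds) and return how many token
    fetches happened. With a 3599 s lifetime and a 60 s skew, a refetch occurs only
    for a call at or after t = 3539 relative to the previous fetch."""
    t = {"now": 0.0}
    cache = TokenCache(fetch=lambda: dict(SAMPLE_TOKEN_RESPONSE), clock=lambda: t["now"])
    for ts in calls_at:
        t["now"] = float(ts)
        cache.authorization_header()
    return cache.fetch_count


if __name__ == "__main__":
    endpoint, body = client_credentials_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print("POST", endpoint)
    print(body)
    print("fetches for five calls inside one lifetime:", simulate([0, 10, 1000, 3000, 3538]))
    print("fetches when a call lands inside the skew window:", simulate([0, 3539, 3600]))
```

If the application changes its registered permissions, the admin has to consent again before the `.default` request yields the new scopes; until then the token response will simply not list them, so checking the returned `scope` against what the app expects is a cheap way to catch a stale consent.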