Automating Acquisition of User Access Token

Gabriel Pillay 61 Reputation points
2022-11-03T14:36:47.8+00:00

Hi there,
I hope you are well.

I have been developing a script which is ultimately intended to run automatically on a trigger (functionality: pulling Outlook calendar information). Thus far I have been using acquire_token_by_authorization_code and manually copying and pasting an authorisation code from my browser into my program for it to run. I have coded all my desired functionality and would now like to automate this process.

I have tried acquire_token_silent with the same client instance as when I used acquire_token_by_authorization_code but this generates an access token with idtyp: app. However, I need a user access token with scope Calendars.Read / Calendars.Read.Shared.

I define client instance as:

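    import msal

    # Confidential client: the app authenticates with its own client secret.
    # appID, clientSecret and authority_url are defined elsewhere in the script.
    client_instance = msal.ConfidentialClientApplication(
        client_id=appID,
        client_credential=clientSecret,
        authority=authority_url,
    )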

I have also tried acquire_token_by_username_password unsuccessfully and saw the many forum posts advising against this approach. Is this approach still possible?

Please may I have some advice on how to automate the token generation process.
Any suggestions, steps or sample code would be appreciated.

Have a great day,
Gabriel Pillay


Accepted answer
  1. Shweta Mathur 29,681 Reputation points Microsoft Employee
    2022-11-08T08:13:53.713+00:00

    Hi @Gabriel Pillay ,

    Thanks for reaching out.

    I understand you are looking to retrieve the access token.

    First, let me clarify the difference between an ID token and an access token.

    ID token - A JWT that contains claims that you can use to identify users in your application.

    Access token - A JWT that contains claims that you can use to identify the granted permissions to your APIs. Access tokens are signed by Azure Active Directory. An access token contains claims that you can use in Azure Active Directory to identify the granted permissions to your APIs.

    As you are looking for a token with scopes, that should be an access token. An access token can be retrieved using different OAuth flows based on the application type and scenario.

    The authorization code flow is generally used for applications that require user interaction, whereas the ROPC flow is used to retrieve an access token where the user's credentials need to be passed along to acquire the token.

    The ROPC flow is still supported, but Microsoft does not recommend using it, as it is less secure than the other flows because it carries the risks of having credentials. Also, ROPC does not support MFA and SSO.

    Microsoft provides different authentication libraries to retrieve security tokens and call protected web APIs in your apps.
    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows

    MSAL first tries to acquire the token silently, using the acquireTokenSilent method to check the cache. If no credentials are stored in the cache, MSAL will acquire the token interactively.

    publicClientApplication
      .acquireTokenSilent(accessTokenRequest)
      .then(function (accessTokenResponse) {
        let accessToken = accessTokenResponse.accessToken;
        callApi(accessToken);
      })
      .catch(function (error) {
        // Acquire token silent failure, and send an interactive request
        if (error instanceof InteractionRequiredAuthError) {
          publicClientApplication
            .acquireTokenPopup(accessTokenRequest)
            .then(function (accessTokenResponse) {
              // Acquire token interactive success
              let accessToken = accessTokenResponse.accessToken;
              // Call your API with token
              callApi(accessToken);
            })
            .catch(function (error) {
              // Acquire token interactive failure
              console.log(error);
            });
        }
        console.log(error);
      });

    Hope this will help. If you have any related questions, please let us know to help you further.

    Thanks,
    Shweta

    -------------------------------

    Please remember to "Accept Answer" if answer helped you.
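
The silent-from-cache pattern in the answer, applied to the asker's Python script, as an added example that is not code from either poster or from MSAL itself. It assumes `app` is the MSAL client built with a persisted `msal.SerializableTokenCache` that already holds a refresh token from one interactive sign-in, and that scopes are given in their short form (`Calendars.Read`); `token_claims`, `is_delegated`, `acquire_user_token` and `sample_jwt` are hypothetical helper names.

```python
import base64
import json

def token_claims(access_token):
    """Decode a JWT payload for troubleshooting only (no signature validation)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def is_delegated(claims, required_scopes):
    """True only for a user token whose scp claim covers required_scopes."""
    if claims.get("idtyp") == "app" or "scp" not in claims:
        return False  # app-only token: permissions arrive in "roles", not "scp"
    return set(required_scopes) <= set(claims["scp"].split())

def acquire_user_token(app, scopes):
    """Silent, cache-backed acquisition for an unattended run.

    Returns None when a person has to sign in again, rather than
    handing back an app-only token that lacks the user's scopes.
    """
    accounts = app.get_accounts()
    if not accounts:
        return None  # cache is empty: nothing to refresh silently
    result = app.acquire_token_silent(scopes, account=accounts[0])
    if not result or "access_token" not in result:
        return None  # refresh token expired or revoked, or consent missing
    if not is_delegated(token_claims(result["access_token"]), scopes):
        return None
    return result["access_token"]

def sample_jwt(claims):
    """Constructed, unsigned sample token used only by the demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return "e30." + body.rstrip(b"=").decode() + ".sig"

if __name__ == "__main__":
    # Constructed samples: one app-only token, one delegated user token.
    app_only = sample_jwt({"idtyp": "app", "roles": ["Calendars.Read"]})
    user = sample_jwt({"scp": "Calendars.Read User.Read"})
    for token in (app_only, user):
        print(is_delegated(token_claims(token), ["Calendars.Read"]))
```

Protect the serialized cache file like a credential, since it holds a refresh token for the signed-in user.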
