How to get authorization code dynamically depending on tenant ID using blazer Webassembly

Jacob Duncan 5

I am looking to dynamically create a Microsoft graph client at runtime where the tenant ID is changed dynamically every time it is created. I need to get a authorization code that is dependent on the tenant ID at runtime but I can not seem to make it work. I have tried both the Microsoft.Identity.Client; library and the Azure.Identity library but kept getting the error below. Does anyone know how I could achieve this or get around this error?

var authCodeCredential = new ClientSecretCredential (

    tenantId, clientId, clientSecret);




var graphClient = new GraphServiceClient(authCodeCredential, scopes);

Screenshot 2023-06-06 104244

Jacob Duncan 5 Reputation points

2023-06-06T19:50:04.93+00:00

It is important to note I am using Blazor WebAsembly and this is what is likely causing the issues with the libraries

2 answers

Bruce (SqlWork.com) 55,686 Reputation points

2023-06-06T22:33:40.3033333+00:00

it does not seem partially secure to use client secret with a web assembly. I'd probably supply a webapi to do the work.

You are correct, the HttpClient defined for blazor WASM is a subset of the actually HttpClient, as it uses js interop to create a tcp connection (WASM runs in a sandbox with no network, dom or file support). You could use the javascript graph api sdk and call with js interop, or using HttpClient call the Graph REST api directly rather than the sdk. It better documented anyway.

https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0

to get token with the REST api see:

https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http
Please sign in to rate this answer.
Jacob Duncan 5 Reputation points

2023-06-07T14:17:15.89+00:00

So ive attempted the https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http and using a HttpClient in general to get the token pretty hard but I get stuck on CORS errors for the resource to microsoft Graph. Do you know anyway around this?

Jacob Duncan 5 Reputation points

2023-06-07T14:18:12.17+00:00

Ideally I would just be able to achieve what im trying to do without setting up a proxy or blazor server

Bruce (SqlWork.com) 55,686 Reputation points

2023-06-07T16:55:39.2133333+00:00

you are correct. I checked and azure ad get token, does not support CORS. so Blazer WASM can not use clientid & secret to login as HttpClient() requires CORS for cross site calls.

as you are using azure ad, an azure function would be the cheapest proxy. not sure how you are hosting, but azure static websites support proxy to azure functions.

Jacob Duncan 5 Reputation points

2023-06-07T17:08:01.3233333+00:00

I just need to dynamically be able to get a authentication token dynamically depending on the tenant at runtime, do I have to resort to a proxy to do this? I dont care how its done I just have the user authorized under the common endpoint and want him to be able to pull data from a specific tenant at runtime and also be able to change the tenant at runtime

Bruce (SqlWork.com) 55,686 Reputation points

2023-06-07T17:37:39.7633333+00:00

your use case is not really clear.

if you want to authenticate with a tenantid, clientid and secret, then yes. if you do the more traditional ad user login with the ad user given access to the tenants app (clientid), then just use the msal library. see b2c logins.

note: if you use standard authentication, a browser redirect is done to get the access token (the is why CORS is not required). so when the user selects a tenant, a redirect and reload of the Blazor application (server or wasm) is required. so you may need to save state before the login.

if you save a refresh token by tenantid, then you can avoid the redirect until the token expires.

Jacob Duncan 5 Reputation points

2023-06-07T17:56:37.9933333+00:00

Okay, I though this was what I would have to end up doing but I was really trying to get around the redirect, my use case is we have around 50 tenants we manage and any user who goes onto the site is authorized to log into any of there tenants and call data they want from microsoft graph. The use case would be I click a selector and select grocerystore 1 and then any graph calls I make display all that data, then I could select another tenant hardwarestore 1 and now all graph calls would use this tenant

Yusra Yousef Ghannam 1 Reputation point

2023-06-07T19:13:26.5866667+00:00

Very good

Bruce (SqlWork.com) 55,686 Reputation points

2023-06-07T19:43:33.64+00:00

Like I suggested if you keep the refresh token in local storage for each tenant, then you could reduce the number of logins. This assume the users are not using public computers.
Sign in to comment
Jacob Duncan 5 Reputation points

2023-06-08T13:25:31.78+00:00

For anyone looking to achieve the same thing it is not directly possible to use this route as of 2023-06-08, at least that's what 4 days of debugging told me. I managed to achieve the desired result using Azure Functions as it can run server side code and make the calls on its end and requires 0 maintaining from us which was the goal. Appreciate the response though Bruce!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment