Microsoft Graph API (Onedrive REST APIs) get token with sign-in in a browser

PACHECO LLANOS, Aracely 56 Reputation points
2022-06-29T17:01:45.2+00:00

Hello,

I am coding a program to read and convert some files from one drive, and they are some code samples that I was using and it is working fine : https://github.com/microsoftgraph/python-sample-auth

However, for my final application I won't be able to open a browser and sign-in (using my credentials), I need to do it from the application without the need of a browser.

I am able to sign-in just when I use a browser. When I make some tests to get a token using "Call MsGraph with Secret" or "Call MsGraph with Certificate" (that I found in https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries). I had the following message: "/me request is only valid with delegated authentication flow."

I also tried https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow#service-to-service-access-token-request

So, the queries I tried:

  • https://login.microsoftonline.com/<Tenant>/oauth2/token?grant_type=client_credentials&client_id=<client-id>&client_secret=<client-secret>&resource=https://graph.microsoft.com
  • https://login.microsoftonline.com/<Tenant>/oauth2/token?grant_type=password&client_id=<client-id>&client_secret=<client-secret>&resource=https://graph.microsoft.com&username=<username>&password=<password>

The error I got:
"error": "invalid_request",
"error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: c75d427c-be61-40c6-b39f-36ca84db5400\r\nCorrelation ID: 943e1255-ee4c-492b-b6e4-57f073156196\r\nTimestamp: 2022-06-29 16:51:21Z",

Is there a way I can get a token, without the need to sign-in the browser (to avoid the redirection to the url in the browser, and then get the code to get the token)?

Best regards,

Aracely

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,519 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
3,123 questions
{count} vote

Accepted answer
  1. CarlZhao-MSFT 43,256 Reputation points
    2022-06-30T08:01:10.44+00:00

    Hi @PACHECO LLANOS, Aracely

    Both the client credential flow and the ROPC flow can obtain an access token without logging into the browser.

    Please use garph SDK:

    The client credentials flow is used to call the /users/{user id} endpoint.

        using Azure.Identity;  
        using Microsoft.Graph;  
              
        var scopes = new[] { "https://graph.microsoft.com/.default" };  
          
        // Multi-tenant apps can use "common",  
        // single-tenant apps must use the tenant ID from the Azure portal  
        var tenantId = "tenant id";  
          
        // Values from app registration  
        var clientId = "client id";  
        var clientSecret = "client secret";  
          
        // using Azure.Identity;  
        var options = new TokenCredentialOptions  
        {  
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud  
        };  
          
        // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential  
        var clientSecretCredential = new ClientSecretCredential(  
        tenantId, clientId, clientSecret, options);  
              
        var accessToken = await clientSecretCredential.GetTokenAsync(new Azure.Core.TokenRequestContext(scopes) { });  
          
        Console.WriteLine(accessToken.Token);  
      
    // get graphClient  
    //var graphClient = new GraphServiceClient(clientSecretCredential, scopes);  
    

    The ROPC flow is used to call the /me endpoint.

        using Microsoft.Graph;  
        using Azure.Identity;  
        using Azure.Core;  
          
        var scopes = new[] { "https://graph.microsoft.com/.default" };  
          
        // Multi-tenant apps can use "common",  
        // single-tenant apps must use the tenant ID from the Azure portal  
        var tenantId = "tenant id";  
          
        // Value from app registration  
        var clientId = "client id";  
          
          
        // using Azure.Identity;  
        var options = new TokenCredentialOptions  
        {  
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud  
        };  
          
        var userName = "username";  
        var password = "password";  
              
        // https://learn.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential  
        var userNamePasswordCredential = new UsernamePasswordCredential(  
            userName, password, tenantId, clientId, options);  
             
        var accessToken = await userNamePasswordCredential.GetTokenAsync(new TokenRequestContext(scopes) { });  
        Console.WriteLine(accessToken.Token);  
      
    //get graphClient  
    //var graphClient = new GraphServiceClient(userNamePasswordCredential, scopes);  
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.