Slidedeck presented during a webinar i held on13th December 2023 about how to consume Microsoft Graph API using user level permissions. Webinar Recording https://youtu.be/2cSsg5ws1H4

1. Microsoft Graph API and
OutSystems
Delegated Permissions
Access Microsoft Cloud Services via Graph API in
OutSystems
December 13th 10am (CET)
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder

2. Fundamentals
 Quick Recap of Part 1
 OAuth 2.0 Authorization Code Flow
 Application Sign In vs Account Linking
 Elements we need to build
Agenda
Implementation
 Prerequisites
 Register an application with Microsoft Identity Provider
(Entra ID)
 Build an Authorization Code Flow for Application Sign In
 Consume Graph API endpoints with OutSystems

3. OAuth 2.0
Authorization Code Flow
The OAuth 2.0 Authorization Code flow is designed for
applications to access a service API on-behalf of a user.
This flow requires the user to be redirected to the identity
provider to authenticate, after which they are redirected back to
the application with an authorization code. This code is then
exchanged for an access token by the application backend using
a client secret.
Authorization Code Flow with Proof Key Exchange (PKCE) is
originally designed for applications that cannot securely store a
client secret but will be mandatory in OAuth 2.1

4. OAuth 2.0 Authorization Code Flow - Tokens
Access Token
An OAuth 2.0 Access Token is a
credential used to access protected
resources on behalf of a resource
owner.
Issued by the authorization server, it
represents the grant of access given
to a client application.
This token does not contain
information about the user's identity;
instead, it is used to access APIs
securely.
OpenID Connect Token
This token contains claims about the
authentication of an end user and is
a JSON Web Token (JWT) that
includes information such as the
user's identity, the authentication
method used, and the token's validity
period
Refresh Token
An OAuth 2.0 refresh token is a
special kind of token that is used to
obtain a renewed access token when
it expired or became invalid.
The refresh token is used to securely
request a new access token without
requiring the user to go through the
authentication process again.
Refresh tokens are particularly useful
in applications that need to maintain
long-term access to a user's
resources hosted by a service
provider.

5. Application Sign In vs Account Linking
Sign In
A user authenticates himself via an external, OAuth 2.0-
compatible identity provider and is authorized as a user in
OutSystems.
Link Account
A user logs into OutSystems and then connects one or more
external accounts of applications that use an OAuth 2.0
compatible identity provider for authentication.

6. Implementation

7. Prerequisites
 Access to your Azure Tenant using the Azure Portal
 Cloud Application Administrator role assigned to your user
account to register an application in your tenant.

8. Building Blocks
Authentication Request
Creates a new Authentication intent,
constructs an Authorization Url and
redirects the users browser.
Callback Handler
Retrieves the authorization code
from the Identity Provider after
successful authentication. (Screen or
exposed REST API)
Token Cache
Caches access and refresh tokens for
later retrieval.
Token Handler
Retrieves an access token from the
token cache directly or performs a
token refresh.

9. Calls
{authorizationUrl}?
client_id={clientId}
&response_type=code
&redirect_uri={redirectUrl}
&response_mode=query
&scope=openid%20offline_access%20{scopes}
&state={state}
{redirectUrl}?
code={code}
&state={state}
&error={error}
&error_description={errorDescription}
{tokenEndpoint}
Content-Type: application/x-www-form-urlencoded
client_id={clientId}
&scope=openid%20offline_access%20{scopes}
&code={authorizationCode}
&redirect_uri={redirectUrl}
&grant_type=authorization_code
&client_secret={client_secret}
{tokenEndpoint}
Content-Type: application/x-www-form-urlencoded
client_id={clientId}
&scope=openid%20offline_access%20{scopes}
&refresh_token={refreshToken}
&grant_type=refresh_token
&client_secret={client_secret}
Redirect Callback
Exchange Code Refresh Token

10. Walkthrough

11.  Master OAuth 2.0 Website
 Microsoft Developer Program
 Azure Portal
 Microsoft Learn – Authorization Code Flow
 Use the Microsoft Graph API documentation
 Microsoft Graph Permission Reference
 Microsoft Graph Explorer
 OAuth Token Exchange Forge component
 CryptoAPI Forge component
Additional Material
 Acquire and Link multiple OAuth Tokens to OutSystems
users for delegated access
 Getting started with OutSystems and Microsoft Graph—
Delegated Permissions

12. Coming up
Subscribe to Microsoft Graph API events
 How to subscribe to individual events offered in Graph API.
 How to securely consume triggered events in OutSystems.
 How to refresh subscription authorization.
When?
January 2024

13. Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog