Slide deck presented during a webinar I held on 13th December 2023 about how to consume the Microsoft Graph API using user-level (delegated) permissions.
Webinar Recording https://youtu.be/2cSsg5ws1H4
Microsoft Graph API and OutSystems Delegated Permissions
1. Microsoft Graph API and OutSystems Delegated Permissions
Access Microsoft Cloud Services via Graph API in OutSystems
December 13th 10am (CET)
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
2. Agenda
Fundamentals
Quick Recap of Part 1
OAuth 2.0 Authorization Code Flow
Application Sign In vs Account Linking
Elements we need to build
Implementation
Prerequisites
Register an application with Microsoft Identity Provider (Entra ID)
Build an Authorization Code Flow for Application Sign In
Consume Graph API endpoints with OutSystems
3. OAuth 2.0 Authorization Code Flow
The OAuth 2.0 Authorization Code flow is designed for applications that access a service API on behalf of a user. The flow requires the user to be redirected to the identity provider to authenticate; afterwards they are redirected back to the application with an authorization code. The application backend then exchanges this code for an access token using a client secret.
Authorization Code Flow with Proof Key for Code Exchange (PKCE) was originally designed for applications that cannot securely store a client secret, but it will be mandatory in OAuth 2.1.
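The two application-side steps of this flow, as an added example that is not part of the slide deck: the authorization request (with a random state and a PKCE verifier/challenge pair) and the callback handling that checks the state before the code is exchanged. The tenant id, client id and redirect URI are constructed placeholders; the endpoints are the Microsoft identity platform v2.0 ones referenced in the deck.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: substitute the values from your own Entra ID app registration.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id>"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"

def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_authentication_intent() -> dict:
    """Per-login state, stored server-side before the redirect: the state binds the
    callback to this intent, the verifier binds the code to this client."""
    return {"state": secrets.token_urlsafe(32), "code_verifier": secrets.token_urlsafe(64)}

def build_authorization_url(intent: dict, scopes) -> str:
    """Authorization request for the Microsoft identity platform v2.0 endpoint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),  # e.g. openid offline_access User.Read
        "state": intent["state"],
        "code_challenge": code_challenge_for(intent["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def handle_callback(callback_url: str, intent: dict) -> dict:
    """Callback handler: verify state, surface provider errors, and return the form
    body to POST to {AUTHORITY}/token (a confidential client adds client_secret)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != intent["state"]:
        raise ValueError("state mismatch: callback does not belong to this intent")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "code_verifier": intent["code_verifier"],
    }
```

The returned form body is what the Token Handler posts to the token endpoint; the intent (state and verifier) must be kept server-side between the two steps, never in the URL or in a client-readable cookie.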
4. OAuth 2.0 Authorization Code Flow - Tokens
Access Token
An OAuth 2.0 Access Token is a credential used to access protected resources on behalf of a resource owner. Issued by the authorization server, it represents the grant of access given to a client application. This token does not contain information about the user's identity; instead, it is used to access APIs securely.
OpenID Connect Token
This token contains claims about the authentication of an end user. It is a JSON Web Token (JWT) that includes information such as the user's identity, the authentication method used, and the token's validity period.
Refresh Token
An OAuth 2.0 refresh token is a special kind of token that is used to obtain a renewed access token when the current one has expired or become invalid. The refresh token is used to securely request a new access token without requiring the user to go through the authentication process again. Refresh tokens are particularly useful in applications that need to maintain long-term access to a user's resources hosted by a service provider.
5. Application Sign In vs Account Linking
Sign In
A user authenticates via an external, OAuth 2.0-compatible identity provider and is authorized as a user in OutSystems.
Link Account
A user logs into OutSystems and then connects one or more external accounts of applications that use an OAuth 2.0-compatible identity provider for authentication.
7. Prerequisites
Access to your Azure Tenant using the Azure Portal
Cloud Application Administrator role assigned to your user account to register an application in your tenant.
8. Building Blocks
Authentication Request
Creates a new Authentication intent, constructs an Authorization URL and redirects the user's browser.
Callback Handler
Retrieves the authorization code from the Identity Provider after successful authentication (Screen or exposed REST API).
Token Cache
Caches access and refresh tokens for later retrieval.
Token Handler
Retrieves an access token from the token cache directly or performs a token refresh.
11. Master OAuth 2.0 Website
Microsoft Developer Program
Azure Portal
Microsoft Learn – Authorization Code Flow
Use the Microsoft Graph API documentation
Microsoft Graph Permission Reference
Microsoft Graph Explorer
OAuth Token Exchange Forge component
CryptoAPI Forge component
Additional Material
Acquire and Link multiple OAuth Tokens to OutSystems
users for delegated access
Getting started with OutSystems and Microsoft Graph—
Delegated Permissions
12. Coming up
Subscribe to Microsoft Graph API events
How to subscribe to individual events offered in Graph API.
How to securely consume triggered events in OutSystems.
How to refresh subscription authorization.
When?
January 2024
13. Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog