This demo shows how you would authorize a token call to Microsoft Graph for delegated permissions where a token response is required.
This setup involves an app registration in Azure Portal, as well as registered redirects and the appropriately selected API Permissions.
To run the below demo, grab the Web Host Utilities and drop it into your project.
Our redirect is https://localhost:7201/api/token - which is why our call to map the incoming HTTP request is /api/token.
PerigeeApplication.ApplicationNoInit("GraphDemo", (c) =>
{
//Graph and token endpoint
var dvGraph = new GraphClient(
c.GetValue<string>("graph:tenant"),
c.GetValue<string>("graph:client"),
c.GetValue<string>("graph:secret"),
c.GetValue<string>("graph:scope"),
c.GetValue<string>("graph:redirect"),
"",
c.GetLogger<Program>());
//Add token receive endpoint
c.AddMinimalAPI("TokenReceiver", 7201, (w) => {
w.MapGet("/api/token", ([FromQuery] string code, GraphClient graph) => { CredentialStore.RefreshAuthorizationCode(graph.credentialName, code); return Results.Ok("Got the new code! Thanks!"); }); },
(b,s) => s.AddSingleton<GraphClient>(dvGraph));
//Await a valid credential on load
var cred = CredentialStore.AwaitValidCredential(dvGraph.credentialName, c.GetCancellationToken()).GetAwaiter().GetResult();
c.GetLogger<_PerigeeStartup>().LogInformation("Authorized Account: {acc}", cred.JWTGetValue(cred.DecodeJWT(cred.Authorization), "unique_name"));
});
The appsettings.json:
"graph": {
"tenant": "tenantguid",
"client": "clientguid",
"secret": "secretkey",
"scope": "user.read Channel.ReadBasic.All Team.ReadBasic.All offline_access",
"redirect": "https://localhost:7201/api/token"
}
It's very important to include offline_access if you want to be able to refresh the token automatically.
For DataVerse
If you're trying to communicate with DataVerse, simply change the domain and scope parameters:
PerigeeApplication.ApplicationNoInit("GraphDemo", (c) =>
{
//Graph and token endpoint
var dvGraph = new GraphAPI(
c.GetValue<string>("graph:tenant"),
c.GetValue<string>("graph:client"),
c.GetValue<string>("graph:secret"),
c.GetValue<string>("graph:scope"),
c.GetValue<string>("graph:redirect"),
c.GetValue<string>("graph:domain"),
c.GetLogger<Program>());
//Add token receive endpoint
c.AddMinimalAPI("TokenReceiver", 7201, (w) => {
w.MapGet("/api/token", ([FromQuery] string code, GraphClient graph) => { CredentialStore.RefreshAuthorizationCode(graph.credentialName, code); return Results.Ok("Got the new code! Thanks!"); }); },
(b,s) => s.AddSingleton<GraphClient>(dvGraph));
//Await a valid credential on load
var cred = CredentialStore.AwaitValidCredential(dvGraph.credentialName, c.GetCancellationToken()).GetAwaiter().GetResult();
c.GetLogger<_PerigeeStartup>().LogInformation("Authorized Account: {acc}", cred.JWTGetValue(cred.DecodeJWT(cred.Authorization), "unique_name"));
//Pull DV
var Employees = dvGraph.GetDataVerseTable<Employees>("cr521_employees");
});
The appsettings.json:
"graph": {
"tenant": "tenantguid",
"client": "clientguid",
"secret": "secretkey",
"domain": "https://org1234567.api.crm.dynamics.com"
"scope": "https://org1234567.api.crm.dynamics.com/.default offline_access",
"redirect": "https://localhost:7201/api/token"
}
