OAuth/Azure: I'm trying to implement the MS Graph ...
# cfml-general
b
OAuth/Azure: I'm trying to implement the MS Graph version of this and it looks like I want to use the Mail.ReadWrite and Mail.Send permission for our scheduled task that reads and sends mail from a particular account. However, when I submitted a request for permission to our institution to do this, I was told they had to enable it for all accounts at our institution and couldn't just do it for the one account we need. Because of that, they will probably never grant the permission. Is there another way to approach this?
b
@Brian I assume you're registering an app in the Azure portal and those permissions are being assigned to the application? If you're not using delegated permissions (where a human logs in themselves and then the app is allowed to do things on their behalf) then I assume you're asking for app-level API permissions which require admin consent and I'm fairly sure those admin-level permissions would give the app the ability to send/receive mail for any user in active directory.
When you go to add permissions to a registered app in the Azure portal, you have these two choices
[attached screenshot: image.png]
The options are basically for "all" users or "any" user.
t
This is the same problem I've been banging my head against for about a year. There is a solution, where you can limit access to your app based on an ADS group. Let me see if I can find the docs for that for you.
b
I assume this is what they are talking about
t
It doesn't work well for my particular need, but it may work for you.
b
So far, my solution for scheduled jobs which need to send or receive E-mail from users, I just give the global permissions to the app, which yes-- makes it pretty powerful
b
That would be great if it did, @Tim. Yes, @bdw429s, your assumptions are correct.
b
Yeah, I'd love to know how to limit it since it always felt like there should be a way to be something other than delegated only or full bore!
t
My issue is that i develop an on-prem app, and I'm trying to find a method where I can distribute a solution that doesn't involve each of my clients having to set up their own app, and they can just use the one I make... Not sure I'll ever get that solved, and may just have to bite the bullet.
b
Sounds challenging.
b
https://stackoverflow.com/a/68923917/2166947
Graph API doesn't yet support such a feature.
😆
b
yeah, just found that link. It was linked in the comments of the SO question above
t
it might be that... I know the guys at the University of Illinois did this. I'm looking for their email.
b
That looks promising.
b
I appreciate they have a cool CLI interface via powershell, but I'm trying to figure out where in the heck the web GUI has this option, lol
t
Yeah, that seems to be the link you need. Most of my conversation must have happened on Zoom instead of email, but that link was in the relevant email.
b
I passed the link along to the almighty and powerful keepers of the keys. We'll see what happens.
b
Yeah, even this blog only shows creating the access policy via the CLI commandlet so I'm inclined to think perhaps there is no web interface for this?? https://practical365.com/application-access-policies-in-exchange-online/
b
I thought I'd just continue this in thread. I passed @Tim's article along and not only did they implement it, but they approved the two API permissions I asked for. I seem to be getting a legitimate token, but I'm not quite sure how to format the http request properly. All of the commands I've tried so far have returned the message, "Method Not Allowed." Does anyone have a working http call that they can share to get me started?
b
@Brian What specific endpoint are you trying to hit?
There's not a lot special about hitting MS's graph API. Once you have the JWT, you just pass it as a bearer token HTTP header
Which is really easy to setup with Hyper BTW since you can create a re-usable HTTP request "template" 🙂
```cfml
// Inject Hyper's request builder (ColdBox/WireBox DI)
property name="hyper" inject="HyperBuilder@hyper";

// Pass the access token (JWT) as a Bearer token in the Authorization header
var res = hyper.setHeader( "Authorization", "Bearer #rc.token#" ).get( "https://graph.microsoft.com/v1.0/me" );

// Only dump the parsed JSON body when the request succeeded
if( !res.isError() ) {
  dump( res.json() );
}
```
I've posted example code in the Lucee dev forums that show getting mail from graph API
b
I'm not working with ColdBox or Docker, so most of that made no sense. lol
So...I'm not sure why you brought Docker up. Did you mean to reply to a different thread by any chance?
Oh thank goodness! I was already confused so I thought maybe it was me and I was just totally lost.
b
Deleting my messages so I don't clutter the wrong thread 😉
b
Is there any good way to debug this? It seems like it throws the same, "Access token is empty" error for everything.
b
I would start by checking if your access token is empty 😆
b
I've checked every which way and it looks fine. Even tried different versions of the space between "Bearer" and the token.
b
Does it work in Postman?
That's where I did most of my experimenting and postman will add the bearer token for you to the header to ensure it's correct
b
No I haven't. I tried https://developer.microsoft.com/en-us/graph/graph-explorer/ but it hasn't been too helpful so far. I'll give postman a shot.
b
Just start by hitting the /me endpoint above
It's the simplest test you can do
takes 30 seconds in postman
[attached screenshot: image.png]
Once you have your JWT (which you can decode in any online JWT viewer) set postman to "bearer token" and paste the full JWT in. Then GET the me endpoint
Of course, in my screenshot, I used a token for a client-app flow and it's complaining that /me only works for a delegated flow, but you get the idea
You can get mail like so
```
https://graph.microsoft.com/v1.0/users/user%40domain.com/mailfolders/inbox/messages/
```