
Using Microsoft Graph API with OAuth 2.0 Authorization Code via separate Node.js App within Multi Target Application

I. Introduction

The goal of this post is to provide concrete guidance on how to manage access to the Microsoft Graph API within the Cloud Foundry environment. Furthermore, the post should enable you to use these API calls within an MTA (Multi-Target Application). The blog post primarily addresses authorization using the OAuth 2.0 Authorization Code flow.

Microsoft identity platform and OAuth 2.0 authorization code flow – Microsoft identity platform | Microsoft Docs

The following Main Content (section II.) of the post is structured as follows and contains practical examples:

0. Prerequisites

1. Adjust your Multi Target Application

2. Integrate OAuth 2.0 Authorization Code Flow in Node.js

3. Call Microsoft Graph APIs within your Node.js Application

It is followed by a conclusion under section III.

 

II. Main Content

II.0. Prerequisites

Azure Active Directory

As already described in a previous blog post, to connect to the Microsoft Graph API you need an organizational directory/tenant in Microsoft Azure Active Directory and a user in this directory who has sufficient roles assigned to execute the API queries you want to use.

Detailed information about creating an OAuth client/app in Microsoft Azure Active Directory can be found under the respective header here:

Cloud Integration – Connect to Microsoft 365 Mail with OAuth2 | SAP Blogs

In addition, I recommend going through the following quickstart tutorial:

Quickstart: Add Authentication to a Node web app with MSAL Node – Microsoft identity platform | Microsoft Docs

Multitarget Application

The skeleton of the multitarget application was based on

(Building multi-target applications (MTA) for Cloud Foundry using your favorite IDE | SAP Blogs).

A detailed description of multitarget applications in the SAP BTP, Cloud Foundry environment can be found here:

Multitarget Applications in the Cloud Foundry Environment – SAP Help Portal

IDE

In our project, Visual Studio Code is used with the following CLI:

Node.js/NPM (https://nodejs.org/)

SAP BTP, Cloud Foundry environment

Develop a Node.js App on SAP Cloud Platform | Developer mission

II.1. Adjust Multitarget Application

First, a Multitarget Application was built and deployed based on the skeleton included in the prerequisites:

 

In addition, the xsuaa service was integrated.

 

Also, a new route was created within the xs-app.json file.

As soon as a route that has an authentication method maintained in xs-app.json is called, xsuaa is used to perform the login to the SAP BTP, Cloud Foundry environment, as configured in xs-security.json.

Corresponding changes have also been made within the multitarget application descriptor (mta.yaml).

For more information about these concepts, see:

SAP Application Router | SAP Blogs

MTA Deployment Descriptor Syntax – SAP Help Portal

II.2. Integrate OAuth 2.0 Authorization Code in Node.js

 

The following concepts are based on:

microsoft-authentication-library-for-js/samples/msal-node-samples/standalone-samples/auth-code at dev · AzureAD/microsoft-authentication-library-for-js (github.com)

The Microsoft Authentication Library (MSAL) supports several authentication flows for use in different application scenarios.

MSAL authentication flows – Microsoft identity platform | Microsoft Docs

We decided to use the OAuth 2.0 Authorization Code flow.

Microsoft identity platform and OAuth 2.0 authorization code flow – Microsoft identity platform | Microsoft Docs

The following steps need to be executed to implement the OAuth 2.0 Authorization Code flow using the MSAL library:

Configure the application

Open the index.js file.

Add a config object with details about our app registration and deployment.

The respective variables (clientId, authority, clientSecret) can be found in your Azure Portal and can be hardcoded afterwards or, for example, extracted from user-provided variables set up in the SAP BTP, Cloud Foundry environment.

 

If you want to use the environment variables, make sure the mta.yaml file has been adjusted properly:

Initialize MSAL Node at runtime

Make sure that the dependency of MSAL Node is added to our Node.js App.

Initialize the app object within your web app.

Configure Sign In Request

The route that requires the user to log in to the Microsoft account is used, and the permissions are set within it. In this example, the user is logged in immediately. The section that relates to the user must be selected. Next, the user is authenticated. In the next step, the authorization code is requested; it can be extracted from the query string of the redirect URL.

The code is required to get an access token.

With this access token the respective MS Graph API calls can follow.

Please do not forget to maintain the redirect URL in your Azure Portal.
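
The sign-in step described above, as an added example that is not the author's code: it builds the authorize request and checks the redirect before the code is exchanged, using only Node's standard library rather than MSAL. The `state` and PKCE values go beyond what the post describes, and the tenant, client ID and redirect URI are constructed placeholders.

```javascript
// Added example: authorization-code request and callback validation, standard library only.
const crypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Build the sign-in URL plus the per-login values that must be kept in the user's session.
function buildAuthRequest({ tenant, clientId, redirectUri, scopes }) {
  const state = b64url(crypto.randomBytes(16));        // binds the callback to this session
  const codeVerifier = b64url(crypto.randomBytes(32)); // PKCE secret, never placed in the URL
  const codeChallenge = b64url(crypto.createHash('sha256').update(codeVerifier).digest());
  const url = new URL(
    `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId, response_type: 'code', response_mode: 'query',
    redirect_uri: redirectUri, scope: scopes.join(' '),
    state, code_challenge: codeChallenge, code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), session: { state, codeVerifier } };
}

// Validate the redirect before the code is exchanged for an access token.
function parseCallback(callbackUrl, session) {
  const q = new URL(callbackUrl).searchParams;
  if (q.has('error')) throw new Error(`authorization failed: ${q.get('error')}`);
  const got = Buffer.from(q.get('state') || '');
  const expected = Buffer.from(session.state);
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    throw new Error('state mismatch: callback does not belong to this session');
  }
  const code = q.get('code');
  if (!code) throw new Error('no authorization code in callback');
  return { code, codeVerifier: session.codeVerifier }; // inputs for the token request
}

// Constructed demo values; none of these identify a real tenant or app.
const demo = buildAuthRequest({
  tenant: 'common', clientId: '00000000-0000-0000-0000-000000000000',
  redirectUri: 'https://app.example/redirect', scopes: ['user.read'],
});
const demoCallback = `https://app.example/redirect?code=SAMPLE&state=${demo.session.state}`;
console.log(parseCallback(demoCallback, demo.session).code);
```

The returned `code` and `codeVerifier` are what the token request needs; the `session` object has to be stored server-side between the redirect to Microsoft and the callback.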

 

II.3. Call Microsoft Graph APIs

To try out different Microsoft Graph API calls, you can explore the possibilities in MS Graph Explorer.

A detailed description can be found in the following post under Step 1:

Cloud Integration – Call Microsoft Graph API with OAuth 2.0 Authorization Code | SAP Blogs

Additional API calls that are not included in the Graph Explorer can be found here:

Microsoft Graph documentation | Microsoft Docs

To illustrate this in Node.js, I prepared a small example. It downloads a file from a Microsoft SharePoint folder.

For this we use the access token (described in II.2.) to access the corresponding Microsoft Graph API. The result here is a link which downloads the file when clicked.
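
One way to write the SharePoint download lookup described above (an added example, not the author's code). It assumes the folder is addressed by drive ID and path; the drive ID, token, host and response body are constructed placeholders.

```javascript
// Added example (not the post's code): find download links in a SharePoint folder via Graph.
const GRAPH = 'https://graph.microsoft.com/v1.0';

// Build the request for a folder's children in one document library (drive).
function folderRequest(driveId, folderPath, accessToken) {
  const segments = folderPath.split('/').filter(Boolean);
  if (!segments.length || segments.some((s) => s === '.' || s === '..')) {
    throw new Error('invalid folder path');
  }
  // Encode each segment so a folder name cannot change the request path.
  const path = segments.map(encodeURIComponent).join('/');
  return {
    url: `${GRAPH}/drives/${encodeURIComponent(driveId)}/root:/${path}:/children`,
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// Keep files only (folders carry no download URL) and accept HTTPS links only.
function downloadLinks(body) {
  const key = '@microsoft.graph.downloadUrl';
  return (body.value || [])
    .filter((item) => item.file && /^https:\/\//i.test(String(item[key] || '')))
    .map((item) => ({ name: item.name, href: item[key] }));
}

// The link is pre-authenticated and short-lived, so keep its query string out of logs.
function redactForLog(href) {
  const u = new URL(href);
  return `${u.origin}${u.pathname}?<redacted>`;
}

// Wire the two together; fetchImpl is injectable so the logic can be exercised offline.
async function listDownloads(driveId, folderPath, accessToken, fetchImpl = fetch) {
  const { url, headers } = folderRequest(driveId, folderPath, accessToken);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`Graph returned HTTP ${res.status}`);
  return downloadLinks(await res.json());
}

// Constructed sample of a children response; names, host and token are placeholders.
const SAMPLE = { value: [
  { name: 'Archive', folder: { childCount: 3 } },
  { name: 'report.pdf', file: { mimeType: 'application/pdf' },
    '@microsoft.graph.downloadUrl':
      'https://contoso.sharepoint.com/_layouts/15/download.aspx?UniqueId=0000&tempauth=CONSTRUCTED' },
] };
console.log(downloadLinks(SAMPLE).map((l) => `${l.name} -> ${redactForLog(l.href)}`));
```

Because the download link works without an `Authorization` header, anyone who obtains it can fetch the file until it expires; hand it only to the authenticated user who requested it.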

III. Conclusion

After working through this guide, you should be able to access the Microsoft Graph API within your MTA. If you are interested, I would like to encourage you to follow my post or profile to be informed about further blog posts. Here we could break down the topic and go into more detail on the individual concepts. In general and in this context, feedback is also welcome.
