Technical Articles
Using Microsoft Graph API with OAuth 2.0 Authorization Code via seperate Node.JS App within Multi Target Application
I. Introduction
The goal of this post is to provide concrete guidance on how to manage access to the Microsoft Graph API within the Cloud Foundry Environment. Furthermore, the post should enable you to retrieve these API calls within a MTA (Multi-Target-Application). The blog post primarily addresses authorization using the OAuth2 Authorization Code Flow.
The following Main Content (section II.) of the post is structured as follows and contains practical examples:
0. Prerequisities
1. Adjust your Multi Target Application
2. Integrate OAuth 2.0 Authorization Code Flow in Node.js
3. Call Microsoft Graph APIs within your Node.js Application
It is followed by a conclusion under section III.
II. Main Content
II.0. Prerequisites
Azure Active Directory
As already described in a previous blogpost, as to be able to connect to the Microsoft Graph API, you need an organizational directory/tenant in Microsoft Azure Active Directory and a user in this directory which has sufficient roles assigned to execute the API queries you want to use.
Detailed information about creating OAuth Client/App in Microsoft Azure Active Directory can be found under the respective header here:
Cloud Integration – Connect to Microsoft 365 Mail with OAuth2 | SAP Blogs
In addition I recommend to go trough the following quickstart tutorial:
Multitarget Application
The skeleton of the multitarget application was based on
(Building multi-target applications (MTA) for Cloud Foundry using your favorite IDE | SAP Blogs).
A detailed description about multitarget application in the SAP BTP, Cloud Foundry environment can be found here:
Multitarget Applications in the Cloud Foundry Environment – SAP Help Portal
IDE
In our Project Visual Studio Code is used with the following CLI:
Node.js/NPM (https://nodejs.org/)
SAP BTP, Cloud Foundry environment
Develop a Node.js App on SAP Cloud Platform | Developer mission
1. Adjust Multitarget Application
First, a Multitarget Application was built and deployed based on the skeleton included in the prerequisites:
In addition, xsuaa service was integrated.
Also, a new route was created within the xs-app.json file.
As soon as a authentication method named via xs-app.json is maintained as “route” is called, xsuaa is used to perform the login to SAP BTP, Cloud Foundry environment which is configured in xs-security.json
Corresponding changes have also been made within the multitarget application descriptor (mta.yaml).
For more information about these concepts please find:
SAP Application Router | SAP Blogs
MTA Deployment Descriptor Syntax – SAP Help Portal
II.2. Integrate OAuth 2.0 Authorization Code in Node.js
The following concepts are based on:
The Microsoft Authentication Library (MSAL) supports several authentication flows for use in different application scenarios.
MSAL authentication flows – Microsoft identity platform | Microsoft Docs
We decided to use the OAuth 2.0. Authorization Code flow.
The following steps needs to be executed as to be able to implement the OAuth 2.0. Authorization Code flow using MSAL library:
Configure the application
Open the index.js file.
Add a config object with details about our app registration and deployment.
The respective variables (clientid, authority, clientSecrect) can be found in your Azure Portal and can be hardcoded afterwards or for example extracted from user-provided variables setup in SAP BTP, Cloud Foundry environment.
If you want to use the environment variables, make sure the mta.yaml file has been adjusted properly:
Initialize MSAL Node at runtime
Make sure that the dependency of MSAL Node is added to our Node.js App.
Initialize the app object within your web app.
Configure Sign In Request
The route that requires the user to log in to the Microsoft account was used. Permissions have been inserted within it. In this example, the user is logged in immediately. The section that relates to the user must be selected. Next, the user is authenticated. In the next step, the authentication code is requested, which can be extracted via the query within the redirect-url.
The code is required to get an access token.
With this access token the respective MS Graph API calls can follow.
Please do not forget to maintain the redirect URL in your Azure Portal.
II.3. Call Microsoft Graph APIs
To do different Microsoft Graph API calls, you can explore the different possibilities in MS Graph Explorer.
A detailed description can be found in the following post under Step 1
Cloud Integration – Call Microsoft Graph API with OAuth 2.0 Authorization Code | SAP Blogs
Additional API calls that are not included in the Graph Explorer can be found here:
Microsoft Graph documentation | Microsoft Docs
To illustrate this in node.js I prepared a small example. This is about downloading a file from a Microsoft Sharepoint folder.
For this we use the accesstoken (described in II.) to access the corresponding Microsoft Graph API. The result here is a link which downloads the files when clicked.
III. Conclusion
After thoroughly elaborating this guide, you should be able to access the Microsoft Graph API within your MTA. If you are interested, I would like to encourage you to follow my post or profile to be informed about further blog posts. Here we could break down the topic and go into more detail on the individual concepts. In general and in this context, feedback is also welcome.
Nice job!