
Office 365 / OneDrive Integration - Microsoft Graph API with OAUTH 2.0 client_credentials grant type

I recently had the opportunity to use Office 365 / OneDrive. I was trying to programmatically save some generated (excel) documents to a folder in SharePoint / OneDrive using a back-end Java utility. Hopefully, this write up captures all of the details of how I was able to accomplish it. 

Overview of Technical Approach

Office 365 and OneDrive expose OAuth 2.0 protected APIs. To use them, an application must first be registered in the Azure Management Portal. Once it is registered, the OAuth 2.0 grant_type client_credentials can be used, which removes the user-consent flow entirely: a back-end application calls the APIs programmatically with its own identity.
There is no end user logging in to OneDrive. OneDrive's documentation describes how to create and register your application so that it can use these APIs.
Once an application is registered, a client_id and client_secret are issued to it for use in API calls. Before any API can be called, a JWT access_token must be generated with those credentials; that token is then presented on each API request.

Back-end Application Registration in Azure Management Portal

As mentioned above, in order to authenticate with Microsoft APIs we need to register an application in the Azure Management Portal. Registering the application gives us an application ID and a key (the client_id and client_secret), which are used when we generate JWT access tokens.

Required Back-end Application Permissions

Once the application above was created and registered, it needed to be granted the following permissions so that it can access the corresponding APIs.

Microsoft Graph
  - Read and write files in all site collections
  - Read files in all site collections
  - Read user files

Office 365 SharePoint Online
  - Read items in all site collections
  - Read and write items in all site collections
  - Read and write user files
  - Read user files

Windows Azure Active Directory
  - Application permissions: None
  - Sign in and read user profile

How to Generate a JWT Access Token

Once permissions are set up, we can generate a JWT access token. This token then can be used to access Microsoft APIs. Here is a curl statement you can use to generate a token. 

curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=XXXXXX&client_secret=XXXXXXXXXX&redirect_uri=https://backendappuri&resource=https://graph.microsoft.com/' "https://login.microsoftonline.com/azure_domain/oauth2/token"

  1. grant_type=client_credentials
  2. client_id=AS_REGISTERED_ABOVE
  3. client_secret=AS_REGISTERED_ABOVE
  4. redirect_uri=https://backendapplicationuri
  5. resource=https://graph.microsoft.com/ (This is important, as the rest of the document uses this API to access OneDrive.)

Here is the token response returned by the curl statement above.
{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1474314454",
  "not_before": "1474310554",
  "resource": "https://graph.microsoft.com/",
  "access_token": "xtfeyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKY19KWS1YejhtbXdtTzNwN1V5T0x1V1lNVnVwZVV5Z1hrb3gzLTlrNUdEZExpYjZKR19mX1h1aEJKQU9NRkQ3Q0xmdmtrSFZsN1RyVlEtdm5tTWY2R0NBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiWWJSQVFSWWNFX21vdFdWSktIcndMQmJkXzlzIiwia2lkIjoiWWJSQVFSWWNFX21vdFdWSktIcndMQmJkXzlzIn0.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.tUAZIfbla9ogzKWTIdTW8gy16kcyBJC03GS6_px-2olCa3Nw0o7CiaedgTKPREqL8mJm1fCHOEEI9doKFvHjcYRzkq75TtYYFAmxRDL-9j9x1l1KV9kWklk7tU11TTsOtMu88xsYvER9R0wS3a5COnoN0E93ysQPjCD1kHQpy2bEq08U-8Dn30OJT-YghP-tGHapvjfcEDlzZaIOzDVV7YBYCy0nKecXZIDsY_YCFsNoAp0UJzmDblLmTZE_SvVP82mDypXpElNeAU9XgT2T2cLrLG-LXd7b3R7YV_IA6i2tJPSxZtSO7HNheBtApRmwXs9jTNodOPDlm3jwTcYECQ"
}

Once the token is generated, you can use it to access Microsoft Graph APIs.

How to Call OneDrive API

Now that we have generated a JWT token, we can use it to call the OneDrive APIs that are exposed through the Graph API. The Graph API documentation is located at https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/drive. In the curl statement below, ACCESS_TOKEN holds the access_token value from the token response above.

curl -X GET -H "Authorization: Bearer $ACCESS_TOKEN" -H "Cache-Control: no-cache" "https://graph.microsoft.com/v1.0/drives/_DRIVE_ID/root/children"

In the curl statement above, the endpoint https://graph.microsoft.com/v1.0/drives/_DRIVE_ID/root/children was used. It takes a specific drive id and lists the children of that drive's root folder.
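The two steps above (client_credentials token request, then a Bearer call to list a drive's root children) combined into one small client, as an added example that is not part of the original write-up. It uses the same token endpoint, form fields and Graph URL as the curl commands, omits redirect_uri (the client_credentials grant has no browser redirect), checks that the token was issued for the Graph resource, and refreshes the cached token 60 seconds before expires_on so a request never goes out with a token that is about to expire; the `transport` and `clock` parameters are hypothetical hooks that let the flow run offline against a fake HTTP layer.

```python
import json
import time
import urllib.parse
import urllib.request

# azure_domain is the placeholder tenant from the write-up; replace with the real tenant.
TOKEN_URL = "https://login.microsoftonline.com/azure_domain/oauth2/token"
GRAPH_RESOURCE = "https://graph.microsoft.com/"


def default_transport(url, data=None, headers=None):
    """Real HTTP transport (urllib). Returns (status, body_text)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


class GraphClient:
    """Client-credentials token cache plus Bearer calls to Microsoft Graph."""

    def __init__(self, client_id, client_secret, transport=default_transport, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock = transport, clock   # injectable for offline tests
        self._token, self._expires_on = None, 0

    def _fetch_token(self):
        # Same fields as the curl command, minus redirect_uri (not used by this grant).
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "resource": GRAPH_RESOURCE,
        }).encode()
        status, text = self.transport(TOKEN_URL, body,
                                      {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        tok = json.loads(text)
        # A token minted for another resource would be rejected by Graph; fail early instead.
        if tok.get("token_type") != "Bearer" or tok.get("resource") != GRAPH_RESOURCE:
            raise RuntimeError("unexpected token_type or resource in token response")
        self._token = tok["access_token"]
        # expires_on is a Unix timestamp (as a string); refresh 60 s early to avoid edge 401s.
        self._expires_on = int(tok["expires_on"]) - 60

    def access_token(self):
        if self._token is None or self.clock() >= self._expires_on:
            self._fetch_token()
        return self._token

    def list_root_children(self, drive_id):
        """GET /v1.0/drives/{drive_id}/root/children and return the item names."""
        url = f"https://graph.microsoft.com/v1.0/drives/{urllib.parse.quote(drive_id)}/root/children"
        status, text = self.transport(url, None, {"Authorization": "Bearer " + self.access_token()})
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status}")
        return [item["name"] for item in json.loads(text)["value"]]
```

With the default transport, `GraphClient(client_id, client_secret).list_root_children(drive_id)` performs the real token request and Graph call; keep the client_secret in a secret store rather than in source.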
