2

It appears via the OneDrive API documentation that a user must always "authenticate" using a web-browser to access the OneDrive API. This is not helpful for system accounts. Am I interpreting this correctly? Or is there a way to achieve step one without a browser:

Step 1. Get an authorization code

To start the sign-in process with the code flow, use a web browser or web-browser control to load this URL request.

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope={scope}
  &response_type=code&redirect_uri={redirect_uri}

https://dev.onedrive.com/auth/graph_oauth.htm#code-flow

tjcinnamon

1 Answer

1

What you're looking for is an App-Only integration. See "Get access without a user" for details on how this process works.

Keep in mind that there are scope differences between app-only and delegated scenarios. Also, app-only scenarios will require Admin Consent before they can operate against a given tenant (see "v2 Endpoint and Admin Consent").

Marc LaFleur
  • Thanks for responding. I'll look into that asap! – tjcinnamon Jul 07 '17 at 14:27
  • Perfect! I have that working. Now I just need to figure out how to use the access token with OneDrive. Does this token only work with the Graph API or could I use it with this API? https://dev.onedrive.com/resources/drive.htm – tjcinnamon Jul 07 '17 at 15:53
  • I get this error: 10:58:11:000 USER_DEBUG "message": "Resource not found for the segment 'user'.", ->>> Endpoint=https://graph.microsoft.com/v1.0/user/{USER GUID FROM AZURE AD}, Method=GET] – tjcinnamon Jul 07 '17 at 16:00
  • The API is basically the same between OneDrive and Graph but the scopes are not. I would generally recommend sticking with Graph, it is where things are going. – Marc LaFleur Jul 07 '17 at 16:19
  • 1
    That sounds like a different error, could you post that as a separate question? – Marc LaFleur Jul 07 '17 at 16:20
  • Here is the new question: https://stackoverflow.com/questions/44975760/resource-not-found-for-the-segment-user-application-token – tjcinnamon Jul 07 '17 at 16:33
  • Is it possible to use the app-only integration found in https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service AND get a refresh token? – tjcinnamon Jul 20 '17 at 21:49
  • 1
    There is no refresh token required when using app only (aka OAUTH client credentials flow). Refresh tokens are only required for delegated (user) scenarios. They're used to keep the user "logged in". Since app only doesn't have a user context, there isn't a token to refresh. – Marc LaFleur Jul 21 '17 at 13:25
  • If I can keep that refresh valid for a year, I could do the browser method, grab the refresh token, and store that in my app. Would that work to use the authorization bearer refresh token from the server? If that works I could use that until the Files.readwrite.all is implemented on the app side – tjcinnamon Jul 21 '17 at 14:21
  • Refresh tokens will last 14 days so you'll need to pull a new refresh token every so often. Keep in mind, you'll need a separate refresh token for each user. Normally you handle this on the server. Users log in and make calls to your website, your website uses that user's bearer token to access Graph and handles refreshing the token as a background job. – Marc LaFleur Jul 21 '17 at 14:31
  • Dang! I read somewhere they could last up to a year. I can't find the article (you'd know better than whatever that was). I may be able to use that for testing until that is ready but 14 days would be impractical. – tjcinnamon Jul 21 '17 at 14:39
  • A given token only lives for 14 days but you can always pull an updated token whenever you like. Every time you refresh you get both a fresh access token **and** refresh token. – Marc LaFleur Jul 21 '17 at 15:31
  • To confirm, that's via the browser not server side code – tjcinnamon Jul 21 '17 at 17:16
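
The app-only (OAuth client credentials) flow discussed in the answer and comments above, as an added example that is not part of the original thread and is not Microsoft's code: a server-side token provider that requests a Graph token without a browser and, since no refresh token exists in this flow, simply requests a new access token shortly before expiry. The class name, the `post`/`clock`/`skew` parameters and the tenant value passed in are assumptions for illustration; the app must already have admin consent in that tenant.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # app-only uses the consented app permissions


def http_post_form(url, fields):
    """Default transport: POST a form-encoded body and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AppOnlyTokenProvider:
    """Caches a client-credentials access token and re-requests it near expiry."""

    def __init__(self, tenant, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, skew=300):
        # Assumption: tenant is a specific tenant id or domain, not "common".
        self._url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
        self._fields = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,  # load from a secret store, never from source
            "scope": GRAPH_SCOPE,
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            reply = self._post(self._url, self._fields)
            if "access_token" not in reply:
                # Report the error code only; never log the secret or the full reply.
                raise RuntimeError("token request failed: %s" % reply.get("error", "unknown"))
            self._token = reply["access_token"]
            self._expires_at = now + int(reply.get("expires_in", 0))
        return self._token

    def auth_header(self):
        """Header to attach to Graph requests made by the service."""
        return {"Authorization": "Bearer " + self.get_token()}
```

The token is held in memory only, and the request body never contains a `refresh_token` field, so the only long-lived credential the service has to protect is the client secret.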