I'm working on a .NET 6.0 MVC app and trying to implement a function to send emails using Microsoft Graph. The app is used internally at my company and is using Windows Authentication. I don't have any experience with the "nitty gritty" of authentication. I have implemented a solution for Microsoft Graph found at the following link that seems to be close to working except I receive an error that "The token contains no permissions, or permissions can not be understood": How to send email from any one email using Microsoft Graph

My Azure AD admin doesn't really have any experience with setting this kind of thing up, so the Mail.Send permissions may not be correct, and I'd like to check the token. However, I can't seem to figure out how to get it so I can enter it into jwt.ms/jwt.io. This is what I've tried so far, but I'm getting the error:

Access to XMLHttpRequest at 'https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/common/oauth2/v2.0/token' from origin 'http://localhost:XXXXX' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

```javascript
var token;

function requestToken() {
    $.ajax({
        "async": true,
        "crossDomain": true,
        // The original URL mixed a tenant name with "/common/"; the v2.0 token endpoint
        // takes one or the other (here: the tenant), e.g. /TENANTNAME.onmicrosoft.com/oauth2/v2.0/token
        "url": "https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/v2.0/token",
        "method": "POST",
        "headers": {
            "content-type": "application/x-www-form-urlencoded"
        },
        "data": {
            "grant_type": "client_credentials",
            "client_id": "IDHERE",         // original keys had trailing spaces ("client_id ", "scope "), so the endpoint never saw them
            "client_secret": "SECRETHERE", // a client secret must never ship in browser JavaScript; client_credentials belongs on the server
            "scope": "https://graph.microsoft.com/.default"
        },
        success: function (response) {
            console.log(response);
            token = response.access_token;
            // textContent rather than innerHTML: the token is data to display, not markup to render
            document.getElementById('content').textContent = token;
        }
    }); // the original was missing this closing of $.ajax(...) and of the function
}
```

Am I on the right track at all for implementing Graph with Windows Authentication, and if so, how can I get this token in order to check it? Thanks!

matthew_b
  • You need to use MSAL to avoid the CORS policy; you can't send an AJAX request to that URL to generate a token. See [this answer](https://stackoverflow.com/a/70575713/15581227) of mine; it may help you generate an access token. – Tiny Wang Apr 12 '22 at 08:06
  • @TinyWang When I try this, I get another error attempting to get the token: "ClientAuthError: User login is required. For silent calls, request must contain either sid or login_hint". I tried using the signIn function included, but that also results in an error ("response_type 'id_token' is not enabled for the application."). In order for this to work, do I need to be using something other than Windows Authentication? – matthew_b Apr 13 '22 at 18:52
  • `response_type 'id_token' is not enabled for the application`: maybe you need to go to Azure portal -> Azure AD -> your application -> Authentication, tick ID tokens and access tokens, then click Save. – Tiny Wang Apr 14 '22 at 01:26
  • @TinyWang That worked. I got the token now. I see `"scp": "Mail.Send User.Read profile openid email"` in there, but I still can't send email. I got added as owner of the app and can make some changes to it now in Azure AD, so hopefully that means things can move faster than before. – matthew_b Apr 18 '22 at 19:29
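To do the check the question is after (reading the token's claims the way jwt.ms does) offline, here is an added JavaScript example that is not part of the question or of the linked answer. It decodes a JWT without verifying its signature and reports whether the token carries delegated permissions (the `scp` claim seen in the comment above) or application permissions (the `roles` claim that a client_credentials token would need); the sample tokens and the claim values in them are constructed, with a fake signature.

```javascript
// Added example: decode an Azure AD access token locally (as jwt.ms does) and report
// which Graph permission claims it carries. The signature is NOT verified: inspect only.

function base64UrlToUtf8(segment) {
  // JWT segments are unpadded base64url; Node's base64 decoder tolerates missing padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function utf8ToBase64Url(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected header.payload.signature");
  }
  return {
    header: JSON.parse(base64UrlToUtf8(parts[0])),
    payload: JSON.parse(base64UrlToUtf8(parts[1])),
  };
}

// Azure AD carries delegated permissions in "scp" (space-separated, a user signed in) and
// application permissions (client_credentials flow) in "roles" (array). A token with
// neither claim is typically what Graph rejects as "The token contains no permissions".
function inspectGraphPermissions(payload) {
  const delegated = typeof payload.scp === "string" ? payload.scp.split(" ").filter(Boolean) : [];
  const application = Array.isArray(payload.roles) ? payload.roles : [];
  const flow = delegated.length ? "delegated" : application.length ? "application" : "none";
  return {
    flow,
    audience: payload.aud,
    delegated,
    application,
    canSendMail: delegated.includes("Mail.Send") || application.includes("Mail.Send"),
  };
}

// Constructed sample tokens with a fake signature (demonstration only, not real tokens).
function makeFakeToken(payload) {
  const header = utf8ToBase64Url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${utf8ToBase64Url(JSON.stringify(payload))}.fakesignature`;
}

const delegatedToken = makeFakeToken({ aud: "https://graph.microsoft.com", scp: "Mail.Send User.Read profile openid email" });
const appOnlyToken = makeFakeToken({ aud: "https://graph.microsoft.com", roles: ["Mail.Send"] });
const noPermissionToken = makeFakeToken({ aud: "https://graph.microsoft.com" });
```

Paste a real token in place of the constructed ones to see which of the two claims it actually carries; a token showing only `scp` was issued for a signed-in user, not for the app-only client_credentials flow.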

0 Answers