
I am developing an Azure static web app using authentication and authorization for Azure Static Web Apps.

This part works very well: my routes are secured via Azure AD and are only usable by authenticated users. Via the /.auth/me route I can also access the user information (e.g. the user name) in order to show it as "logged in user".

What I want to do now in addition is to access the user's profile photo - the only way to do that (as far as I understood) is to get it from Microsoft Graph - Get profilePhoto.
That API however requires an OAuth2.0 access token.

This access token however is not accessible in the Azure Static Web App, using the built-in "authentication and authorization" mechanism linked above.

How can my application now authenticate at the "Microsoft Graph" API without the need of initiating an additional OAuth2.0 code flow (just for getting the profile photo)?
Is the access_token e.g. accessible anywhere (in frontend or backend of the Azure SWA)?

Thomas Jäckle
  • I recommend using [custom authentication](https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad) for your static app with Azure AD to integrate the ability to call the MS Graph API. – Tiny Wang Dec 02 '22 at 09:51
  • @TinyWang what difference would this make? I would still not be able to access the access_token in order to do the MS Graph call, or would I? – Thomas Jäckle Dec 02 '22 at 10:54
  • Per my understanding, we require an access token to call the Graph API; to get an access token, we need to integrate MSAL (Microsoft Authentication Library, e.g. msal.js for JavaScript) into your static web app so that you can sign in (authentication) and generate an access token (authorization). I'm not familiar with authentication for Azure Static Web Apps, but it looks like it integrates identity platforms (AAD, GitHub, Twitter) as well but only provides you with some basic API which doesn't include all the information. So to get complete usage of the Graph API, – Tiny Wang Dec 02 '22 at 11:25
  • I think it's better to use custom authentication to integrate AAD into your app so that you can call the Graph API. – Tiny Wang Dec 02 '22 at 11:26
  • I have a sample in [this answer](https://stackoverflow.com/a/65350674/14574199) which is about how to integrate MSAL in JavaScript and call the MS Graph API. – Tiny Wang Dec 02 '22 at 11:30
  • Ok, understood. Thank you for the answer. That however will harm one of the main benefits of Azure SWA, to configure authentication and authorization completely in its "staticwebapp.config.json" without having to do anything with a separate library, OAuth redirects, etc. That's probably not worth it for my use case. Suggestions from the Azure SWA team on this would be highly welcome. – Thomas Jäckle Dec 02 '22 at 12:01
  • I saw that this is a known issue with Azure Static Web Apps that the access token is not revealed: https://github.com/Azure/static-web-apps/issues/794 – Thomas Jäckle Dec 02 '22 at 12:53

0 Answers