Accessing Microsoft Graph API without using login page
I would like to access a user's one drive to upload a document or retrieve a document using Graph API. I've seen multiple examples over the net which requires using the standard login page for the user to login. You need to get the authorization code from the login page and then use it to get a token, which finally can be used to access a resource like drive.
Am looking for a way to do this without going through the login page. I can have my own login page where I can request user to login.
In short, I want to access drive resource of Graph API using a REST client like Postman (right from authorization to accessing the resource). Is this possible?
Answer
Yes, it is possible if you have the right information - all you need to do is to get a delegated access token.
Explanation:
When dealing with access to resources, Microsoft Graph has two levels of access token requirements:
- Most methods support Application only tokens, meaning once an OAuth app has consent it can access the resource whenever it wants.
- But for some methods, it is not enough (they are too sensitive for an automated process) and require a Delegated token, meaning token which contains both a valid Client and User. You can see in each method documentation which token it requires.
Normally delegated access tokens are the result of the two major OAuth flows which require user interaction (Authorization Code Grant and Implicit Grant) but you can also get them from two other flows: Resource Owner Credentials Grant and On-Behalf-Of Grant, which are both supported by Microsoft.
For a full guide on how to setup everything you need in order to use those flows (including Postman examples) you can look at my article:
Getting Access Token for Microsoft Graph Using OAuth REST API