I am able to access resources from Microsoft Graph using Get access without user. However, this method does not allow me to access resources which require delegated permissions.
I also tried to use the Get access on behalf of a user method, but it will require my user to sign in through a webpage, which is not desired in my scenario.
Is it possible to generate an authorization code with a long life time (possibly over a year) and use that code to request an access token, which can then be used to get resources that require delegated permissions?
Note: I know generating an authorization code with such a long life time is not a good idea, but this code will be used by the back-end program to access resources and not the user. So I do not want the user sign in page to pop up. Looking to implement this in Java.
Thanks!
In order to use delegated permission, the end user needs to sign in interactively through an OAuth2.0 flow.
Now, you can use a user's creds with the Resource Owner Credentials Flow which is simply posting the username/password to Azure AD and getting tokens back. This path is not recommended as it's brittle (For example, MFA will not work) and requires your app to manage the user's credentials.
Your best bet is to create some kind of sign in experience for your users that allows them to sign in and consent to your application. Refresh tokens in Azure AD have a lifetime of until-revoked meaning they can last as long as a year if not longer. The bottleneck you'll hit is the end user's password expiring which would lead them to need to sign in again.
For some help with this, Azure AD has an ADAL4j library you can use. I've also written a small Spring MVC Java code sample for the Azure AD v2.0 endpoint (Microsoft Accounts + Azure AD Accounts) that uses a 3rd party library.
来源:https://stackoverflow.com/questions/45823913/microsoft-graph-authentication-delegated-permission