I am following Microsoft documentation in obtaining credentials for Azure Graph API. This document states that an unattended application should use the client credentials provider when making web API calls.
The example in the documents for this is:
```java
import java.util.Arrays;
import java.util.List;

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.models.User;
import com.microsoft.graph.requests.GraphServiceClient;

// Client credentials (app-only) credential for an unattended application
final ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
        .clientId(clientId)
        .clientSecret(clientSecret)
        .tenantId(tenant)
        .build();
List<String> scopes = Arrays.asList("https://graph.microsoft.com/.default");
final TokenCredentialAuthProvider tokenCredentialAuthProvider =
        new TokenCredentialAuthProvider(scopes, clientSecretCredential);
final GraphServiceClient graphClient =
        GraphServiceClient
                .builder()
                .authenticationProvider(tokenCredentialAuthProvider)
                .buildClient();
final User me = graphClient.me().buildRequest().get();
```
But I encounter an exception on the last line:
Error message: /me request is only valid with delegated authentication flow.
In researching this error, I came across this post that explains the error further - which confuses me as to why the documentation would use what appears to be an inappropriate example of how to consume this API. It appears to be the delegated permissions authorization code flow.
This post does not add any clarity.
What is the correct way to make this call? Or is this the result of incorrect configuration settings in Azure management console for the app to use Application permissions instead of Delegated permissions?
- Azure identity = v1.3.1
CodePudding user response:
The documentation is wrong; omit the last line of the example altogether.
Calls made to the API using this flow take the form:
```java
graphClient.users("user-id")
```
instead of:
```java
graphClient.me()
```
To send an email using the credentials provider flow:
```java
// ...
// App-only calls name the user (id or UPN) whose mailbox is used
graphClient.users("[email protected]")
        .sendMail(UserSendMailParameterSet
                .newBuilder()
                .withMessage(message)
                .withSaveToSentItems(saveToSentItems)
                .build())
        .buildRequest()
        .post();
```
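Putting the answer into one complete app-only program, as an added example that is not code from the original post, the Graph SDK or Microsoft's docs: the question's credential setup, the users(id) form in place of me(), and the sendMail call. The class name, the environment variable names and the GRAPH_MAILBOX_USER/GRAPH_RECIPIENT values are assumptions.

```java
import java.util.Arrays;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.models.BodyType;
import com.microsoft.graph.models.EmailAddress;
import com.microsoft.graph.models.ItemBody;
import com.microsoft.graph.models.Message;
import com.microsoft.graph.models.Recipient;
import com.microsoft.graph.models.User;
import com.microsoft.graph.models.UserSendMailParameterSet;
import com.microsoft.graph.requests.GraphServiceClient;
import okhttp3.Request;

public class GraphAppOnlyMail {
    public static void main(String[] args) {
        // Assumed: registration values are read from the environment, never hard-coded.
        String tenantId = System.getenv("AZURE_TENANT_ID");
        String clientId = System.getenv("AZURE_CLIENT_ID");
        String clientSecret = System.getenv("AZURE_CLIENT_SECRET");
        // Assumed: the user (id or UPN) the app acts for; an app-only token carries no signed-in user.
        String mailboxUser = System.getenv("GRAPH_MAILBOX_USER");
        String recipient = System.getenv("GRAPH_RECIPIENT");
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                .clientId(clientId).clientSecret(clientSecret).tenantId(tenantId).build();
        // .default asks for the application permissions already granted to this app registration
        TokenCredentialAuthProvider authProvider = new TokenCredentialAuthProvider(
                Arrays.asList("https://graph.microsoft.com/.default"), credential);
        GraphServiceClient<Request> graphClient = GraphServiceClient.builder()
                .authenticationProvider(authProvider).buildClient();
        // App-only: address the user explicitly; graphClient.me() fails here with
        // "/me request is only valid with delegated authentication flow".
        User user = graphClient.users(mailboxUser).buildRequest().get();
        System.out.println("Sending as " + user.userPrincipalName);
        Message message = new Message();
        message.subject = "Unattended job report";
        ItemBody body = new ItemBody();
        body.contentType = BodyType.TEXT;
        body.content = "Sent with application permissions via the client credentials flow.";
        message.body = body;
        Recipient to = new Recipient();
        to.emailAddress = new EmailAddress();
        to.emailAddress.address = recipient;
        message.toRecipients = Arrays.asList(to);
        graphClient.users(mailboxUser)
                .sendMail(UserSendMailParameterSet.newBuilder()
                        .withMessage(message).withSaveToSentItems(false).build())
                .buildRequest().post();
    }
}
```

These calls succeed only if the app registration has been granted the needed Microsoft Graph application permissions with admin consent, which is the portal setting the question asks about.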
CodePudding user response:
It doesn't make any sense to call /me with a client credential flow, because there is no /me there. It's just an automated credential. It doesn't have any user data to fetch.