
AWS Amplify SPA React + Cognito (Microsoft Azure AD Enterprise SSO enabled) + Microsoft Graph API


I'm using React for developing a single page application and AWS Amplify for serverless integration. To sign in the user, I have successfully configured the AWS Cognito console with SAML so that our organization's users can log in to the application without registering and can access the AWS resources. We are using Microsoft Azure AD as the Identity Provider.

Now inside the application, I have to implement a search that can query the Azure AD users using the Microsoft Graph API.

GET https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'J')

We have the appropriate permission for accessing the graph. We have the client ID, secret ID & we have enabled implicit grant flow for the App in Azure.

Since I'm using AWS Amplify and Cognito to authenticate the user, I receive an IdToken and an accessToken when the user logs in to the application.

const user = await Auth.currentAuthenticatedUser();
const idToken = user.signInUserSession.idToken.jwtToken;
const accessToken = user.signInUserSession.accessToken.jwtToken;

But this ID token and access token are from Cognito, not from Microsoft Azure AD.

Microsoft provides MSAL.js (for OAuth 2 implicit grant flow) for making graph API calls on SPA but we cannot use that in our application since we are using AWS Amplify (Cognito) for authentication.

So how can I make Graph calls with the help of AWS Lambda or any other AWS service? It would be really helpful if you could recommend any other approach.


Solution

  • The ID token and access token from Cognito don't have access to Microsoft Graph data.

    To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about the permissions it has for the resources and APIs available through Microsoft Graph. See auth-concepts.

    As juunas suggested, you could implement the Client credentials flow to access Graph resources.
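An added example of the client credentials approach suggested above (not code from the question or the answer): a Node.js Lambda handler that obtains a Graph token from the Microsoft identity platform and runs the user search server-side, so the client secret stays out of the SPA. The environment variable names AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are assumptions, as is the API Gateway proxy event shape.

```javascript
// Added example, not code from the question or answer: an AWS Lambda handler that
// gets a Microsoft Graph token via the OAuth 2.0 client credentials flow and runs
// the user search server-side, so the client secret never reaches the SPA.
// Assumed env var names: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
const GRAPH_USERS = 'https://graph.microsoft.com/v1.0/users';
const tokenUrl = (t) => `https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;

// OData string literals are single-quoted; doubling quotes in the search term
// keeps input such as O'Brien from breaking out of the $filter expression.
function escapeODataString(s) {
  return String(s).replace(/'/g, "''");
}

function buildUsersUrl(prefix) {
  const filter = `startswith(displayName,'${escapeODataString(prefix)}')`;
  return `${GRAPH_USERS}?$filter=${encodeURIComponent(filter)}&$select=id,displayName,mail`;
}

async function getGraphToken(env, fetchImpl) {
  const body = new URLSearchParams({
    client_id: env.AZURE_CLIENT_ID,
    client_secret: env.AZURE_CLIENT_SECRET,
    scope: 'https://graph.microsoft.com/.default',
    grant_type: 'client_credentials',
  });
  const res = await fetchImpl(tokenUrl(env.AZURE_TENANT_ID), {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Lambda entry point (API Gateway proxy event). Put a Cognito authorizer in front
// of it so only signed-in users can trigger the search. `deps` lets the fetch
// implementation be injected for offline tests.
async function handler(event, deps = { env: process.env, fetchImpl: globalThis.fetch }) {
  const q = (event.queryStringParameters || {}).q || '';
  // Allow-list the prefix: letters, digits, space, dot, apostrophe, hyphen; max 64 chars.
  if (!/^[\p{L}\p{N} .'-]{1,64}$/u.test(q)) {
    return { statusCode: 400, body: JSON.stringify({ error: 'invalid search term' }) };
  }
  const token = await getGraphToken(deps.env, deps.fetchImpl);
  const res = await deps.fetchImpl(buildUsersUrl(q), { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) return { statusCode: 502, body: JSON.stringify({ error: `graph ${res.status}` }) };
  return { statusCode: 200, body: JSON.stringify((await res.json()).value) };
}
```

The SPA calls this endpoint with its Cognito session; it never sees the Azure client secret or the Graph token.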