
How can a Daemon application with client_credentials authentication obtain delegated permissions from a specific user?


I have written a java program to upload files to Sharepoint in an Office 365 developer tenant where I am an administrator. The program authenticates with client_credentials with secret. After authentication, it does not have an office 365 identity.

The requirement is to upload a file to a specific folder. The user is ready to share their folder, but I can't find a workflow with a daemon application to accomplish this.

Can the admin approve the application to access the user's folder?

In my developer tenant, I have Application Permission of Files.ReadWrite.All and the program works fine. However, we will not get approval for Files.ReadWrite.All in production. The question is how can I use Delegated Permissions of Files.ReadWrite and authenticate my daemon app so I can upload files to one folder. My application runs on Dell Boomi. Thanks


Solution

  • Firstly, application permission (client_credentials flow) is supported for uploading files to SharePoint Online.

    // Client credentials (application permission): the token carries no user identity,
    // so the drive is addressed by user id rather than through "me".
    ClientCredentialProvider authProvider = new ClientCredentialProvider(
                                                        clientId,
                                                        scopes,
                                                        clientSecret,
                                                        tenant,
                                                        endpoint);

    IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();

    // Upload the raw file bytes. getBytes() yields the content as-is; Base64.getDecoder()
    // would throw IllegalArgumentException on this plain-text literal, which is not base64.
    byte[] stream = "The contents of the file goes here.".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    graphClient.users("{userId}").drive().items("{item-id}")
        .buildRequest()
        .put(stream);
    

    But if you cannot grant Application Permission File.ReadWrite.All in the production environment and you cannot implement interactive login in daemon app, you should consider ROPC flow.

    Note there is a warning:

    Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

    Please refer to Username/password provider.

    // ROPC (username/password): the token is delegated, so it carries the user's identity
    // and only the scopes that user consented to (e.g. Files.ReadWrite), and "me" resolves.
    UsernamePasswordProvider authProvider = new UsernamePasswordProvider(
                                                        clientId,
                                                        scopes,
                                                        username,
                                                        password);

    IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();

    // Same upload, now against the signed-in user's own drive.
    byte[] stream = "The contents of the file goes here.".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    graphClient.me().drive().items("{item-id}")
        .buildRequest()
        .put(stream);
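As an added example (not part of the question or answer above, and written in Python rather than the Java of the answer), the snippet below shows how to tell from the access token itself which of the two flows produced it: a client_credentials token lists application permissions in the `roles` claim and names no user, while a delegated token (ROPC or any interactive flow) lists scopes in `scp` together with the user's `upn`. The sample tokens are constructed and unsigned, and the decoder does not verify signatures, so it is for inspecting what a token carries, not for authorization decisions.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this inspects what a token carries, it does not establish trust in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def classify_token(token: str) -> dict:
    """App-only tokens (client_credentials) list application permissions in 'roles'
    and name no user; delegated tokens (e.g. ROPC) list scopes in 'scp' plus a user."""
    claims = decode_claims(token)
    scp = claims.get("scp")
    if scp:
        return {"kind": "delegated", "permissions": sorted(scp.split()),
                "user": claims.get("upn") or claims.get("preferred_username")}
    return {"kind": "application", "permissions": sorted(claims.get("roles", [])),
            "user": None}

def has_permission(token: str, required: str) -> bool:
    return required in classify_token(token)["permissions"]

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed samples mirroring the two flows discussed in the answer
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com", "idtyp": "app",
                              "roles": ["Files.ReadWrite.All"]})
DELEGATED = make_sample_token({"aud": "https://graph.microsoft.com",
                               "scp": "Files.ReadWrite User.Read",
                               "upn": "user@contoso.example"})

if __name__ == "__main__":
    for flow, tok in (("client_credentials", APP_ONLY), ("ROPC", DELEGATED)):
        print(flow, classify_token(tok))
```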