Updated by Marcello Rocha Pereira over 2 years ago
**Microsoft** uses 2-legged OAuth authentication to allow "user-less" operations.
The way [it works](https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=http) is that the necessary permissions need to be set first. To do so, a new permission needs to be added as an `Application Permission`.
<figure class="image op-uc-figure" style="width:587px;"><div class="op-uc-figure--content"><img class="op-uc-image" src="/api/v3/attachments/81659/content"></div><figcaption class="op-uc-figure--description">Application Permission toggle on the top of the Permission Grants screen</figcaption></figure>
`Application Permissions` need to be authorized by an **admin**. This can be requested directly on the Azure interface.
<figure class="image op-uc-figure" style="width:587px;"><div class="op-uc-figure--content"><img class="op-uc-image" src="/api/v3/attachments/81660/content"></div><figcaption class="op-uc-figure--description">Admin Grants request on the Permissions screen</figcaption></figure>
After the admin has granted the authorization, the app can request an authentication token using the URL already known by OpenProject, but with a grant type of `client_credentials`:
```http
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
```
The returned Bearer token is valid for 1 hour. There is no refresh mechanism for this token, so a new token has to be issued.
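One way to deal with the one-hour lifetime described above, as an added example in Ruby that is not OpenProject's own code: a small cache that requests a token with `client_credentials` and asks for a new one shortly before `expires_in` runs out. The class name `AppTokenCache`, the 60-second margin, and the fake endpoint and clock used in the demo are assumptions made for illustration.

```ruby
require "net/http"
require "json"
require "uri"

# Hypothetical helper: caches an app-only token and requests a new one
# before expiry, because client_credentials returns no refresh token.
class AppTokenCache
  SKEW = 60 # assumed safety margin in seconds before expires_in runs out

  def initialize(tenant:, client_id:, client_secret:, http: nil, clock: -> { Time.now.to_i })
    @uri = URI("https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/token")
    @form = { "client_id" => client_id, "client_secret" => client_secret,
              "scope" => "https://graph.microsoft.com/.default",
              "grant_type" => "client_credentials" }
    # The transport is injectable so the flow can be exercised offline.
    @http = http || ->(uri, form) { r = Net::HTTP.post_form(uri, form); [r.code.to_i, r.body] }
    @clock = clock
    @token, @expires_at = nil, 0
  end

  def token
    return @token if @token && @clock.call < @expires_at - SKEW

    status, body = @http.call(@uri, @form)
    data = JSON.parse(body)
    unless status == 200 && data["token_type"].to_s.casecmp?("Bearer") && data["access_token"]
      # Report only the error code; the request form holds the client secret.
      raise "token request failed: HTTP #{status} #{data['error']}"
    end
    @expires_at = @clock.call + Integer(data["expires_in"])
    @token = data["access_token"]
  end
end

# Constructed demo: fake token endpoint and fake clock, no network access.
def demo_token_reuse
  now = 1_000
  calls = 0
  fake = lambda do |_uri, _form|
    calls += 1
    [200, JSON.generate({ "token_type" => "Bearer", "expires_in" => 3599,
                          "access_token" => "constructed-token-#{calls}" })]
  end
  cache = AppTokenCache.new(tenant: "example-tenant", client_id: "example-id",
                            client_secret: "example-secret", http: fake, clock: -> { now })
  first = cache.token
  now += 1800; mid = cache.token  # 30 minutes later: served from the cache
  now += 1800; late = cache.token # past the lifetime: a new token is requested
  [first, mid, late, calls]
end
```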