Feature request: allow GraphServiceClient to accept an access token instead of an authentication provider

[meyerovb]

So, after a week of pulling my hair out, I’ve learned this:

set up an app service with integrated easy auth

the Java web app hosted in it doesn’t do any authentication itself, the user is authenticated first and dumped into the app

What the app does have is a request header X-MS-TOKEN-AAD-ACCESS-TOKEN, and in that header is a nice token

that magical token can then be used to call the graph api directly, “Bearer “ + request.getHeader(X-MS-…) But it can only be used for the oidc/userinfo endpoint, NOT the me endpoint

Now if you do this step you can now use it for the me endpoint.

So if in the above linked step you give app service easy auth the scope https://sql.azuresynapse-dogfood.net/user_impersonation instead of https://graph.microsoft.com/User.Read (you can’t use both) you can use the X-MS… header directly with Java class SQLServerDataSource.setAccessToken and query the db as your logged in user (hooray row level security)

BUT that token cannot be passed to MSAL to be converted into anything. It’s already been converted (hence me banging my head against the wall for a week until I realized this). so you can’t use any of the authenticationProviders this client supports.

my feature request: Instead of GraphServiceClient.authenticationProvider let me use GraphServiceClient.accessToken

ok, I’m done now

[baywet]

Thanks for the exhaustive context. Is there any specific reason why you cannot simply implement the iauthenticationprovider interface with a class that accepts the access token in its constructor, sets the value as a field and uses that field in the implemented method?

Relying on a "static" access token value is generally a bad idea, it might not be stored securely, and there is no way for the application to recover from an authorization challenge. This is why we generally discourage it except in very specific cases.

[meyerovb]

So SQLServerDataSource/mssql-jdbc is a “very specific case”? Honestly I need sql not graph, but graph was what the tutorial on easy auth was written for so that’s the rabbit hole I went down. If the graph client accepted a token like the sql client did it woulda saved me some time trying to figure out wth was going on.

[baywet]

How are your client applications authenticating to you have web application? If they are using oauth, you don't need easy auth, you can simply use the on behalf authentication credential.
https://learn.microsoft.com/en-ca/java/api/com.azure.identity.onbehalfofcredential?view=azure-java-stable

[meyerovb]

Azure app service easy auth. I have 0 authentication code in my webapp. All I have is the finished token limited to a single external scope. I need sql, so even if I actually wanted to use graph too I couldn’t without turning off easy auth and implementing authentication within the webapp.