function requestToken() {
$.ajax({
"async": true,
"crossDomain": true,
"url": endpointUrl, // Pass your tenant name instead of sharepointtechie
"method": "POST",
"headers": {
"content-type": "application/x-www-form-urlencoded"
},
"data": {
"grant_type": "password",
"client_id ": clientId, //Provide your app id
"client_secret": clientSecret,
"scope ": "https://graph.microsoft.com/.default",
"userName": "xxxxxxxxx",
"password": "xxxxxxxx",
"redirect_uri" : "xxxxxxx"
},
success: function (response) {
console.log(response);
token = response.access_token;
$.ajax({
url: 'xxxxxx',
type: 'GET',
dataType: 'json',
beforeSend: function (xhr) {
xhr.setRequestHeader('Authorization', 'Bearer ' + token + '');
},
data: {},
success: function (results) {
console.log(results);
debugger;
},
error: function (error) {
console.log("Error in getting data: " + error);
}
});
}
})
}
I am meant to be making a request to the MS Graph Api in order to get cell and row data from an excel spreadsheet hosted on OneDrive.
That is all well and good, however I was wondering what would be the best practice in completing this problem.
I can write an AJAX request using the client-id and client-secret to authenticate the use, however this would then expose those credentials to the clients browser.
How could I still make the request to the API but keep the app credentials safe.
Cheers, Josh
Client-side requests from the browser wouldn't use a client secret, and instead would use the implicit grant flow. You can read all the details of how that flow works at that link.
MSAL.js makes this easy to implement, and they have a number of samples in their repository.
Thanks Jason! Am I able to sign users in on behalf of another user using that implicit grant flow?
I'm not sure I follow. You can't sign a user in as another user in any flow, meaning User A can't sign in and act as User B.