Crate graph_oauth
Microsoft Identity Platform Client
Support for OAuth 2.0 and OpenID Connect authorization flows from the Microsoft Identity Platform.
Part of the graph-rs-sdk project on GitHub.
Example ConfidentialClientApplication Authorization Code Flow

```rust
use graph_oauth::{AuthorizationCodeCredential, ConfidentialClientApplication};
use url::Url;

/// Step 1: build the URL the user is sent to for the initial authorization.
/// The identity platform redirects back to the registered redirect URI with
/// the authorization code.
pub fn authorization_url(client_id: &str) -> anyhow::Result<Url> {
    Ok(ConfidentialClientApplication::builder(client_id)
        .auth_code_url_builder()
        .with_redirect_uri(Url::parse("http://localhost:8000/redirect")?)
        .with_scope(vec!["user.read"])
        .url()?)
}

/// Step 2: exchange the authorization code (together with the client secret)
/// for tokens, using the same redirect URI and scope as in step 1.
pub fn get_confidential_client(
    authorization_code: &str,
    client_id: &str,
    client_secret: &str,
) -> anyhow::Result<ConfidentialClientApplication<AuthorizationCodeCredential>> {
    Ok(ConfidentialClientApplication::builder(client_id)
        .with_auth_code(authorization_code)
        .with_client_secret(client_secret)
        .with_scope(vec!["user.read"])
        .with_redirect_uri(Url::parse("http://localhost:8000/redirect")?)
        .build())
}
```
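The redirect step that sits between the two functions above, as an added example that is not graph_oauth's own code: it checks the returned `state` and the server's `error` parameters before the `code` is handed to `get_confidential_client`. It assumes the application added a `state` parameter to the authorization URL (not shown on this page) and stored it in the user's session; it uses only the standard library.

```rust
// Added example, not graph_oauth code: validate the redirect the identity platform
// sends to http://localhost:8000/redirect before handing `code` to get_confidential_client().
// Assumes a `state` value was added to the authorization URL and kept in the user's session.
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum RedirectOutcome {
    Code(String),                                       // safe to exchange for tokens
    ServerError { error: String, description: String }, // e.g. access_denied
    StateMismatch,                                      // not our request: possible CSRF
    Malformed,                                          // neither code nor error present
}
/// Decode "+" and %XX sequences in one query component (standard library only).
fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        let hex = if b[i] == b'%' && i + 2 < b.len() {
            std::str::from_utf8(&b[i + 1..i + 3]).ok().and_then(|h| u8::from_str_radix(h, 16).ok())
        } else { None };
        match hex {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(if b[i] == b'+' { b' ' } else { b[i] }); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}
/// Split the query part of the redirect URL into key/value pairs.
fn parse_query(url: &str) -> HashMap<String, String> {
    let q = url.split_once('?').map(|(_, q)| q).unwrap_or("");
    q.split('&').filter(|kv| !kv.is_empty()).map(|kv| {
        let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
        (percent_decode(k), percent_decode(v))
    }).collect()
}
/// State is checked first, even on error responses: a mismatch means the code did
/// not come from the request this session started, so it must not be exchanged.
pub fn handle_redirect(redirect_url: &str, expected_state: &str) -> RedirectOutcome {
    let q = parse_query(redirect_url);
    if q.get("state").map(String::as_str) != Some(expected_state) {
        return RedirectOutcome::StateMismatch;
    }
    if let Some(error) = q.get("error") {
        let description = q.get("error_description").cloned().unwrap_or_default();
        return RedirectOutcome::ServerError { error: error.clone(), description };
    }
    match q.get("code") {
        Some(c) if !c.is_empty() => RedirectOutcome::Code(c.clone()),
        _ => RedirectOutcome::Malformed,
    }
}
```

Only a `Code` outcome should reach `get_confidential_client`; the other three are logged and the login restarted.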
Supported Authorization Flows From The Microsoft Identity Platform
Modules
Structs
- Application options, typically stored as a JSON file in .NET applications.
- Get the authorization URL required to perform the initial authorization and redirect in the authorization code flow.
- Authorization Code Using An Assertion
- The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application. For example, a web browser, desktop, or mobile application operated by a user to sign in to your app and access their data. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- Client Credentials Using an Assertion.
- Client Credentials Using A Certificate
- Client Credentials flow using a client secret.
- Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
- The Device Authorization Response: the authorization server generates a unique device verification code and an end-user code that are valid for a limited time and includes them in the HTTP response body using the "application/json" format [RFC8259] with a 200 (OK) status code.
- The device authorization grant: allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.
- A basic JWT header; the alg defaults to HS256 and typ is automatically set to JWT. All the other fields are optional.
- ID tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see ID tokens in the Microsoft identity platform.
- OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an ID token. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
- Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
- Allows an application to sign in the user by directly handling their password. Not recommended. ROPC can also be done using a client secret or assertion, however this client implementation does not offer this use case. This is the same as all MSAL clients. https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.3
- An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the resource for which the token is intended. The information can be used to access web APIs and other protected resources. Resources validate access tokens to grant access to a client application. For more information, see Access tokens in the Microsoft Identity Platform.
- The return type of a successful call to decode.
Enums
- Specifies which Microsoft accounts can be used for sign-in with a given application. See https://aka.ms/msal-net-application-configuration
- The specification defines errors here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#section-4.2.2.1
- STS instance (for instance https://login.microsoftonline.com for the Azure public cloud). Maps to the instance URL string.
- Response types used when polling for a device code. https://datatracker.ietf.org/doc/html/rfc8628#section-3.5
- Indicates the type of user interaction that is required. Valid values are login, none, consent, and select_account.
- Specifies how the identity platform should return the requested token to your app.