SAP Approuter / XSUAA Use token for Microsoft Graph with Azure as Identity Provider

dontobi
Explorer
0 Kudos

Hello all,

I am currently changing the underlying infrastructure of a CAP / UI5 application that used the node package "passport" for authentication and authorization with the passport-azure-ad-oauth2 flow. With this token I could use the Microsoft Graph API to send an e-mail as the current user (which is a needed feature).

Now the infrastructure changed. I now use an approuter with a XSUAA instance for authentication with a route to the underlying CAP application. Additionally, Azure was configured as identity provider instead of the default identity provider.

With this setup the token acquired after a successful login does not suffice / work for either direct usage of the Microsoft Graph API or generating a new token using the "onBehalfOf" functionality of the "@azure/msal-node" package.

So far I have tried:
  • Adding "foreign-scope-references": ["$ACCEPT_GRANTED_SCOPES"]
  • Adding "Mail.send" explicitly as scope within the xs-security.json
  • Many variations of the features the @azure/msal-node package provides using the current token or a new one based off of it

I want to use the currently signed in user to send the mail and avoid further authorization flows done by the user. I would consider using a technical user as fallback option if required.

If anyone has any ideas on how to solve this issue or had similar use cases in the past, I am grateful for any information or approach.

I'll gladly provide further information if needed.
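
A diagnostic for the failure described in the question, as an added example that is not part of the original post: Microsoft's on-behalf-of flow expects the incoming assertion to be an access token issued by the Entra ID (Azure AD) tenant with the requesting app registration as its audience, whereas the token the approuter forwards is issued by XSUAA. The function names, tenant and client IDs, host name and sample tokens are constructed for illustration.

```javascript
// Added example. Claims are decoded WITHOUT signature verification:
// use this for diagnostics only, never for an authorization decision.
function decodeJwtClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a 3-segment compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Lists the reasons a token cannot serve as the OBO assertion for clientId.
function oboAssertionProblems(token, { tenantId, clientId }) {
  const claims = decodeJwtClaims(token);
  const problems = [];
  const entraIssuers = [
    `https://login.microsoftonline.com/${tenantId}/v2.0`, // v2.0 tokens
    `https://sts.windows.net/${tenantId}/`,               // v1.0 tokens
  ];
  if (!entraIssuers.includes(claims.iss)) {
    problems.push(`issuer ${claims.iss} is not the Entra ID tenant`);
  }
  // Assumption: the app registration uses the default api://<clientId> App ID URI.
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(clientId) && !aud.includes(`api://${clientId}`)) {
    problems.push(`audience ${JSON.stringify(aud)} lacks the app registration`);
  }
  return problems;
}

// Constructed, unsigned sample tokens (placeholder IDs and host names).
const fakeJwt = (claims) => {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
};
const sampleIds = {
  tenantId: "00000000-0000-0000-0000-000000000001",
  clientId: "11111111-1111-1111-1111-111111111111",
};
const xsuaaToken = fakeJwt({
  iss: "https://example-subaccount.authentication.eu10.hana.ondemand.com/oauth/token",
  aud: ["sb-example-app!t0000", "openid"],
});
const entraToken = fakeJwt({
  iss: `https://login.microsoftonline.com/${sampleIds.tenantId}/v2.0`,
  aud: sampleIds.clientId,
});

console.log("XSUAA token:", oboAssertionProblems(xsuaaToken, sampleIds));
console.log("Entra token:", oboAssertionProblems(entraToken, sampleIds));
```

Running the same check on the `Authorization` header the CAP service actually receives shows which issuer and audience the token carries before it is handed to MSAL.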

gregorw
Active Contributor
0 Kudos
dontobi
Explorer
0 Kudos

I see the Cloud Identity Services are used in this example. To my understanding they differ from the XSUAA service plan. Are you aware of any way to avoid using the Cloud Identity Service, as I wanna avoid using any more additional service plans?

gregorw
Active Contributor
0 Kudos

SAP Cloud Identity is free of charge for the first two tenants.