In this article, you add app-only authentication to the application you created in Build Go apps with Microsoft Graph and app-only authentication.
The Azure Identity Client Module for Go (azidentity) provides many implementations of the TokenCredential interface, each covering an OAuth 2.0 token flow. The Microsoft Graph SDK for Go uses these credentials to acquire the access token it attaches to every call to Microsoft Graph.
Configure Graph client for app-only authentication
In this section, you use the ClientSecretCredential type to request an access token by using the client credentials flow, the flow for app-only authentication.
Add the following function to ./graphhelper/graphhelper.go. It reads the app registration's identifiers and client secret from environment variables and fails fast if any is missing, so a misconfigured deployment produces a clear error instead of a confusing token failure.

```go
// Imports this function relies on (goimports may drop unused ones on save):
//   "errors"
//   "os"
//   "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
//   auth "github.com/microsoft/kiota-authentication-azure-go"
//   msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"

func (g *GraphHelper) InitializeGraphForAppAuth() error {
	clientId := os.Getenv("CLIENT_ID")
	tenantId := os.Getenv("TENANT_ID")
	clientSecret := os.Getenv("CLIENT_SECRET")
	if clientId == "" || tenantId == "" || clientSecret == "" {
		return errors.New("CLIENT_ID, TENANT_ID and CLIENT_SECRET must all be set")
	}

	// The credential requests tokens from Microsoft Entra ID with the
	// client credentials flow (no user involved).
	credential, err := azidentity.NewClientSecretCredential(tenantId, clientId, clientSecret, nil)
	if err != nil {
		return err
	}
	g.clientSecretCredential = credential

	// Create an auth provider using the credential. The .default scope
	// requests every application permission the tenant admin has consented to.
	authProvider, err := auth.NewAzureIdentityAuthenticationProviderWithScopes(g.clientSecretCredential, []string{
		"https://graph.microsoft.com/.default",
	})
	if err != nil {
		return err
	}

	// Create a request adapter using the auth provider
	adapter, err := msgraphsdk.NewGraphRequestAdapter(authProvider)
	if err != nil {
		return err
	}

	// Create a Graph client using the request adapter
	client := msgraphsdk.NewGraphServiceClient(adapter)
	g.appClient = client

	return nil
}
```
Tip
If you're using goimports, some modules might be removed from your import statement in graphhelper.go on save. You might need to add the modules again to build.

Replace the empty initializeGraph function in graphapponlytutorial.go with the following.

```go
func initializeGraph(graphHelper *graphhelper.GraphHelper) {
	err := graphHelper.InitializeGraphForAppAuth()
	if err != nil {
		log.Panicf("Error initializing Graph for app auth: %v\n", err)
	}
}
```
This code initializes two properties, a ClientSecretCredential object and a GraphServiceClient object. The InitializeGraphForAppAuth function creates a new instance of ClientSecretCredential, then uses that instance to create a new instance of GraphServiceClient. Every time an API call is made to Microsoft Graph through the appClient, it uses the provided credential to get an access token; the credential caches the token and requests a new one when it expires. Because the flow has no signed-in user, the token carries application permissions (the roles claim) rather than delegated permissions, and only the permissions a tenant admin has consented to are included.
Test the ClientSecretCredential
Next, add code to get an access token from the ClientSecretCredential.
Add the following function to ./graphhelper/graphhelper.go.

```go
// Additional imports this function relies on:
//   "context"
//   "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"

// GetAppToken requests an app-only access token for Microsoft Graph directly
// from the credential, which is useful for checking the app registration
// before making Graph calls.
func (g *GraphHelper) GetAppToken() (*string, error) {
	token, err := g.clientSecretCredential.GetToken(context.Background(), policy.TokenRequestOptions{
		Scopes: []string{
			"https://graph.microsoft.com/.default",
		},
	})
	if err != nil {
		return nil, err
	}

	return &token.Token, nil
}
```
Replace the empty displayAccessToken function in graphapponlytutorial.go with the following.

```go
func displayAccessToken(graphHelper *graphhelper.GraphHelper) {
	token, err := graphHelper.GetAppToken()
	if err != nil {
		log.Panicf("Error getting app-only token: %v\n", err)
	}

	fmt.Printf("App-only token: %s\n", *token)
}
```
Build and run the app by running go run graphapponlytutorial. Enter 1 when prompted for an option. The application displays an access token.

```text
Go Graph App-Only Tutorial

Please choose one of the following options:
0. Exit
1. Display access token
2. List users
3. Make a Graph call
1
App-only token: eyJ0eXAiOiJKV1QiLCJub25jZSI6IlVDTzRYOWtKYlNLVjVkRzJGenJqd2xvVUcwWS...
```
Tip
For validation and debugging purposes only, you can decode app-only access tokens using Microsoft's online token parser at https://jwt.ms. Parsing your token can be useful if you encounter token errors when calling Microsoft Graph; for example, you can verify that the roles claim in the token contains the expected Microsoft Graph application permissions. App-only tokens carry their permissions in the roles claim; the scp claim holds delegated permissions and appears only in tokens obtained on behalf of a signed-in user. Also check that the aud claim is Microsoft Graph. The access token is a bearer credential, so treat it as you would the client secret: don't write it to logs or commit it to source control.
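The same checks can be done offline, which avoids pasting a live token into a browser. The following is an added example (not part of this tutorial or the Graph SDK) that reads the claims of a token the way jwt.ms does and reports the usual reasons an app-only Graph call fails: wrong audience, expired token, a delegated token where an app-only one was expected, or a missing application permission. It does not verify the signature, since Microsoft Graph, not the client, is the party that validates tokens. The tokens it inspects are constructed, unsigned samples built by the hypothetical makeUnsignedToken helper; the function and type names are the example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AppTokenClaims holds the claims that decide whether Microsoft Graph accepts
// an app-only token. JSON tags are the JWT claim names.
type AppTokenClaims struct {
	Audience string   `json:"aud"`
	Roles    []string `json:"roles"` // application permissions: app-only tokens
	Scopes   string   `json:"scp"`   // delegated permissions: user tokens only
	Expiry   int64    `json:"exp"`   // seconds since the Unix epoch
}

// graphAudiences lists the aud values that identify Microsoft Graph.
var graphAudiences = map[string]bool{
	"https://graph.microsoft.com":          true,
	"00000003-0000-0000-c000-000000000000": true,
}

// DecodeClaims reads the payload segment of a compact JWT without verifying
// the signature; the token is our own and is only being inspected.
func DecodeClaims(token string) (*AppTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT: expected header.payload.signature")
	}
	// JWT segments are base64url without padding.
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims AppTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &claims, nil
}

// CheckAppOnlyToken explains why a token would be rejected on a Graph call that
// requires the given application permission. nil means the token looks usable.
func CheckAppOnlyToken(token, requiredRole string, now time.Time) error {
	claims, err := DecodeClaims(token)
	if err != nil {
		return err
	}
	if !graphAudiences[claims.Audience] {
		return fmt.Errorf("aud %q is not Microsoft Graph: token requested for the wrong resource", claims.Audience)
	}
	if now.Unix() >= claims.Expiry {
		return errors.New("token has expired")
	}
	if len(claims.Roles) == 0 && claims.Scopes != "" {
		return errors.New("token has scp but no roles: this is a delegated (user) token, not app-only")
	}
	for _, role := range claims.Roles {
		if role == requiredRole {
			return nil
		}
	}
	return fmt.Errorf("roles %v do not include %s: add the application permission and grant admin consent", claims.Roles, requiredRole)
}

// makeUnsignedToken builds a constructed, unsigned JWT for demonstration only;
// real tokens from the client credentials flow are signed by Microsoft Entra ID.
func makeUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(header) + "." +
		base64.RawURLEncoding.EncodeToString(payload) + "."
}

// SampleTokens returns constructed tokens reproducing common failure cases.
func SampleTokens(now time.Time) map[string]string {
	exp := now.Add(time.Hour).Unix()
	graph := "https://graph.microsoft.com"
	return map[string]string{
		"app-only with User.Read.All": makeUnsignedToken(map[string]any{"aud": graph, "roles": []string{"User.Read.All"}, "exp": exp}),
		"delegated token":             makeUnsignedToken(map[string]any{"aud": graph, "scp": "User.Read", "exp": exp}),
		"wrong audience":              makeUnsignedToken(map[string]any{"aud": "https://management.azure.com/", "roles": []string{"User.Read.All"}, "exp": exp}),
		"expired":                     makeUnsignedToken(map[string]any{"aud": graph, "roles": []string{"User.Read.All"}, "exp": now.Add(-time.Minute).Unix()}),
	}
}

func main() {
	now := time.Now()
	for name, token := range SampleTokens(now) {
		fmt.Printf("%-28s -> %v\n", name, CheckAppOnlyToken(token, "User.Read.All", now))
	}
}
```

To inspect a real token, pass the string printed by displayAccessToken to CheckAppOnlyToken with the permission your Graph call needs (for example User.Read.All for listing users).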