NAME
OAuth::Cmdline::MicrosoftOnline - Microsoft Online-specific settings for OAuth::Cmdline
VERSION
version 0.07
SYNOPSIS
    my $oauth = OAuth::Cmdline::MicrosoftOnline->new(
        resource => "https://graph.microsoft.com",
        # ...
    );
    $oauth->access_token();
DESCRIPTION
This class overrides methods of OAuth::Cmdline where Microsoft Online's Web API requires it.
The parameter 'resource' is mandatory, and is poorly described at https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx. It tells the OAuth API which protected resource you are trying to access. For example, to access Azure Graph (to manage user accounts in Azure AD etc.), the correct resource URI is https://graph.microsoft.com. A URI does not have to be a URL, but Microsoft chose to use URLs for their URIs, so if you are trying to access a different endpoint protected by the Microsoft Online OAuth system, its resource URI will probably look like a URL as well.
To use this module with Azure AD:
1. Make a copy of eg/microsoft-online-token-init somewhere else. You will modify this file in the following steps.
2. Sign up for a free Azure account as though you were going to deploy some infrastructure. This creates a free Azure Active Directory in your Azure tenant.
3. In the Azure portal, go to Default Directory > App registrations.
4. Click New registration. Set the Name to whatever you like, and select Accounts in this organizational directory only (Default Directory only - Single tenant). Set the Redirect URI to http://localhost:8082/callback. Then click Register at the bottom.
5. A new page showing the new application is shown. On the Overview page, under Essentials, you should see the Application (client) ID (a UUID). Copy it and paste it into microsoft-online-token-init as client_id.
6. Still on the same page, click the Endpoints button at the top. Copy the OAuth 2.0 authorization endpoint (v1) into microsoft-online-token-init as login_uri. Copy the OAuth 2.0 token endpoint (v1) into microsoft-online-token-init as token_uri.
7. Click Certificates & secrets on the left, then New client secret.
8. After naming and saving your secret, take the Value and put it in microsoft-online-token-init as client_secret.
9. Click API permissions on the left, then Add a permission. Click the Microsoft Graph tile, then Delegated permissions. Under Directory, check Directory.Read.All, then click Add permission at the bottom.
10. The new permission is added to the list, but you still have to click Grant admin consent for Default Directory and then Yes. Anyone who gets hold of this client secret can now read data in the directory. These are the permissions you need to run the example code in eg/microsoft-online-users. You can revoke them later after testing.
11. Run microsoft-online-token-init in a terminal and then go to http://localhost:8082 in a local browser.
12. Follow the link. Sign into Microsoft with the same account used with the Azure portal, and Accept the permissions requested.
Your web service will retrieve the tokens and store them. You can then use
$oauth->access_token()
to get an access token to carry out calls against the Azure Graph API as shown in eg/microsoft-online-users.
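The following script is an added example, not the module's own eg/microsoft-online-users, showing how the stored token is used for a paged Microsoft Graph call. It assumes the token cache was populated by microsoft-online-token-init, that new() accepts the same client_id, client_secret, login_uri and token_uri settings that script was configured with (the values below are placeholders), and that the v1 endpoints follow the https://login.microsoftonline.com/<tenant>/oauth2/... layout.

```perl
#!/usr/bin/perl
# Added example: list Azure AD users through Microsoft Graph using the
# access token managed by OAuth::Cmdline::MicrosoftOnline.
use strict;
use warnings;
use OAuth::Cmdline::MicrosoftOnline;
use LWP::UserAgent;
use JSON qw( decode_json );

# Assumption: the constructor takes the same settings as the token-init
# script. All values below are placeholders, not real identifiers.
my $oauth = OAuth::Cmdline::MicrosoftOnline->new(
    resource      => "https://graph.microsoft.com",
    client_id     => "PLACEHOLDER-APPLICATION-CLIENT-ID",
    client_secret => "PLACEHOLDER-CLIENT-SECRET",
    login_uri     => "https://login.microsoftonline.com/PLACEHOLDER-TENANT/oauth2/authorize",
    token_uri     => "https://login.microsoftonline.com/PLACEHOLDER-TENANT/oauth2/token",
);

my $ua = LWP::UserAgent->new( timeout => 30 );

# Request only the attributes needed; Directory.Read.All would allow far more.
my $url = "https://graph.microsoft.com/v1.0/users"
        . '?$select=id,displayName,userPrincipalName&$top=50';

while( $url ) {
    # access_token() returns the cached token (refreshing it if expired);
    # the script never sees the refresh token or client secret at this point.
    my $resp = $ua->get( $url,
        "Authorization" => "Bearer " . $oauth->access_token(),
        "Accept"        => "application/json",
    );
    if( $resp->code == 401 ) {
        die "Graph rejected the token (401); re-run microsoft-online-token-init\n";
    }
    die "Graph request failed: ", $resp->status_line, "\n"
        unless $resp->is_success;

    my $data = decode_json( $resp->decoded_content );
    for my $user ( @{ $data->{ value } } ) {
        printf "%-40s %s\n", $user->{ userPrincipalName }, $user->{ displayName };
    }
    # Graph pages large result sets; follow @odata.nextLink until it is absent.
    $url = $data->{ '@odata.nextLink' };
}
```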
Example code is in the eg folder.
AUTHOR
Mike Schilli <cpan@perlmeister.com>
COPYRIGHT AND LICENSE
This software is copyright (c) 2022 by Mike Schilli.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.