Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,690 questions
How to perform authorization code flow in my Typescript module with no access to the actual web application source?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 5%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Thakur, Saumya
20
Reputation points
Hello,
So, I wish to include the Authorization Code Flow of Microsoft Graph in my application's module's source code. I went through the reference: https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http and I understood the process but the issue is I do not have access to my application's source code (Hence, there is no index.js file to start the application and through which I can define the routes and the APIs). Maybe I am misunderstanding this but I'd really appreciate any help on how to code this whole flow in a few functions (I understand a single function also will not be possible because of the involved callback).
--> I cannot directly write an app.get() API to obtain the code from the redirect URI.
--> I would like to include all the callbacks in those functions itself somehow.
Is this possible? My code currently works with the accessToken obtained from the GraphExplorer. It is hard-coded in the configuration files and the application is working fine with that token. I just need to replace that hard-coded part and include an automated flow to obtain that token. I checked the MSAL library and as far as I could understand, it also will require a callback.
--> My application is actually an MS Teams Bot and I need this token to access the calendar's of other Users in order to perform some scheduling tasks.
--> The development language is TypeScript.
I look forward to the response and would be happy to provide any other details if needed.
Thanks in advance!
@Rukmini please find the question here, thanks!
Microsoft Graph
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 3,421 Reputation points Microsoft External Staff Moderator2025-06-17T04:21:24.44+00:00 Hello Thakur, Saumya,
Since Authorization Code Flow needs access to your application's source code in order to establish a redirect URI (such as /callback) to collect the authorization code once the user logs in, you shouldn't use it directly. This flow is not suitable in your scenario because you do not have access to the backend source code of the application.
Hence, in your case, use the On-Behalf-Of (OBO) flow which is designed when interacting with Microsoft Teams bots.
Refer: Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft identity platform | Microsoft
- Use
context.adapter.getUserToken()(or its equivalent in your bot SDK) to ask for a user token from your Teams bot. - Your bot uses the OBO flow to send that user token to Azure AD:
grant_type = urn:ietf:params:oauth:grant-type:jwt-bearer
requested_token_use = on_behalf_of
Include the Teams token as
assertionInclude your bot’s
client_id,client_secret, and Graph API scope (https://graph.microsoft.com/.default)- Now Microsoft Entra ID returns a Graph API access token which bot can access the user's calendar or other Microsoft Graph data.
By doing the above, it does not require browser redirects, route handling, or control over the web app’s startup code.
Let me know if any further queries - feel free to reach out!
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
- Use
-
Rukmini 3,421 Reputation points Microsoft External Staff Moderator
2025-06-17T04:39:15.0066667+00:00 Hello Thakur, Saumya, Otherwise, to make it keep simple you can make use of client credential flow.
- Make use of client credential flow, if you don’t need user-specific data (like individual calendar events).
- Need to grant application type API permission to the Microsoft Entra ID application.
Let me know if any further queries - feel free to reach out!
Sign in to comment
Sign in to answer