simonagren · April 6, 2021 16:24 · simonagren · Apr 6, 2021
diff --git a/file.ts b/file.ts
  /**
 * Gets an access token for the user using the on-behalf-of flow
 * @param authHeader - The Authorization header value containing a JWT bearer token
 * @returns {Promise<string | null>} - Returns the access token if successful, null if not
 */
 export async function getAccessTokenOnBehalfOf(req: Request, res: Response): Promise<void> {
  // The token has already been validated, just grab it and the other values from the query string
  const ssoToken: string = req.headers.authorization!.split(' ')[1];
  const clientId: string = req.body.clientId!.toString();
  const graphScopes: string[] = req.body.scopes!.toString().split(',');
  
  // Get tenantId from the SSO Token
  const tenantId: string = jwt_decode<any>(ssoToken).tid;
  const clientSecret: string = process.env.APP_SECRET!;
 
  // Create an MSAL client
  const msalClient = new msal.ConfidentialClientApplication({
    auth: {
      clientId: clientId,
      clientSecret: clientSecret
    }
  });

  try {
    const result = await msalClient.acquireTokenOnBehalfOf({
      authority: `https://login.microsoftonline.com/${tenantId}`,
      oboAssertion: ssoToken,
      scopes: graphScopes,
      skipCache: true
    });
    res.json({ access_token: result?.accessToken });
  } catch (error) {
    if (error.errorCode === 'invalid_grant' || error.errorCode === 'interaction_required') {
      // This is expected if it's the user's first time running the app ( user must consent ) or the admin requires MFA
      res.status(403).json({ error: 'consent_required' }); // This error triggers the consent flow in the client.
    } else {
      // Unknown error
      res.status(500).json({ error: error.message });
    }
  }
	/**
	* Gets an access token for the user using the on-behalf-of flow
	* @param authHeader - The Authorization header value containing a JWT bearer token
	* @returns {Promise<string \| null>} - Returns the access token if successful, null if not
	*/
	export async function getAccessTokenOnBehalfOf(req: Request, res: Response): Promise<void> {
	// The token has already been validated, just grab it and the other values from the query string
	const ssoToken: string = req.headers.authorization!.split(' ')[1];
	const clientId: string = req.body.clientId!.toString();
	const graphScopes: string[] = req.body.scopes!.toString().split(',');

	// Get tenantId from the SSO Token
	const tenantId: string = jwt_decode<any>(ssoToken).tid;
	const clientSecret: string = process.env.APP_SECRET!;

	// Create an MSAL client
	const msalClient = new msal.ConfidentialClientApplication({
	auth: {
	clientId: clientId,
	clientSecret: clientSecret
	}
	});

	try {
	const result = await msalClient.acquireTokenOnBehalfOf({
	authority: `https://login.microsoftonline.com/${tenantId}`,
	oboAssertion: ssoToken,
	scopes: graphScopes,
	skipCache: true
	});
	res.json({ access_token: result?.accessToken });
	} catch (error) {
	if (error.errorCode === 'invalid_grant' \|\| error.errorCode === 'interaction_required') {
	// This is expected if it's the user's first time running the app ( user must consent ) or the admin requires MFA
	res.status(403).json({ error: 'consent_required' }); // This error triggers the consent flow in the client.
	} else {
	// Unknown error
	res.status(500).json({ error: error.message });
	}
	}