Which Auth Provider to Employ when using Confidential Client Application .net 7


I am migrating an older app to .NET 7 and updating the libraries along the way. I am having one heck of a time figuring out the changes to MSGraph v5.

Googling, I found a number of suggestions that I have not been able to get to work. In my Startup.cs file, I have this:

using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class GraphConfiguration
{ 
    public static IServiceCollection ConfigureGraphComponent(
        this IServiceCollection services, 
        IConfiguration configuration
    )
    {
        var graphConfig = configuration.GetSection("AzureAD");
        var confidentialClientApplication = ConfidentialClientApplicationBuilder
            .Create(graphConfig["ClientId"])
            .WithTenantId(graphConfig["Tenant"])
            .WithClientSecret(graphConfig["ClientSecret"])
            .Build();

        var authenticationProvider = new ??????(confidentialClientApplication);

        // Use a single client instance for the lifetime of the application
        services.AddSingleton(sp => new GraphServiceClient(authenticationProvider));

        return services;
    }
}

I gave the Delegate auth provider a try, but it seems like it is no longer available. Any idea which auth provider I can use? In the code above, I am looking to fix the following line:

var authenticationProvider = new ??????(confidentialClientApplication);

Thanks, E.


There are 2 best solutions below

1
On

I'm using the ClientSecretCredential class from the Azure.Identity NuGet package.

var clientSecretCredentials = new ClientSecretCredential(graphConfig["Tenant"], graphConfig["ClientId"], graphConfig["ClientSecret"]);
services.AddSingleton(sp => new GraphServiceClient(clientSecretCredentials));
0
On

When we use MSGraph v5, GraphServiceClient has these 4 constructors available. As you can see, only this one accepts an authenticationProvider.

public GraphServiceClient(IAuthenticationProvider authenticationProvider, string baseUrl = null)
    : this((IRequestAdapter)new BaseGraphRequestAdapter(authenticationProvider, graphClientOptions), baseUrl)
{
}


Then let's see the upgrade guidance here.

In place of the DelegateAuthenticationProvider, custom authentication flows can be done creating an implementation of IAccessTokenProvider, and using with the BaseBearerTokenAuthenticationProvider from the Kiota abstractions as follows

We need to implement a token provider to use BaseBearerTokenAuthenticationProvider. I tested the code below and it really worked, but I don't think it matches your requirement.

StringValues authorizationToken;
HttpContext.Request.Headers.TryGetValue("Authorization", out authorizationToken);
string incomingToken = authorizationToken.ToString().Replace("Bearer ", "");
TokenProvider provider = new TokenProvider();
provider.token = incomingToken;
var authenticationProvider = new BaseBearerTokenAuthenticationProvider(provider);
var graphServiceClient = new GraphServiceClient(authenticationProvider);
var user = await graphServiceClient.Users.GetAsync();

public class TokenProvider : IAccessTokenProvider
{
    public string token { get; set; }
    public AllowedHostsValidator AllowedHostsValidator => throw new NotImplementedException();

    public Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object>? additionalAuthenticationContext = null, CancellationToken cancellationToken = default)
    {
        return Task.FromResult(token);
    }
}

So my idea is that, if you want an auth provider to use, then BaseBearerTokenAuthenticationProvider is the only option for you according to the guidance. If AuthorizationCodeCredential is an option for you, then you might refer to this document to find the suitable one. Or you might use MSGraph v4 instead of v5 to continue to use DelegateAuthenticationProvider.
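
Added example, not from the question or either answer: one way to plug the question's `confidentialClientApplication` into the `IAccessTokenProvider` / `BaseBearerTokenAuthenticationProvider` route, with the token restricted to HTTPS requests to Graph instead of leaving `AllowedHostsValidator` unimplemented. The names `MsalAppTokenProvider`, `GraphClientRegistration` and `AddAppOnlyGraphClient` are hypothetical, and the scope and host assume the global Graph endpoint with app-only permissions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Client;
using Microsoft.Kiota.Abstractions.Authentication;

// Hypothetical class (not part of the Graph SDK or MSAL): adapts an MSAL
// confidential client to Kiota's IAccessTokenProvider.
public sealed class MsalAppTokenProvider : IAccessTokenProvider
{
    // Assumption: global Graph endpoint, app-only (client credentials) permissions.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };
    private readonly IConfidentialClientApplication _app;

    public MsalAppTokenProvider(IConfidentialClientApplication app) => _app = app;

    // Hosts that are allowed to receive the bearer token.
    public AllowedHostsValidator AllowedHostsValidator { get; } =
        new AllowedHostsValidator(new[] { "graph.microsoft.com" });

    public async Task<string> GetAuthorizationTokenAsync(
        Uri uri,
        Dictionary<string, object>? additionalAuthenticationContext = null,
        CancellationToken cancellationToken = default)
    {
        // Hand out no token for non-HTTPS or non-Graph URLs.
        if (uri.Scheme != Uri.UriSchemeHttps || !AllowedHostsValidator.IsUrlHostValid(uri))
            return string.Empty;

        // MSAL serves this from its in-memory app token cache until the token nears expiry.
        var result = await _app.AcquireTokenForClient(Scopes).ExecuteAsync(cancellationToken);
        return result.AccessToken;
    }
}

public static class GraphClientRegistration
{
    // Hypothetical helper: registers one GraphServiceClient for the app's lifetime.
    public static IServiceCollection AddAppOnlyGraphClient(
        this IServiceCollection services, IConfidentialClientApplication app)
    {
        var authenticationProvider =
            new BaseBearerTokenAuthenticationProvider(new MsalAppTokenProvider(app));
        return services.AddSingleton(_ => new GraphServiceClient(authenticationProvider));
    }
}
```

In the question's `ConfigureGraphComponent`, the `??????` line and the `AddSingleton` call would then become `services.AddAppOnlyGraphClient(confidentialClientApplication);`.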