Issue while using com.microsoft.graph.requests.GraphServiceClient with Client credentials provider of azure identity

Question

I'm trying upload and list the files from share point to using Graph Client of Microsoft. I followed the below documentation to do it.

Documentation URL https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=Java

Here is my code sample and exception logs.

Code:

ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
              .clientId("CLIENT_ID")
              .clientSecret("CLIENT_SECRET")
              .tenantId("TENANT_ID")
              .build();

TokenCredentialAuthProvider tokenCredentialAuthProvider = new TokenCredentialAuthProvider(Arrays.asList("https://graph.microsoft.com/offline_access",
               "https://graph.microsoft.com/Files.ReadWrite.All","https://graph.microsoft.com/Sites.Manage.All"),
               clientSecretCredential);
GraphServiceClient graphClient =
              GraphServiceClient
                      .builder()
                      .authenticationProvider(tokenCredentialAuthProvider)
                      .buildClient();
DriveItemCollectionPage driveCollectionPage = graphClient.sites("SITE_ID")
              .drive().items("ITEM_ID").children().buildRequest().get();

Exception Log:

Caused by: java.lang.NoSuchMethodError: 'com.microsoft.aad.msal4j.ConfidentialClientApplication$Builder com.microsoft.aad.msal4j.ConfidentialClientApplication$Builder.sendX5c(boolean)'
at com.azure.identity.implementation.IdentityClient.lambda$getConfidentialClientApplication$5(IdentityClient.java:233)
at reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:44)
at reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:143)
at reactor.core.publisher.Mono.subscribe(Mono.java:4385)
at reactor.core.publisher.Mono.subscribeWith(Mono.java:4515)
at reactor.core.publisher.Mono.toFuture(Mono.java:4920)
at com.microsoft.graph.authentication.TokenCredentialAuthProvider.getAuthorizationTokenAsync(TokenCredentialAuthProvider.java:58)
at com.microsoft.graph.httpcore.AuthenticationHandler.intercept(AuthenticationHandler.java:54)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at com.microsoft.graph.httpcore.TelemetryHandler.intercept(TelemetryHandler.java:69)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
at com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider.java:408)
at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:226)
at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:203)
at com.microsoft.graph.http.BaseCollectionRequest.send(BaseCollectionRequest.java:103)
at com.microsoft.graph.http.BaseEntityCollectionRequest.get(BaseEntityCollectionRequest.java:78)

Can someone please help me to solve the issue?

Answer 1

I fixed the above issue. By adding below dependency in pom file.

<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.11.2</version>
</dependency>

Now I'm facing issue with scope. Getting below Error for mentioned scopes (offline_access, Files.ReadWrite.All,Sites.Manage.All).

com.microsoft.aad.msal4j.MsalServiceException: AADSTS1002012: The provided value for scope Sites.Manage.All Files.ReadWrite.All openid profile offline_access is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).

If I add /.default scope then token generating but getting 403 Forbidden. Here is my app permissions.

Can some please guide me, where I'm missing the logic here?

Answer 2

Using the client credentials flow, requires you to have executed the admin consent.

If you done the admin consent, you can change the scope to be https://graph.microsoft.com/.default and nothing else. The resulting token will have all the application permissions you granted to the application.

Check out the documentation on the client credentials flow, https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow