Firstly, great work on the Hamilton package! It's much more lightweight compared to the official Microsoft Graph SDK, which is exactly what I was looking for. I have a couple of questions regarding authentication:
How can I authenticate programmatically with specified scopes?
How can I use user credentials for authentication, given that some operations require delegated permissions (using device code authentication) rather than application permissions (client/client_secret authentication)?
I'm particularly interested in finding a clean way to programmatically authenticate with delegated permissions. Is there a method, or maybe you would recommend using a service principal instead?
For context, here's the error I'm currently encountering:
"xyz.go:81","msg":"API requires one of 'ChannelMessage.Read.All, ChannelMessage.Read.Group'. Roles on the request ''. Resource specific consent grants on the request",
Any guidance or pointers would be greatly appreciated! 🤞
ch3ck changed the title from "[Question] Authenticate to Microsoft Graph with specific scopes(Azure Newbie)" to "[Question] How to Programmatically Authenticate with Delegated Permissions in Hamilton Go Microsoft Graph Package?" on Jul 31, 2024
ch3ck changed the title from "[Question] How to Programmatically Authenticate with Delegated Permissions in Hamilton Go Microsoft Graph Package?" to "[Question] Programmatic Authentication with Delegated Permissions in Hamilton Go" on Jul 31, 2024
Hi @ch3ck, thanks for the kind words. As per my other message, please look at the HashiCorp Microsoft Graph SDK since this project has now been deprecated. That SDK shares a lot of the same patterns from here, and uses the same helper packages for authentication etc.
With the MS Identity platform, you don't need to specify the scopes you want when obtaining an access token; you specify https://graph.microsoft.com/.default and you'll get a token containing all the scopes you have been granted, for the application you're using. That last part is somewhat of a sticking point when using existing tools like Azure CLI to handle the delegated auth workflow for you, since it will only return the scopes it has in its manifest, which are likely a subset of what you want. To get around this, you'd need to register your own Azure AD application, and write it to handle the delegated login flow for you.
The SDK auth package github.com/hashicorp/go-azure-sdk/sdk/auth does have support for invoking Azure CLI to grab an access token for the logged-in user, but it suffers from the above issue where only a subset of scopes are going to be present in the token. For full functionality, you'll currently need to use the application flow, where you authenticate as a service principal using application credentials, and then you can use app roles (or sometimes directory roles held by your service principal) to confer the permissions you need.
The final challenge with all this is that some APIs only support delegated auth, which puts you right back at writing your own application to handle the delegated auth flow.
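An added example, not part of the thread and not code from Hamilton or the HashiCorp SDK: a diagnostic that decodes an access token's payload to show whether the requested permission arrived as a delegated scope (`scp` claim) or an application role (`roles` claim), which is what the "Roles on the request ''" error in the question is reporting. It assumes the token is a JWT; the function names are hypothetical, the sample tokens are constructed, and the signature is not verified, so this is for troubleshooting only and not for authorization decisions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// grantedPermissions decodes a JWT payload WITHOUT verifying its signature (diagnostics
// only) and returns delegated scopes ("scp", space-separated) and app roles ("roles").
func grantedPermissions(token string) (scopes, roles []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Scp   string   `json:"scp"`
		Roles []string `json:"roles"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, nil, fmt.Errorf("parse claims: %w", err)
	}
	return strings.Fields(claims.Scp), claims.Roles, nil
}

// hasAny reports whether any of the required permissions is among the granted ones.
func hasAny(granted []string, required ...string) bool {
	for _, g := range granted {
		for _, r := range required {
			if g == r {
				return true
			}
		}
	}
	return false
}

// sampleToken wraps claims in an unsigned token; "e30" is base64url("{}") (constructed input).
func sampleToken(claimsJSON string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(claimsJSON)) + ".sig"
}

func main() {
	fmt.Println(grantedPermissions(sampleToken(`{"scp":"User.Read ChannelMessage.Read.All"}`)))
}
```

An empty result for both lists on a token obtained with client credentials means no app role has been granted and consented for the service principal.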