Author Matěj Samler

Authentication diagram of File Explorer

```mermaid
%%{init: {'theme': 'dark'}}%%
sequenceDiagram
    participant U as User
    participant FE as File Explorer PCF
    participant AAD as AAD (Azure Active Directory)
    participant AZ as Azure (TALXIS STS)
    participant MG as Microsoft Graph Api
    participant SP as SharePoint

    U ->> FE: Interaction in app

    FE ->> AAD: Silent SSO or Pop-Up
    activate AAD
    AAD -->> FE: Return token
    deactivate AAD

    FE ->> FE: Use returned token

    FE ->> AZ: Call using<br>On-Behalf-Of Flow
    activate AZ
    AZ ->> AZ: 
    Note over AZ: TALXIS Security Tokens Service
    AZ -->> FE: Return token
    deactivate AZ

    FE ->> FE: Use returned token

    FE ->> MG: Authenticated request
    activate MG
    MG ->> SP: File read/File write
    activate SP
    SP -->> MG: Result
    deactivate SP
    MG -->> FE: Result
    deactivate MG

    FE ->> U: Response
```

The File Explorer PCF (PowerApps Component Framework) control enables secure file interactions with SharePoint via the Microsoft Graph API. For more information about the necessary app consents, please refer to this page.

Security tokens service

After a successful authentication with the consented Azure app, the token is exchanged with securitytokens.services.talxis.com, a custom authentication service, which exchanges the app token for a Microsoft Graph token with the desired scopes. This is done using the On-Behalf-Of flow pattern.

The Security Tokens Service (STS) is a custom service that acts as an intermediary between the File Explorer control and Microsoft Graph API. It takes the token received from Azure Active Directory (AAD) after user authentication and exchanges it for a token that has the necessary permissions to access SharePoint resources. The service itself does not store any user data or credentials; it simply facilitates the token exchange process. The biggest benefit of this approach is that we don't require the user to log in again, minimizing the need for multiple pop-ups and improving the user experience.

That token is then used to access SharePoint resources via Microsoft Graph API, allowing the control to perform file operations such as upload, download, and delete.
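The exchange the STS performs, sketched in Python as an added example (this is not the TALXIS code). The request fields follow the Microsoft identity platform's documented On-Behalf-Of grant; the app id, tenant id and sample claims are constructed placeholders, and the incoming token's signature is assumed to have been verified before its claims reach these functions.

```python
"""Server-side sketch of an On-Behalf-Of (OBO) exchange as done by a
security tokens service. No network calls: build_obo_request only
returns the form body the service would POST to the tenant's
/oauth2/v2.0/token endpoint; the claim checks are the gate in front of it."""
import time

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def check_incoming_token(claims, expected_aud, expected_tid, now=None):
    """Decide whether the token the client presented may be exchanged.
    `claims` is assumed to come from a JWT whose signature was already
    verified against the tenant's published signing keys (not shown).
    Returns a list of problems; an empty list means exchange is allowed."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:      # minted for some other app
        problems.append("audience is not this service")
    if claims.get("tid") != expected_tid:      # issued by a foreign tenant
        problems.append("tenant mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    return problems

def build_obo_request(client_id, client_secret, incoming_token, scopes):
    """Form body for the OBO grant: the caller's token becomes the
    assertion, and only the Graph scopes actually needed are requested."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }

# Constructed sample: an already-verified claim set and placeholder ids.
STS_APP_ID = "sts-app-id-placeholder"
TENANT_ID = "tenant-id-placeholder"
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {"aud": STS_APP_ID, "tid": TENANT_ID,
                 "nbf": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600}

def exchange_or_reject(claims, raw_token, scopes, now=None):
    """Gate then build: returns the OBO request, or None if checks failed."""
    if check_incoming_token(claims, STS_APP_ID, TENANT_ID, now):
        return None
    return build_obo_request(STS_APP_ID, "secret-placeholder", raw_token, scopes)
```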

For more information, please refer to the internal documentation.