Help with Microsoft Graph API & Retool

Im struggling to get Microsoft Graph working as a REST api with Retool. I am trying to return a list of users on my Active Directory into Retool.

I got my app registered onto Azure AD and i was able to query Azure using a bearer token but this expires after 1 hour so i need to properly authenticate Graph with Retool.

Im trying to use Auth2.0. I run Retool on prem. I obviously need the connection to Azure to be secure but if there is an easier secure method vs Auth2.0 im all ears.

I don't really know if what im doing is correct. Example in the scope url i tried adding in the scopes 'Directory.Read.All User.Read.All' which is what i have selected under my API permissions in Azure. Not sure if that is correct. I also tried putting in the scope url https://graph.microsoft.com/.default. Both fail when i try to run them.


I have a working GraphQL Authorization through Azure - see my picture below:

Make sure you are using the full auth/token urls provided in Azure for your tenant - you can get them here:
image

Oh, and dont forget the 'magic token' so it send the Auth headers in subsequent requests.

Let me know if you need anything else!

I have everything nailed down except i dont know what you mean by 'magic token'.

Is this here, and how do i set this up?

hi @rcanpolat,

No, the 'Magic Token' is on the retool side of things. When you specify 'Authorization' header OAUTH2_TOKEN - this tells retool where to store the Access_token returned by the OAuth2.0 flow.

As long as you put it in the resource setup, it should be taken care of 'magically' when you send subsequent request to the graph api without having to specify the access_token explicitly.

Thanks!

Do you mean where the yellow is i need to replace the text 0AUTH2_TOKEN with an actual token from Azure (and if yes where do i get this because the method i was doing when i started off to get a token was expiring after 1 hour).

No what you have there is exactly how it should be done - that is telling retool that when it gets the access_token, to store it in 'OAUTH2_TOKEN' and when subsequent calls are made, it will ptu the actual access_token value in its spot as a header.

As for you token_expiration, thats on the azure side of things - you can either extend it, or use refresh token flow to grab a new one every so often.

I've generated a secret in Certs & secrets and im using the 'Value' from Azure as the Client Secret

When i try run something from my Query Library using the Graph API i get this error

Actually i think i got it by ticking the below 2 on the resources setup

image
image

May I ask where you see "Skip Retool consent screen & attempt login"? Is that a paid feature?

I'm not able to make Microsoft Graph queries without constantly reauthenticating and reconsenting. (I'm trying to test a proof-of-concept in Retool before committing to a subscription.)

If I remember I'll screenshot it on Monday. Not sure if it's a subscription only setting, I'm running paid on prem

This is what i see on my on prem Retool when i edit my REST API setup for Azure. Note the 2 blue check boxes you were referencing.

Thanks. Looks like the option is missing from the free plan.
If it saves you from constantly having to consent and grant access every hour, please let me know! This has been an annoyance for me for most services on Retool using OAuth 2.0 authentication.

Since getting it to work 5 days ago i haven't had to authenticate.

Hey @ThomasLu_EarthDaily!

Doing some digging in our backend, it looks like the refresh request for your resource is failing because there's a refresh token missing. You may need to specify offline_access in your "Scopes" field as mentioned here e.g.

offline_access https://graph.microsoft.com/.default

Can you try that and let us know if it works?

For some more context - the "Skip Retool consent screen & attempt login" option is only available for self-hosted orgs and it also looks like @rcanpolat is using the client credentials flow which doesn't require user interaction so Retool can automatically auth without needing a refresh token or any user interaction.

Hopefully that helps!