https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38338 --- Comment #44 from Olivier Hubert <olivier.hubert@inlibro.com> --- Yes, exactly. I think that once administrative consent has been granted, we can use client credentials to get a token, and bypass the whole /authorize endpoint. We would still have to store the token and refresh it periodically, but it would still be easier than having to deal with the whole back-and-forth. In my tests, I've been able to get the token (and refresh token) using a POST to "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token", with a payload of something like this: { grant_type => "client_credentials", client_id => $client_id, client_secret => $client_secret, scope => "https://outlook.office365.com/.default", } So we would need to ask for the tenant ID, client ID and client secret, but there would be no need for an authorization step. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.