Building a post/get with authentication substituting /me/

@NormKelson-5136 In order to access Microsoft Graph you do not specifically need to call the authorize endpoint. You need to access the authorize endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize) if you are using Authorization code grant flow which captures the authorization code.
You need to passed authorization code as "Code" to get required access token. So, you need to pass the below values in your request body for retrieving an access token:

Your request URL: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
client_id : Your APP ID
client_secret: Your App Secret
redirect_uri: Redirect URI you have configured during the application registration. For native application it should be https://login.microsoftonline.com/common/oauth2/nativeclient
grant_type: authorization_code
scope: openid profile offline_access User.Read Mail.Read
code: Authorization code you have received

Here scope is a list of Microsoft Graph permissions that you want user to consent to and you can modify this. You can also use https://graph.microsoft.com/.default as scope for default scope.
Please refer to get more details.

If you are using a Client Credentials flow then your application gets the required access token directly from the token endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token to call Microsoft Graph API endpoint.
Please refer to the documentation for details.

You can also use the tools like Microsoft Graph Explorer and Postman to try out few Graph requests. Please refer to Use Postman with the Microsoft Graph API to get started.

Thanks for your quick response. I made the changes as you suggested.

I'm doing fine with the authorization. The authorization code that I receive from the authorize is used for the "code" for the token request. Yet, the result for the token request is blank.

Here is the request (I will regenerate a new secret code):

https://login.microsoftonline.com/4e54a1c8-d98b-4f9b-8de9-bad93ae00fba/oauth2/v2.0/token
client_id=c2c71ba0-4682-424b-a847-dba1d0840790 &client_secret = KE~v_Vs~X8kNJqrB-w33XBOD9a.tMzhdpd &redirect_url=https://login.microsoftonline.com/common/oauth2/nativeclient &grant_type=authorization_code &scope=openid profile offline_access User.Read Mail.Read &code=51483342-085c-4d86-bf88-cf50c7252078

I'm initiating the post from a development software package which I generated. I submit the request from an internal call defined as http_post_page2 where i send the url as one variable and the entire body as the second variable. The authorize goes thru but not the token.

@NormKelson-5136 No, authorization code is not correct. You must not be getting the correct authorization code. In order to get the authorization code you need to pass the
You need to pass the below parameters for retrieving authorization code:

client_id=c2c71ba0-4682-424b-a847-dba1d0840790
response_type = code
redirect_uri = https://login.microsoftonline.com/common/oauth2/nativeclient
response_mode = query
scope = openid offline_access Mail.read
state = some dummy number e.g. 12345

Your authorization endpoint should look like the below -
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=c2c71ba0-4682-424b-a847-dba1d0840790&response_type=code&redirect_uri=http%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_mode=query&scope=openid%20offline_access%20mail.read&state=12345

I suggest you to please look into this document to get authorization code using browser like below.

Then you can use the code like below to get access tokens. Here is an example using Postman to get the same -

Are you trying to implement authorization in your application and what is the language you are using to create your application ?
I will suggest you to use MSAL (Microsoft Authentication Library) in your code to acquire token and renewal. MSAL will take care of acquiring authorization code and token with ease. Here is document you can refer to for creating native windows application. You can also refer to the documentation to know about supported platforms and frameworks.

I built my application using Alpha Software’s AlhaAnywhere which is a development platform. Much of the coding is an xbasic. This limits me to either a get or post.

As you suggested, I Installed Postman and am including the request and response. I appear to be getting a valid response from authorize but in getting the 404 error when I use the token. I copied your suggested content to each get/post:

AUTHORIZE GET
https://login.microsoftonline.com/4e54a1c8-d98b-4f9b-8de9-bad93ae00fba/oauth2/v2.0/authorize?client_id=c2c71ba0-4682-424b-a847-dba1d0840790&response_type=code&redirect_url=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=openid offline_access Mail.read&state=1234

AUTHORIZE RESPONSE
KEY
VALUE
Cache-Control
no-cache, no-store
Pragma
no-cache
Content-Type
text/html; charset=utf-8
Content-Encoding
gzip
Expires
-1
Vary
Accept-Encoding
Strict-Transport-Security
max-age=31536000; includeSubDomains
X-Content-Type-Options
nosniff
X-Frame-Options
DENY
Link
<https://aadcdn.msauth.net>; rel=preconnect; crossorigin
Link
<https://aadcdn.msauth.net>; rel=dns-prefetch
Link
<https://aadcdn.msftauth.net>; rel=dns-prefetch
X-DNS-Prefetch-Control
on
x-ms-request-id
d45f8655-6925-41e7-a0e8-94e3b9a08801 -< returned successfully
x-ms-ests-server
2.1.10732.8 - CHI ProdSlices
P3P
CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie
buid=AQABAAEAAAAGV_bv21oQQ4ROqh0_1-tAFew-sAZWekjvkAKJB3GlvmDtkTl_A_K7LZB9LtbscRvLg1mL4t9pEmmJUtRoA5FrjqJmglZH-SoLQcX2EH__IFpDD9zG8RbG-3rb7jlAv_QgAA; expires=Tue, 28-Jul-2020 16:32:22 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie
fpc=AuusdQTkD0VBgpYottXjklgupWyXAQAAAEi8itYOAAAA; expires=Tue, 28-Jul-2020 16:32:22 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie
x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Set-Cookie
stsservicecookie=ests; path=/; secure; HttpOnly; SameSite=None
Date
Sun, 28 Jun 2020 16:32:21 GMT
Content-Length
44825
Bootcamp
TOKEN REQUEST
https://login.microsoftonline.com/4e54a1c8-d98b-4f9b-8de9-bad93ae00fba/oauth2/v2.0/token HTTP/1.1 application/x-www-form-urlencoded ?client_id=c2c71ba0-4682-424b-a847-dba1d0840790&scope=openid profile offline_access User:Read Mail.Read
&redirect_url=https://login.microsoftonline.com/common/oauth2/nativeclient&grant_type=authorization_code&code=d45f8655-6925-41e7-a0e8-94e3b9a08801 -> USED CODE FROM ABOVE IMMEDIATELY

TOKEN RESPONSE
Status: 404 Not Found

HEADERS:
KEY
VALUE
Cache-Control
private
Strict-Transport-Security
max-age=31536000; includeSubDomains
X-Content-Type-Options
nosniff
x-ms-request-id
06c8da7a-d691-4718-9f4c-4f92c73fb901 DON’T MATCH
x-ms-ests-server
2.1.10732.8 - CHI ProdSlices
P3P
CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie
x-ms-gateway-slice=prod; path=/; SameSite=None; secure; HttpOnly
Date
Sun, 28 Jun 2020 16:24:30 GMT
Content-Length
0
Bootcamp

Your thoughts on what I’m doing wrong.

@NormKelson-5136 As I mentioned earlier the code you are using is not an authorization code and that is why you are not able to fetch the access token.

You have to use browser to get the authorization code by accessing the authorization (/authorize) endpoint.

If you want to get the token programmatically using authorization code grant flow then your application needs to be capable of opening a web browser for you to sign-in. Once logged in successfully you will get the code in returned query string. Here is an Python example to extract the code from the returned result.

dr = webdriver.Chrome()
# load the user login page
dr.get(authorization_url)
# wait until the user login or kill the process
code_received = False
code = ''
while(not code_received):
cur_url = dr.current_url
if cur_url.startswith(user_parameters['redirect_uri']):
parsed = [urlparse](https://docs.python.org/2/library/urlparse.html)(cur_url)
query = [parse_qs](https://docs.python.org/3/library/urllib.parse.html)(parsed.query)
**code = query['code'][0]** -> This is the authorization code.
state = query['state'][0]
# throw exception if the state does not match
if state != str(auth_state):
raise ValueError('state does not match')
code_received = True
dr.close()

In your code you need to use similar approach to get the result and extract the code out of it and use that to get access token.