Hi, I'm Jason Johnston, senior content developer with the Outlook Ecosystems team. Today I'm going to show you how to authenticate your Node.js web app to call the calendar API, to access your calendar in Office 365. So let's get started.

To start with, I've got this very basic Node.js website that uses the Express framework. It doesn't really do a whole lot yet, but we're going to change that in this session. The code that I'm starting with is available on GitHub. The link will be available in the comments below. We have a clean slate branch on this repo that will correspond to what I'm starting with here today. So let's switch over to the code and get started.

In order to implement OAuth, we're going to use an open source library called Simple OAuth2. So the first thing that we need to do is install that using npm. Now that we have that installed, we can go ahead and make use of it. So we're going to add a file to our project here to hold all of our authentication methods called authhelper.js. So what I've done here is implemented all the functions that we need for authentication through the magic of code snippets. We'll go over each one as we get to them.

The first thing that you might notice is that we have these values here at the top that are currently empty. We need to get values for those. And the way that we do that is we register our application in the Microsoft app portal. This is the application registration portal. I've already signed in using my Office 365 user account. And I can go ahead and create an app registration here. So I click the add app and I'll give it a name. Once this is done, we will have an application ID which we'll use for the client ID value in our code. So I'll just copy the application ID here and put it in for my client ID.

The next thing that we need to do is get a client secret. We can do this here by generating a new password. Now, pay close attention to this dialog.
This is the only time that you'll be able to see this password. So you do need to copy it now. If you come back, you can only see the first three characters. So be sure to copy it when you generate it.

The last thing is our redirect URI. This is where the Azure authentication process will redirect back into our web app after authentication is completed. So we're going to go ahead and set this to the authorized route in our app. Now, we do need to also specify that in our application registration. The authentication process will only redirect to URLs that we have preconfigured in our registration. So to do that, we will come to the platform section in the registration and click add platform. We're a web app, so we're going to click web. And here we can enter our redirect URI. We'll go ahead and click save to finalize that registration. We'll switch back to the code while that's saving.

The next thing you might notice is the scopes array. This is where we specify what permissions our application needs in order to function. I've only included three here. OpenID will allow the authentication process to tell us a little bit of information about the user, such as their display name and their email address. We will use that later, so we'll include that here. Offline access is important if you want to be able to have continuous access to the user's data after that initial logon process. That's accomplished by getting a refresh token as part of the authentication process, with which you can then silently acquire new access tokens as they expire. And finally, we have this calendars.read scope, which will allow us to read the user's calendar. And we'll see that in action.

Now the first export that we have in this auth helper module is the get auth URL. All this does is use the Simple OAuth2 library to generate the sign on URL back to our Azure authentication endpoint. This is the first function that we're going to make use of.
So we'll switch back over to our app.js and find our home page. Currently, we are just setting a hash URL for the logon button. So we'll replace that by using that get auth URL function. First, we do need to require our new module. Okay, so now our button should have a valid link when we rerun the app. But before we do that, let's go ahead and implement some of the rest of it.

We set our redirect URI to go to an authorized route in our app, which we currently don't have implemented. So let's go ahead and add that. So if we take a quick look at this, we check the query parameters of the incoming request for a code parameter. This is how the Azure auth process gives us back the authorization code that we need to exchange for a token. So we take that code and we are passing it to the get token from code function also in our auth helper. We'll take a quick look at that one. All this is doing here is using the Simple OAuth2 library again to get the token. It passes in the authorization code and again our redirect URI, which matches what we used in the auth request. And we include all of our scopes. This is going to call back into a callback function, which we specified in app.js, token received. Again, we haven't implemented that yet, so let's go ahead and do that so we can get this up and running.

In the token callback, we are going to just get the access token and refresh token from the result that was returned to us and save it in our session. And finally, we will redirect to a login complete page. Let's go ahead and add that and then we should be able to actually see this in action. So in the login complete, we read the access token and refresh token back out of the session and we simply dump it to the screen. That should be enough for us to see this working and verify that everything is working. So let's go ahead and run the app and see it in action.

Okay, now if we rerun the app, we will see that clicking the sign in button actually takes us to the login page.
I'm going to log in with my Office 365 user and once the authentication process is complete and we're redirected back into the app, I can see that I have my access token. So great, everything is working.

So now that we're logged in, we can do some things, some interesting things with the data. The first thing that we want to do is actually get some information about the user themselves. And the way that we're going to do that is by using the ID token. We already have a function in authhelper.js that can extract the user's email address from the ID token. The ID token is returned to us along with the access token and refresh token as part of the authentication process. So let's add a function in our token received to call this getEmail function and save it in our session. And then in login complete, we'll get that email address back out of the session. And instead of just dumping it to the screen, we'll pass that email address to our login completed page template.

Now if we restart the app, sign in again, this time we actually get something a little nicer. So you can see that we have the user's email address that we got from the ID token and we have a few buttons here. Sync calendar, refresh tokens and log out. So the sync calendar we'll cover in the next session, but refreshing tokens and logging out are still part of the authentication process. So let's go ahead and take a look at those.

So refreshing tokens is something that your app will need to do every once in a while. When you get an access token, it's good for an hour. After that hour's up, you've got to get a new one. Using a refresh token is the way to do that without any user interaction. So let's implement the refresh tokens. I'm going to start by adding a refresh token route to our app. So as you can see, we get the refresh token out of the session. And then we pass that to get token from refresh token in our auth helper.
We also reuse our token received callback here because it does exactly what we need it to do. Let's take a look at the get token from refresh token function in auth helper very quickly. Again, Simple OAuth2 makes this super easy for us. We just need to create a token object from the refresh token and then call refresh on it. It's important to note that when you use the refresh token to get a new access token, you also get a new refresh token. So it's a best practice to always update your refresh token with the new one. Refresh tokens are pretty long lived, but they can expire, so it's always best to get the freshest one possible.

Okay, so before we rerun the app and see refresh token at work, let's go ahead and implement logout. Logout for us will be very easy. Since we're storing the tokens in our session, all we'll do is destroy the session and go back to the home page. Easy enough.

So now let's restart the app one last time and see it all at work. Okay, and if we sign in, now we can refresh the token. Now it didn't really do anything that we could see, but if we take a look at our console output, we can verify that we got a new token. And then finally, if we log out, we're right back to where we started.

And that's it. That's all we need to do to implement the authentication piece, which is really the hard part of connecting your Node app to Office 365. In the next session, we'll go ahead and take a look at implementing calendar sync. If you want to compare your source with what we did in this session, if you go back to the GitHub repo and look at the session one branch, that should match what we've done in this session.

And that's it. We've implemented authentication and connected our app to Office 365. We've gotten past the hard part, so in the next session, we'll go ahead and take a look at implementing basic calendar sync. That's pretty much all that I wanted to show you in this session.
If you'd like to learn more, be sure to check out dev.outlook.com or dev.office.com for more getting started materials and information on Node and other platforms. Thanks for watching.
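
The token handling described in this session (an access token good for an hour, a refresh token that is replaced on every refresh, and the email read from the ID token), shown as an added example that is not code from the session or its GitHub repo. The function names, session fields and five-minute refresh margin are assumptions; `refreshFn` stands in for the library's refresh call, and `preferred_username` is assumed to be the claim that carries the sign-in address.

```javascript
// Added example; every name below is hypothetical, not from the session's repo.
const EXPIRY_SKEW_MS = 5 * 60 * 1000; // refresh five minutes before expiry

// Read the email claim from an ID token payload. No signature check is done:
// acceptable only for a token received directly from the token endpoint.
function getEmailFromIdToken(idToken) {
  const parts = String(idToken || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return claims.preferred_username || claims.email || null;
  } catch (err) {
    return null; // payload was not valid JSON
  }
}

// Save a token response into the session. A new refresh token always replaces
// the stored one; the old one is kept only if the response carries none.
function saveTokens(session, response, now = Date.now()) {
  session.accessToken = response.access_token;
  session.expiresAt = now + Number(response.expires_in) * 1000;
  if (response.refresh_token) session.refreshToken = response.refresh_token;
  if (response.id_token) session.email = getEmailFromIdToken(response.id_token);
  return session;
}

// Return a usable access token, refreshing silently when it is near expiry.
// refreshFn(refreshToken) -> Promise<token response> stands in for the library.
async function getAccessToken(session, refreshFn, now = Date.now()) {
  if (session.accessToken && now < session.expiresAt - EXPIRY_SKEW_MS) {
    return session.accessToken;
  }
  if (!session.refreshToken) throw new Error('No refresh token: sign in again');
  saveTokens(session, await refreshFn(session.refreshToken), now);
  return session.accessToken;
}

// Constructed sample: a token response with a one-hour access token.
const samplePayload = Buffer.from(JSON.stringify({ preferred_username: 'user@example.com' }));
const sampleResponse = {
  access_token: 'access-1', refresh_token: 'refresh-1', expires_in: 3600,
  id_token: `e30.${samplePayload.toString('base64url')}.constructed-signature`,
};
const sampleSession = saveTokens({}, sampleResponse, 0);
```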