Here’s an understanding of the OneDrive authentication and data exchange flow using Authentication Flow (OAuth 2.0) as implemented by Savant Labs, along with the security measures in place:

When a user clicks “Authenticate” in Savant, the application launches an OAuth 2.0 process. Savant constructs an authorization URL with the following parameters

Sample URL

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abcdefg-8e81-4eac-6b1a-c90237890e4&scope=openid+offline_access+https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read+https%3A%2F%2Fgraph.microsoft.com%2FSites.ReadWrite.All&redirect_uri=https://app.savantlabs.io/api/callback&prompt=login&state=oewonawntg&response_type=code

User Login and Consent:

The user is redirected over HTTPS to Microsoft’s secure OAuth endpoint. Here, the user enters their OneDrive (Microsoft) credentials.

Sample URL- https://login.microsoftonline.com/common/SAS/ProcessAuth

For the code flow after a successful login and consent, an authorization code is returned. Savant then makes a secure POST to Microsoft’s token endpoint to exchange that code for an access token and a refresh token, if offline_access is requested. The application can exchange the authorization code for an access token and a refresh token by making a secure POST request to Microsoft’s token endpoint. This flow is particularly useful for long-lived sessions since the refresh token can be used to obtain new access tokens when they expire.

Token Flow:

For simpler, interactive scenarios, the token is returned directly in the server, which the Savant application extracts and uses.For the token flow the access token is also returned directly in the server.

https://app.savantlabs.io/en/app/connection/add?restoreState=oewonawntg&externalName=Akshay+Pandey&connectionId=ilnifleerpq&externalId=apandey%40savantlabs.io&expiresAt=1758603878844#

Secure Token usage and API Calls

The access token is then stored in memory or a secure token store and is used as a Bearer token in the Authorization header of subsequent API calls to OneDrive. These calls are made over HTTPS to ensure data in transit is encrypted.

TLS Encryption:

All communication between Savant, Microsoft’s OAuth endpoints, and OneDrive API endpoints is conducted over HTTPS, ensuring data confidentiality and integrity.

Token Management

Secure Storage:

Client secrets, access tokens, and refresh tokens are stored securely on the backend using best practices (e.g., encryption at rest, access controls) to prevent unauthorized access.

Permissions & Scopes:

The OAuth flow ensures that only the scopes granted by the user (or the system administrator in case of delegated access) are attached to the access token. Savant validates these claims before performing any data operations to ensure that the requested actions (read/write) are authorized.

Compliance:

The overall design follows industry-standard OAuth 2.0 protocols and Savant tech team ensures that all the updates from Microsoft’s Graph APIs are updated within Savant architecture

Listing Files and Folders:

Savant uses the Microsoft Graph SDK to interact with OneDrive’s REST API endpoints. This returns metadata for files and folders, including their unique IDs and download URLs. Only Excel Files are opened using Excel 365 on MS side.

Downloading File Content:

Once the file metadata is retrieved, its content can be read by either using the provided download URL or via SDK methods.

Uploading Files:

For uploading files, we do a straightforward PUT/POST request which is sent using the SDK. This creates or replaces the file at the specified pathan upload session is initiated.The SDK then supports chunked uploading, where file bytes are sent in parts to the provided session URL until the complete file is uploaded.

For Excel files Savant uses Excel 365 APIs to write the in the files

Encryption in Transit:

All API calls including authentication and file transfer operation are executed over HTTPS, ensuring encryption of data in transit.

Scoped Permissions:

The access token includes claims that limit actions to the scopes granted during authentication (e.g. onedrive.readwrite). Savant validates these scopes before performing operations.

SDK Advantages:

Using the Microsoft Graph SDK ensures much of the low level HTTP handling, automatically managing token injection, error handling, and refresh logic, which aligns with modern security standards.