fabric-app-lakehouse-livelisted

# Fabric App · Lakehouse Live Bridge The browser acquires a **delegated Fabric token** (the signed-in user's own identity) and POSTs straight to a Lakehouse "API for GraphQL" endpoint. Live data, per-user permissions and RLS, zero infrastructure, no secrets in the bundle. ``` browser → MSAL (Entra SSO, delegated) → POST → GraphQL API over the Lakehouse ``` A working reference implementation exists in the `fabric-apps-starter` repo, `template-lakehouse-live/` (Vite + React + MSAL, query console + token inspector). ## The recipe — order matters, each step gates the next **1. Validate CORS before writing code.** Preflight the GraphQL endpoint with the app origin: ```bash curl -X OPTIONS <graphql-endpoint> -H "Origin: https://<your-app-url>" \ -H "Access-Control-Request-Method: POST" -i # want: 200 + Access-Control-Allow-Origin echoing your origin ``` Fabric allows Fabric Apps origins by default. If this fails, nothing downstream can work. **2. MSAL singleton, initialized BEFORE render.** When the browser returns from `login.microsoftonline.com`, the SPA boots again and MSAL must parse the auth response on that load: ```ts // lib/msal.ts export const msal = new PublicClientApplication({ auth: { clientId, authority: `https://login.microsoftonline.com/${tenantId}`, redirectUri: window.location.origin }, cache: { cacheLocation: "sessionStorage" }, }); export async function bootstrapMsal() { await msal.initialize(); await msal.handleRedirectPromise(); /