I have an application which is using data from SharePoint 2013, but the client secret has expired. How can I renew it?
Related
I am trying to get client certificate claims authentication working with SharePoint 2019 (on premise) for users who don't have Active Directory accounts.
Internal users already authenticate to SharePoint with forms authentication mapping to an AD user and their claims flow through to SharePoint. But now there will be a lot of external users who will have client certificates (X.509), but no AD account to map to.
I have gotten the IIS setup configured so SharePoint is asking for a client certificate and tries to authenticate with the one selected, but that's where I've hit a wall.
I am thinking the solution will involve some custom .NET code that validates the client certificate by checking some of the certificate values and that the topmost root certificate in the chain matches what is expected with a thumbprint or an issuer.
Once the client certificate has been validated, I can map to a generic AD user (think HR department or Accounting department), then somehow push some claims and authentication stuff to SharePoint.
I am using a SharePoint claims viewer web part to see the current user's claims once authenticated to know where the claim came from and what value it has, so I should be able to compare a forms auth login to a client certificate login when this is done.
My questions are:
Is this solution concept the correct approach? If not, what's a better way to think about this?
How do I build the custom authentication code (is that a membership provider, a custom STS, a custom claims provider)? Are there SharePoint 2019 templates out there for interfaces and events SharePoint expects to invoke?
How do I deploy the custom authentication code into SharePoint?
There is IIS Client Certificate Mapping Authentication: https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/
I have not used it with SharePoint, but it allows IIS to authenticate users presenting a client certificate, like with any other authentication (e.g. AD-integrated client certificates). Instead of AD, the mapping is done in the web.config file.
My requirement is described below.
User uploads the document through web-app and document saves in to shared location.
An application service (cron job or server code) selects the documents and extracts the details.
The cron job sends the details to the SharePoint REST API, which is protected by Azure AD (OAuth protocol).
I have a valid Azure client ID and secret ID which has application-level access permission. I got an access token from Azure AD using the Azure client ID and secret ID with the help of simple Java code, but I am getting the following error when I call the SharePoint Online REST service using the OAuth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1. Get the security token from the Microsoft authentication portal.
2. Get the cookies from the SharePoint Online server.
3. Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
To access Office 365 from Java, we can use the Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java
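The AudienceUriValidationFailedException in the question is SharePoint Online rejecting a token whose aud claim does not name the resource the request is sent to. The following added example (not from the question or the answer above, and not Microsoft's code) shows a client-side sanity check that decodes the token's claims and compares the audience and validity window against the target before the call is made. It constructs its own unsigned sample tokens with a dummy signature so it runs offline; the tenant name contoso.sharepoint.com, the tenant-id and client-id placeholders are assumptions, and the check deliberately does not verify the signature, since the resource server does the real validation.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is only a pre-flight look at what we are about to send; the resource
    server (SharePoint Online here) still performs the real validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_resource(token: str, expected_audience: str,
                             now: Optional[float] = None) -> List[str]:
    """List the reasons the resource server would reject this token.

    An empty list means the audience and the nbf/exp window look right for a
    request to `expected_audience`. Azure AD issues one token per resource, so
    a token minted for another resource (e.g. Graph) fails the audience check.
    """
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems: List[str] = []

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: token aud={aud!r}, "
                        f"request target={expected_audience!r}")

    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("token expired or has no exp claim")

    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        problems.append("token not yet valid (nbf in the future)")

    return problems


def make_sample_token(aud: str, exp: int, nbf: int) -> str:
    """Build a CONSTRUCTED sample token for offline demonstration only.

    The header claims RS256 but the signature segment is a dummy; a real token
    comes signed from Azure AD. The issuer and appid values are placeholders.
    """
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/<tenant-id>/",  # placeholder
        "nbf": nbf,
        "exp": exp,
        "appid": "<client-id>",  # placeholder
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


if __name__ == "__main__":
    target = "https://contoso.sharepoint.com"  # assumed tenant resource URL
    # A token obtained for a different resource: this is the situation that
    # surfaces as AudienceUriValidationFailedException on the SharePoint side.
    wrong = make_sample_token("https://graph.microsoft.com", 2_000_000_000, 1_000_000_000)
    for problem in check_token_for_resource(wrong, target, now=1_500_000_000):
        print("refusing to send token:", problem)
    right = make_sample_token(target, 2_000_000_000, 1_000_000_000)
    print("problems with matching token:", check_token_for_resource(right, target, now=1_500_000_000))
```

Run the check on the token your Java code receives before each REST call; if the audience it reports differs from the SharePoint site you are calling, the fix is on the token-request side (ask Azure AD for the SharePoint resource), not in the REST call.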
I have created a WebApi and hosted it on an Azure server. Now I want to get data from Microsoft Dynamics CRM into this API with the logged-in Office 365 user's credentials.
So when I call the WebApi from Office 365 it takes the Office 365 logged-in user's credentials and gets data from the CRM of the same user.
For getting Dynamics 365 data you need the access token which, as you mentioned, is granted by the Office 365 OAuth server. Assuming that you already registered your app in Azure Active Directory and gained your client ID and secret key, you also need to give permission to your app to access Dynamics 365 (using Required permissions in the Settings panel of the app registration).
After setting up your app in Azure AD, you can redirect your user to the Office 365 login page (OAuth 2.0 Authorization Endpoint) for getting the access token. There are different methods to do it. In my experience I used getting the token using Authentication code, but generally you need to compose a URL to the login page with the following parameters:
'https://login.windows.net/' + tenant + '/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=<state>&resource=<resource>'
In the case of Authentication code it returns a code which you can use to acquire the token. Microsoft developed some drivers which do it for you. If you use Node.js you can check out adal; for sure they have something similar for .NET.
After getting your access token, you just need to call your Dynamics 365 (resource) to get the data.
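The redirect step described in the answer above, written out as an added example (this is not the answer author's code and not ADAL): it builds the authorize URL from the same template and parameters, generates the state value as an unguessable per-login secret, and refuses a callback whose state does not match, which is what the state parameter is for. The tenant, client ID, redirect URI and Dynamics resource URL are constructed placeholders, and the callback URL at the bottom is a constructed sample. The subsequent exchange of the code for a token at the token endpoint (done server-side with the client secret, as the answer says the libraries handle) is described in a comment rather than performed, so the block runs offline.

```python
import secrets
import urllib.parse

# Authority prefix exactly as in the answer's URL template.
AUTHORITY = "https://login.windows.net/"


def new_state() -> str:
    """Unguessable per-login value.

    Store it server-side in the user's session before redirecting and compare
    it on return; a callback with a different state is not a continuation of
    a login this application started.
    """
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        resource: str, state: str) -> str:
    """Compose the OAuth 2.0 authorization-code request URL from the answer's template."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "resource": resource,  # the API the token is for (Dynamics 365 here)
    }
    return (f"{AUTHORITY}{urllib.parse.quote(tenant)}/oauth2/authorize?"
            f"{urllib.parse.urlencode(params)}")


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to redirect_uri.

    The state check comes first: a code arriving with an unexpected state is
    discarded unread. The code returned here is then exchanged for the access
    token at the tenant's /oauth2/token endpoint, server-side, together with
    the client secret; that network step is not performed in this example.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to a login we started")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own registration details.
    state = new_state()
    url = build_authorize_url(
        tenant="contoso.onmicrosoft.com",
        client_id="11111111-2222-3333-4444-555555555555",
        redirect_uri="https://app.example/callback",
        resource="https://contoso.crm.dynamics.com",
        state=state,
    )
    print("redirect the browser to:", url)
    # Constructed sample of what the browser brings back to redirect_uri.
    sample_callback = f"https://app.example/callback?code=AQABconstructed&state={state}"
    print("authorization code:", parse_callback(sample_callback, state))
```

The resource value decides which API the resulting token is valid for, so a token requested with the Dynamics resource cannot be reused against another API; request one per resource.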
I want to create an application to get contacts from my Office 365 with v2 app model preview (https://msdn.microsoft.com/en-us/office/office365/api/use-outlook-rest-api#v2appmodelpreview).
But I have a problem with access to http://outlook.office.com/api/v2.0/me/contacts. After authorization I have the access token and the refresh token. Then I can get contacts information.
But after an hour my access token is invalid. Using the refresh token I get a new access token. But when I try to access my contacts I receive the error "access token is invalid".
I try to do the same with Azure AD and everything is good. Can anybody help me?
I have OAuth token generated from Azure ADFS.
I am using this to connect to Office 365 to get users' calendar events, which is all working fine.
Now I want to generate a link in my application which, when clicked by users, should redirect to their Office 365 calendar directly without prompting for any credentials.
Can this be done?
Appreciate your help.
No, because the OAuth token represents a set of access rights granted by a user to your client at some point in the recent past, and this does not mean that the user is still logged in.