SharePoint API: Invalid Access Token Resource - sharepoint

I am trying to obtain an access token for use with the SharePoint Rest API. For my organizations base site. I am able to obtain a token and use that token to make subsequent requests successfully.
Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid (see image below):
Per the URI encoding standards, I replaced the "/" in the site url with "%2f" and I am able to get a token (see image below):
Next however, the requests using that token to the API fail:
{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
In the response header:
3000003;reason="Invalid audience Uri
'00000003-0000-0ff1-ce00-000000000000/{{tenant
removed}}%2fsites%2f{{removed}}#{{realm
removed}}'.";category="invalid_client"
Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?

I can see many developers making the same assumption when they create requests, since almost all documentation don't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid uri format, there is no validation done on the uri itself. Even if you get a token it will not work for any requests.
When fetching the access token for subsites (i.e: {{tenant}}/sites/testsite ). The resource part of the request body does not need to be modified.
So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:
00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com#{{realm}} (without /sites/testsite)
However, when you make HTTP requests to the API with the token, you should use the full site name. Example:
https://test.sharepoint.com/sites/testsite/_api/web/

Related

HTTP POST to Microsoft DevOps API Returns 404

I have carefully followed the documentation outlined here by Microsoft to create a Bug in Dev Ops via the API. The documentation is well written.
Steps followed:
In Dev Ops I created a Personal Access Token, the string value of which I converted to Base64.
In a separate Power Automate flow, I composed a list of the projects in my target DevOps Organization for testing purposes. The JSON for the projects in this Organization is as follows:
Now if I copy and paste this URL (in the picture above) into my browser it resolves correctly.
I created a Postman HTTP POST Request with the following details:
URL: https://dev.azure.com/{my org}/{Demo guid}/_apis/wit/workitems/{{taskType}}?api-version=7.0
Under Authorization I set the Bearer Token and pasted in my encoded PAT
The JSON Body is as follows:
The POSTMAN variable in the URL taskType is set to Bug
The request Headers are as follows:
Once again please note that if I paste the URL (1) in green into a browser it resolves correctly. However, the request returns a 404 Page not found.
I cannot understand why it is not finding the page, as I would expect a not authorized error if the problem was with the token.
Looks like you have {{taskType}} as a literal in your URL string.
Just try to perform a List to find all the valid taskTypes. Also drop the Bearer token and just use Basic Auth to keep it simple. The username should be empty and password should contain your AzDO PAT.
Needed to include the $ symbol. I am now getting authentication issues but this is outside the scope of the original submission.

SharePoint Online multi-tenant REST calls return 404 on resources that definitely exist

I am attempting to access the SharePoint Online REST API (this is hand coded REST calls, no library being used).
Access tokens are acquired using authorization grant flow as follows:
I send the browser https://login.microsoftonline.com/common/oauth2/authorize?...
This redirects to a handler endpoint that we extract the access code from
I obtain the tenant ID by:
GET https://{tenantname}.sharepoint.com/_vti_bin/client.svc
Then extracting the tenant ID from the WWW-Authenticate header
I then POST https://login.microsoftonline.com/{tenantid}/oauth2/authorize to obtain the access token
When I use that access token, I am able to do queries using:
GET https://{tenantname}.sharepoint.com/_api/search/query?querytext=....
This works and returns documents.
But when I attempt to retrieve information about one of those documents:
GET https://{tenantname}.sharepoint.com/_api/web/getfilebyserverrelativeurl('/TestFiles/test.pdf')
I get a 404 response with the following body:
{"odata.error":{"code":"-2130575338, Microsoft.SharePoint.SPException","message":{"lang":"en-US","value":"The file /TestFiles/test.pdf does not exist."}}}
If I navigate to the URL in a browser (https://{tenantname}.sharepoint.com/TestFiles/test.pdf), it accesses the file without issue.
This makes me think that I'm running into some sort of permission issue.
I have tried setting the following scopes in the authorize redirect:
Attempt 1: scope = Web.Write AllSites.Write Site.Write
Attempt 2: scope = https://{tenantname}.sharepoint.com/.default
Attempt 3: scope = https://{tenantname}.sharepoint.com/Web.Write https://{tenantname}.sharepoint.com/AllSites.Write https://{tenantname}.sharepoint.com/Site.Write
No matter what I set as the scope parameter of the authorize URL, the JWT details of the access token show (I can post the entire decoded JWT if anyone needs it):
"scp": "User.Read"
Nothing I do has any impact on the scp in the token - I have no idea if that's the issue or not. If it is, I would appreciate hearing how to properly request scope.
The application registration in Azure Active Directory has desired permissions (plus more):
What am I doing wrong?
UPDATE: Switching to OAuth endpoint v2.0:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
With query parameters:
response_type = code
client_id = my app id
redirect_uri = my redirect uri
scope = <varying - I'll explain what happens under different scenarios below>
Here's what I've tried for scopes:
AllSites.Write Site.Write - the redirect has invalid_client with error_description = AADSTS650053: The application '' asked for scope 'AllSites.Write' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
https://{tenantname}.sharepoint.com/AllSites.Write https://.sharepoint.com/Site.Write - the redirect has invalid_client with error description = AADSTS650053: The application '' asked for scope 'Site.Write' that doesn't exist on the resource '00000003-0000-0ff1-ce00-000000000000'. Contact the app vendor.
https://{tenantname}.sharepoint.com/.default - this goes through
But the resulting JWT has only scp=User.Read
The following works: GET https://{tenantname}.sharepoint.com/_api/search/query?querytext=
But the following returns a 404: GET https://{tenantname}.sharepoint.com/_api/web/getfilebyserverrelativeurl('/TestFiles/test.pdf')
I don't understand how Scope=.Default isn't including the allowed permissions from the application registration. And I definitely don't understand why the AllSites.Write scope is failing when it's explicitly specified.
If it helps, I have also tried all of the above using a tenant specific authorize endpoint instead of 'common':
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize
UPDATE2: More scope changes:
I finally found a magical combination that works:
Use a tenant based URI for the /authorize and /token endpoint and use {tenanturl}\AllSites.Write for the scope (do NOT specify the Site.Write scope):
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?response_type=code&client_id={clientid}&redirect_uri={redirecturi}&scope=https%3A%2F%2F{tenantname}.sharepoint.com%2FAllSites.Write
The resulting JWT has the following:
"scp": "AllSites.Write User.Read"
I am completely perplexed about why Site.Write wasn't allowed. I suppose that AllSites.Write is a superset of Site.Write, so maybe not needed?
All of my testing so far has been on my own tenant, next step is to test on a different tenant and make sure it actually works there as well.
It seems you use v1.0 endpoint https://login.microsoftonline.com/common/oauth2/authorize but not v2.0 endpoint https://login.microsoftonline.com/common/oauth2/v2.0/authorize. If we use v1.0 endpoint, we should use resource instead of scope. So that is why the scp claim in your access token always the same no matter you modify the scope.
You should use resource with https://{tenant-name}.sharepoint.com and the parameter scope is useless when you use v1.0 endpoint.
If you still want to use scope parameter, you can also change the endpoint to v2.0. Just add v2.0 into your endpoint, like: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
I finally found a magical combination that works:
use the https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize and https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token endpoints
specify {tenanturl}\AllSites.Write for the scope (do NOT specify the Site.Write scope - that was the primary problem):
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?response_type=code&client_id={clientid}&redirect_uri={redirecturi}&scope=https%3A%2F%2F{tenantname}.sharepoint.com%2FAllSites.Write
The resulting JWT has the following: "scp": "AllSites.Write User.Read"
This works across tenants and gets us the access we need.
For thoroughness, we also specify offline_access scope so we get a refresh_token in addition to the access_token.

How read async URL returned (in location header) by a Logic App authenticated through Oauth?

I've created a Logic App, which is configured to authenticate using AD Outh according to this:
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
This Logic App it takes a lot of time to execute and to avoid timeout the response was configured with Asynchronous Pattern as mention in:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations
The authentication with Bearer Token works and the Logic App responses with a URL (in Location header) in which finally will be stored the response.
The problem is that I cant't access to this URL because I'm receiving the next error:
{
"error": {
"code": "DirectApiAuthorizationRequired",
"message": "The request must be authenticated only by Shared Access scheme."
}
}
The problem is that the URL returned in the Location header only contains SAS keys when I run the Logic App using SAS and I need use only OAuth for securiry reasons.
Now, if try to access to this URL using Bearer token the response is:
{
"error": {
"code": "InvalidUseOfOAuthToken",
"message": "The requested operation is not supported, Use of open authentication token is only supported for workflow trigger request."
}
}
Here an example of the URL:
https://prod-05.southcentralus.logic.azure.com/workflows/a98d6ba3becd449db74ac0527a64ec57/runs/08585941366423271731798768425CU04/operations/c4d9cb98-03b3-4c44-87c3-5752c2ed403c?api-version=2016-10-01
So, understanding that is not posible access to this URL using OAuth, How can I force the header location to include the SAS parameters by consuming the logic app using OAuth?
Finally, solution proposed was to use the functionality "Create expiring callback URLs" for Async Logic Apps,
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#create-expiring-callback-urls
This consists of creating a temporary URL for each execution, these URL’s contain SAS parameter which will in cretain date . These URLs are created from a call to the ARM Rest API using a Bearer Token and specifying the date on which it will stop working. With this way there is no problem using SAS because are temporary.
https://learn.microsoft.com/en-us/rest/api/logic/workflowversions/listcallbackurl

Sharepoint REST api - Realm is not a configured realm of the current service namespace error 50169

I got this error trying to get an auth token from Sharepoint REST api. My SP is cloud based and I am using Postman to test the requests, as a previous attempt similarly ran into a dead end when much troubleshooting back and forth with Msoft lead no where .. Anyway, I have the following error and I was wondering if anyone could help me figure out what it is or how I can troubleshoot this issue.
error_description: "AADSTS50169: The realm 'realm' is not a configured realm of the current service namespace"
error_codes : 50169
I followed this tutorial
Thanks!
Edit: I went through and started again, this tut seems to be working I guess I may have missed a step (my guess is I didn't correctly configure the app permissions with xml when creating the app)
To do authorization of SharePoint online and use REST API via Postman, here is a solution for your reference:
First: get security Token
Access [https://login.microsoftonline.com/extSTS.srf] via Http Post method. The content of the http request is as follows.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
utility-1.0.xsd">
<s:Header>
<a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>[username]</o:Username>
<o:Password>[password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>[endpoint]</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
The demonstration screenshot in Postman:
And the response content will include a security token as below, we can use this security token to get Access Token of SharePoint.
Second: get Access Token
Here i show you how to get access token of SharePoint online using the security token and SharePoint Rest API.
Access [https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0] via http Post method. The content of the request is the security token that we have got above as below.
And the response as below:
We can see that there are two cookie, rtFa and FedAuth in response header, and these two cookie need to be added to the request in subsequent request.
Third: get Request Digest
Access [https://yourdomain.sharepoint.com/_api/contextinfo] via http Post method with that two cookies which we have got above.
And the response as below:
This is the final Token we want!
Then we can use REST API of SharePoint, we only need to add this token and the previous two cookie, as shown in the following figure.

Including "prompt=consent" on Office 365 OAuth authorization request for resource "https://graph.microsoft.com/" generates an error

I'm moving our existing Office365 API usage over to the Unified API (at https://graph.microsoft.com/v1.0).
For reasons explained in Adding an additional Windows Azure AD delegated permission to an existing grant, I need to include prompt=consent in my authorization request Url, and so up until now my authorization Url has looked like:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.windows.net%2f&prompt=consent&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code
..which (after auth and consent) returns me to something like:
https://login.airhead.io/services/reply/office365/oauth?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLeSvP6UG3gEwceCQ8hU_03hUjXRvPUfs_Y-324csuR0rDFE-qdNIsD0on-DjKGoSzvVL4PKh7_uQkghxtOGCZGEJ7GwcUDpvoHH86pjct3vAb94wPt8Pkdm46HhvPeBn6JDrK5VIBYdwxS2r8dLRmjqiyIBbGZDsOUCDymeFebYsFc-V39sQ9WFSx5ErjIeHvZ_Qf4zB1SDjT-iEqJPTW7H5bZpvFJQHhUqn3TvVL37Up4ZzkWxz5fb0zMk_7yKuz6G-DW6kz_Y1S30ZNgO45maDEw9KBqmdIR_NeewmFSKokgF4Unsfi__xNzjf6xO6VcMOidych7V7uQi_jxX7zP5hLvXgAoNmqBU-AnV2NVZ-5tq2s4w8vvl61TXUjR1MtwVf4TzcsL55uvyP16lid6JpWsdssZvWJNXna_zJC0Ok629vE5-4pzu-zF5C_PJztkx8VQ8QDmP4_JqkHkRmq2zO0doY25AF6Sh3odyNEx6IwWxe9jirPv_8NfwlmldYnpItzbmYlqLilOIEBNXpESgUmPz02A0Czu--pZP45JfjNDrVnUBBV9liPToK_QPe99xOSNHmk70h171M5BjVnhggAA&session_state=8494e152-60ab-4ddc-a247-ee55798e0595
..which allows me to continue with the flow, using the code auth'd against the old https://graph.windows.net/ resource. All good.
However, after modifying the resource param value on the authorization Url to https://graph.microsoft.com/ to authorize against the new Unified API, i.e.:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.microsoft.com%2f&prompt=consent&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code
..I'm returned an error response:
https://login.airhead.io/services/reply/office365/oauth?error=access_denied&error_description=AADSTS65005%3a+The+client+application+has+requested+access+to+resource+%27https%3a%2f%2fgraph.microsoft.com%2f%27.+This+request+has+failed+because+the+client+has+not+specified+this+resource+in+its+requiredResourceAccess+list.%0D%0ATrace+ID%3a+d9cc9773-feb5-42b4-9414-eaf64620fc0f%0D%0ACorrelation+ID%3a+ea1f37de-35bb-4b41-af49-c877dda75d11%0D%0ATimestamp%3a+2016-01-18+13%3a15%3a18Z
..with description "AADSTS65005: The client application has requested access to resource 'https://graph.microsoft.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list".
If I try the same authorization Url (against resource https://graph.microsoft.com/ again), but drop the prompt=consent param this time, i.e:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3a%2f%2fgraph.microsoft.com%2f&client_id=ec49c780-6767-46f2-8697-bdd816e42504&redirect_uri=https%3a%2f%2flogin.airhead.io%2fservices%2freply%2foffice365%2foauth&scope=UserProfile.Read+Calendars.Read+Files.Read+Sites.Read.All+Mail.Read&response_type=code
..it works.
The documentation at https://msdn.microsoft.com/en-US/library/azure/dn645542.aspx still suggests that prompt=consent is valid, so is the documentation wrong (i.e. I can't use prompt=consent with resource https://graph.microsoft.com/) or is this a bug?
It turns out there's a whole new set of scopes for v1.0 of graph.microsoft.com, which weren't needed during the preview. Adding these scopes to my app manifest resolved the issue. (facepalm)

Resources