I have to integrate SharePoint with my web app (I just want to show the content of the user's account).
For that, I have researched and I am looking for the SharePoint integration with the REST API through the OAuth process. Right now I have found a different way where users have to create their own SharePoint app and share their username and password, and then I can get the data with their credentials on their behalf.
The above approach is not a good option.
Please help if someone knows how to get SharePoint content through the OAuth approach with REST.
You are able to connect to Microsoft Graph, which hosts an API for the Office 365 entities such as Calendar, Mail, SharePoint etc.
In order to authenticate, you need to follow the OAuth 2.0 flow. This involves the generation of access tokens, which are then used in place of a username/password.
More information about the MS Graph API and setting up authentication, as well as a number of SDKs, can be found at: https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0
I want to read mails of users of a specific domain (tenant) using the Outlook API. However, I don't have privileges to register a new app in the Azure portal for that domain, and so I am not able to use the Graph API. We cannot use the Outlook API without an OAuth app. In this case, is using IMAP/POP3 my only choice? How secure is it to use IMAP/POP3 to read mails when compared to the Azure AD Graph API? Please advise.
It depends on what you really want to achieve.
If you just want to read the messages, configuring your mailbox in Outlook or another email client with IMAP/POP3 is a preference. You don't need to worry about its security; it has been in service for decades.
For Microsoft Graph API, to call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. See Authentication and authorization basics for Microsoft Graph to learn more details about it.
So the point is how you want to read your email.
If you are developing your own app, using Microsoft Graph API is certainly the best choice. You can test GET https://graph.microsoft.com/v1.0/me/messages to list your emails in Microsoft Graph Explorer without registering an app in Azure AD.
I've created an SPFx feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the currently logged-in SharePoint user to this API, validate them to ensure that the user is actually logged in to SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code as that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx-to-API authentication mechanism is described in detail in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.
I wanted to implement O365 authentication in my current project. My intention is to standardize/centralize the login of employees and the administrative staff of the portal using Microsoft O365 authentication.
I managed to test out some of the sample projects online and it seems a bit confusing because there are different ways of authenticating.
My ideal implementation is something as the drawing below.
On the API gateway for the employee front-end portal, I wanted to implement a gateway to verify the Microsoft access_token passed and obtain the (sid / object_id) to cross-check with my employee database for function access.
As for the Administrator front-end portal, it will be responsible for syncing the users from Azure AD daily automatically, or the admin triggers the sync manually.
What confuses me is that there are several ways to obtain the access_token; some tokens managed to return the info I wanted, but I'm not entirely sure if that is the correct implementation.
For the case of verifying and syncing users from Azure AD, both accept a different access_token in order to get the data/information.
Would any expert here mind guiding me to the correct path for implementing the design above, or correcting the implementation if it is not correct?
After scouring the internet, I've found a variety of answers to this question, but nothing is clear. With an Azure AD app, it looks like Yammer Delegate permissions are included, so I would imagine that I could use the ADAL token from the app to interact with Yammer APIs, but I have been running into issues. Has anyone else got this working? Is there any way to silently authenticate with Yammer in SharePoint Online?
The Yammer Delegate permissions are a preview feature. Long-term we plan to integrate fully with the O365 developer experience, but we aren't quite there yet. Today, Yammer supports a number of scenarios that don't align with O365. Once the product better aligns, it's going to be possible to provide much deeper integration (not just limited to developer APIs). One limitation of the delegate permission is that it won't work with networks that are using Yammer Identity. Another is that some endpoints might not accept the tokens.
The supported authentication flows for Yammer are documented on the developer site and these support users with all authentication types for Yammer. With these APIs you'll end up juggling an additional Yammer-only token. It is possible to use impersonation to silently authenticate users without them being prompted to authorize the Yammer app. There is a blog post providing an overview of how this can be used in combination with the Yammer JS SDK, but the tokens could be used from other clients.
Since I have my users' login and password, can I silently log into their Microsoft Graph?
I want to fetch info from the Office 365 API from a server app, so therefore I cannot have a Microsoft login window popping up.
Thanks
You want to use the confidential client flow for authenticating to the Graph API. See the section "Daemon or Server Application to Web API" in this document for details. Of course you'll need to be the admin of your Azure AD, or have the admin's trust and blessing, in order to use this flow, as the user isn't involved in the process themselves.
I've been trying to use it for calendaring apps. The flow login works fine but be aware that there are some limitations on using the Graph API with this authentication flow type (specifically interacting with Unified Groups calendars in my case).
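The confidential client (daemon) flow from the answer above, as an added Node.js example that is not from the answer or any Microsoft SDK: a client credentials token request against the v2.0 token endpoint with expiry-aware caching, followed by an app-only Graph call for a user's calendar events. Tenant, client id, secret and the injected `fetchImpl`/`clock` are assumptions for illustration.

```javascript
// Daemon / server app: OAuth 2.0 client credentials grant against the v2.0
// token endpoint. No user signs in, so the app acts with application
// permissions an admin has consented to and requests the resource's /.default.
function createAppTokenProvider({ tenant, clientId, clientSecret }, fetchImpl, clock = () => Date.now()) {
  const tokenUrl = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
  const SKEW_MS = 60 * 1000; // renew a minute before the token actually expires
  let cached = null; // { token, expiresAt } with expiresAt in ms since epoch

  return async function getToken() {
    if (cached && cached.expiresAt - SKEW_MS > clock()) return cached.token;
    const body = new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      scope: 'https://graph.microsoft.com/.default',
      grant_type: 'client_credentials',
    });
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    const json = await res.json();
    // Typical failures here are a wrong secret or missing admin consent; surface
    // AAD's error code rather than caching a non-token.
    if (!res.ok || !json.access_token) throw new Error(`${json.error}: ${json.error_description}`);
    cached = { token: json.access_token, expiresAt: clock() + json.expires_in * 1000 };
    return cached.token;
  };
}

// App-only Graph call: a given user's calendar events (needs an application
// permission such as Calendars.Read granted to the app registration).
async function getUserCalendarEvents(getToken, userPrincipalName, fetchImpl) {
  const token = await getToken();
  const url = `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(userPrincipalName)}/events`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`Graph returned ${res.status}`);
  return (await res.json()).value;
}
```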