Really need your help here. struggling with this for almost a week and still have not found how to do it.
Get access denied all the time.
Browser scenario works for me
I have a gmail user let's name it testuser#gmail.com which is registered in sharepoint and have permissions to access a site.
In the browser, when I enter https://mytenant.sharepoint.com/subSite2 it uses Ouath2, it prompts me to select the user
I select testuser#gmail.com and then it signs me in.
Then I run the following sharepoint rest api https://mytenant.sharepoint.com/subSite2/_api/web and it works!!!
I have no problem with none external users, I use the https://paulryan.com.au/2014/spo-remote-authentication-rest/
article and all works!!.
For external user I understand that I need to use the Oauth2 authentication.
I have an app registered in Azure AD with Sharepoint Sites.Read.All and Sites.Search.All.
I'm using java, and I tried to do it with code with all possible oauth2 authentication flows (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows), using MSAL and ADAL.
I pass the client id and secret and manage to login, but when I run the rest api with the required headers:
Authorization: Bearer <token_access>
Accept: application/json;odata=nometadata
I get:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
Can anyone give me a clue how to do this?? This is the list of stuff I tried:
https://www.advaiya.com/blog/access-sharepoint-rest-api-using-oauth/
https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Scenarios
Download the samples and none of it work for me
https://medium.com/#anoopt/accessing-sharepoint-data-using-postman-sharepoint-rest-api-76b70630bcbf
(but this does not include using a user :( )
Thank you very much!!!
Did you go for SharePoint App registration:
https://yourtenantname.sharepoint.com/_layouts/15/appregnew.aspx
, which basically involves creating an app and assigning permissions:
https://yourtenantname.sharepoint.com/_layouts/15/appinv.aspx
Permission XML Sample:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
Right="FullControl"/>
</AppPermissionRequests>
and then trusting the app in SharePoint?
Then you can use generated client id and secret to get the access token that is further used in Authorization headers for SharePoint rest API requests.
Related
I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.
I've read the docs and looked at many different forums for the solution but as of yet I've been unsuccessfull in obtaining a SPO specific access token, although I think I'm close.
I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862
This is what I've done:
Registered an Azure App: (Image of my Azure App Overview)
Created a client secret in the App dashboard: (Image of the client secret page)
Successfully sent a request to https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token using the client secret in Postman: (Image of Postman request)
The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the afforementioned StackOverflow answer suggests you need to "swap" for an SPO specific access token.
How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?
I wrote this gist to guide you into getting Sites.Selected access to the desired site:
https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542
This guide shows you how to configure this as Application permissions, and via the Graph API.
I've found going through the Graph API is the best way to go.
Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.
In the guide is described that you have to get a delegated auth token from graph but you are getting an application auth token. The token response of this flow does not contain a refresh_token. See here.
But you already wrote that you are not able to provide a user sign-in experience. One workaround would be to once manually get the access_token and refresh_token of a user with the delegated flow and then periodically get a new access_token with the refresh_token on your server. You could store these values in your database and update them when you fetch a new one.
First, the daemon-based client credential flow does not return a refresh token for you. You also can't redeem the refresh token of the graph API for an access token for SPO, which are two completely different API resources.
To get an access token for SPO you just need to set scope to: https://{tenant-name}.sharepoint.com/.default.
I try to integrate with Microsoft Teams like get class, add class ...
I have access as admin to Teams, and I get tenant id and client id, but require redirect_uri. I don't know what thas mean ? I can put a http://localhost ..? and how to do this , right now I download xammp ...
I use postman to get and post api , I need a brief step and information to do this, I look to official documentation of Microsoft Teams I don't understand all think so I need a good programmer to help understand every step.
Regards
To access any protected resource like Microsoft Graph API, you need to register in Azure AD, get a token. During the app registration you need to specify the Redirect URI/reply URL; it's the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. Authorization server sends the code or token to the redirect URI, so it's important you register the correct location as part of the app registration process. Here are the steps.
I understand how to access the Sharepoint REST API using interactive authentication, i.e. having a user at the computer type a username/password into a webapp. Is there a way to let a commandline app access the API? e.g. connect and query a Sharepoint list without user intervention?
I've registered a native client in the tenant and have an AppId (no app secret) but all API calls return 401 Unauthorized. I've also tried accessing via the Graph API but get 403 Forbidden. These are both using the access_token from the initial client_credentials flow of a tenant registered web app, which I would expected to have worked.
It doesn't appear to be possible to get an access_token using only an AppId as the flow requires a client secret.
This says:
This type of permission requires administrator consent and is also not
available for native client applications
which doesn't appear to make sense as it requires administrator permissions for something that can't be done. If native clients can't access APIs it's not clear what they're for. Perhaps the above refers to web apps rather than native clients, i.e. an Admin can allow a web app to connect using an access_token without a user context.
Regarding getting the token from SharePoint (using the SharePoint REST API) please see my answer to this post: https://stackoverflow.com/a/52582017/6445723
The mechanism is basically the same, you do the POST request described there from your application and get the answer in the FormDigestValue property. Use this value henceforth in ALL your API calls by placing it into the X-RequestDigest HTTP header.
AFAIK there is no difference in authentication mechanisms for native clients or other web applications. Some libraries like the SharePoint PnPJS can abstract out the REST call above, but they do pretty much the same thing.
You need to enable Basic Authentication credentials are sent in clear text in Authentication Providers. Goto Central Admin>> Security>>Security Authentication providers>> In Right side dropdown select the Application and click on default
Tick Basic Authentication in Claims Authentication Types
I would like to upload a given file to Sharepoint. I'm using the Microsoft Graph API.
The documentation follows this workflow:
1. If no token, redirect the user to the Microsoft signin page.
2. The user is then redirected to the application, with an access token
3. Use access token to have an authorization bearer
4. Do what you gotta do...
My problem is the sign-in part. I don't want my users to be redirected to the Microsoft signin page. I want my application to connect and get the access token in the background (with cURL or whatever).
How can I do that? Why is the "open in browser" necessary?
I tried to replicate the sign-in process, but all I get back is the HTML response from the signin page.
Thanks in advance.
Your application act as a single-tenant service or daemon app.
The documentation about this scenario is here : https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
The application must be registered in the AzureAD directory corresponding to the Office365 tenant
A first request is made by passing the application unique identifier and secret key as registered in the directory. This request returns an access token
The access token can now be used in the Authorization header of the following request to the Microsoft Graph API.
This method (of using Client ID and Secret) works well but there are other ways which may be better suited for similar scenarios.
The one major thing which is missing in access token generated this way is a user, meaning the token only contains the identity of the OAuth application (client) which called it but is not associated with any user for the request.
This could have a couple of implications:
Since the token is not associated with a specific user you will not know who performed the operation. In your example, you would not know who uploaded the file (and other similar information may be missing).
Access token without users will not work at all for some methods. For those, you need a delegated token.
Creating a delegated token requires some effort, if you are interested you can find the details in my article:
Getting Access Token for Microsoft Graph Using OAuth REST API
I am relatively new to Azure Active Directory and the Graph API. My goal is to be able to write a python program which invokes the Graph APIs to create users in the Azure Active Directory. Let us assume that I have the credentials of the Global Admin for my Azure Active Directory.
I am following the documentation provided at this link. I am successfully able to create a user by using the Graph Explorer as I am using the Global Admin's credentials to login. However, I am unable to do the same via my python program (or even Postman REST client). I get an error message stating "Insufficient privileges to complete the operation." I am using the following python library to obtain an access token using the client credentials: ADAL python library
It looks like I am not following the correct procedure while obtaining the access token to make my call. I even tried obtaining the access token directly using a REST client. It would be great if someone could review the steps below to highlight any mistakes:
Step 1: Hit the following endpoint
[HTTPS]/login.microsoftonline.com/[my-organization]/oauth2/authorize?client_id=[client-id]&response_type=code&response_mode=query&resource=00000002-0000-0000-c000-000000000000
Step 2: Note down the 'code' query parameter from the above request. Then make the following request.
POST [HTTPS]/login.windows.net/[my-orgranization]/oauth2/token?api-version=1.0
HEADERS:
Content-type application/x-www-form-urlencoded
BODY:
code=[code received from Step 1]
client_id=[client id of my app in Azure]
client_secret=[client secret of my app in Azure]
grant_type=authorization_code
scope=openid
Please note that the values above were URL encoded appropriately.
I have even tried sending the global admin's credentials (username/password) in Step 2 as a last ditch effort but to no avail.
Any pointers in this regard would be greatly appreciated.
Thanks in advance.
The error you are receiving is a result of the configuration of your application. Specifically, you need to configure your app to have the proper permissions to create users when calling the AAD Graph API.
Take a look here at the permission scopes available through the AAD Graph API.
To create users you will need either Directory.ReadWrite.All or Directory.AccessAsUser.All. You can check that you have done this all correctly by looking at your access token, and confirming that these claims appear in your access token.
If you do not have these claims, go back to your app registration and make sure to add the appropriate permissions to the AAD Graph API.
Note that when you update your application's permissions, you will need to force a consent prompt again to consent to the new permissions you are requesting, otherwise the authentication will continue to succeed with the OLD permissions you have requested. In order to force consent, simply add &prompt=consent to the end of the authorize URL.
Let me know if this helps!