I'm developing a web application that uses Office 365 authentication.
I need to access users' SharePoint files. The app is a Multi-Tenant application, it means that I don't know the Sharepoint URL, but I can use Microsoft Discover API to discover the Sharepoint URL of the current user.
I want to acess sharepoint files using the Microsoft.Sharepoint.Client library. Consider the following code:
ClientContext context = new ClientContext("https://discoveredserver.sharepoint.com");
// The SharePoint web at the URL.
Web web = context.Web;
// We want to retrieve the web's properties.
context.Load(web);
I get a 403 not authorized because the client object doesn't have the credentials. The problem is that I can't set credentials during runtime because I don't have it, the only thing that I have is the Bearer token, which allows the connection to the Sharepoint API, using an HTTP header authorization.
Is there any way to set the Bearer token in the Sharepoint client to call Sharepoint Web Services?
The following example demonstrates how to explicitly specify Bearer Token in ClientContext:
public static ClientContext GetClientContext(Uri webUri)
{
var ctx = new ClientContext(webUri);
ctx.ExecutingWebRequest += delegate(object sender, WebRequestEventArgs e)
{
string realm = TokenHelper.GetRealmFromTargetUrl(webUri); //get the realm
string accessToken = TokenHelper.GetAppOnlyAccessToken(TokenHelper.SharePointPrincipal, webUri.Authority, realm).AccessToken; //get access token
e.WebRequestExecutor.WebRequest.Headers.Add("Authorization", "Bearer " + accessToken);
};
return ctx;
}
Usage
using (var ctx = GetClientContext(webUri))
{
ctx.Load(ctx.Web);
ctx.ExecuteQuery();
}
The ACS-based access token used by a SharePoint provider-hosted app cannot be used for other services such as the Discovery Service.
http://blogs.msdn.com/b/kaevans/archive/2015/03/20/an-architecture-for-sharepoint-apps-that-call-other-services.aspx
If you need to use the Discovery Service or other services protected by Azure AD, you will need to first authenticate the user using Azure AD.
http://blogs.msdn.com/b/kaevans/archive/2015/03/23/using-openid-connect-with-sharepoint-apps.aspx
Once authenticated, you need to request an access token specific to the resource requested. My example shows Exchange Online, but you can change this to use the SharePoint Online API easily.
http://blogs.msdn.com/b/kaevans/archive/2015/03/23/call-o365-exchange-online-api-from-a-sharepoint-app.aspx
use the secure setting
string pass="your password"
SecureString password = new SecureString();
foreach (var item in pass.ToCharArray())
{
password.AppendChar(item);
}
var ctx = new ClientContext("yourSiteName");
ctx.Credentials = new SharePointOnlineCredentials(username, password);
Related
I have
Registered Azure Application
that have full control permissions to the SharePoint site
and these variables
SharePoint Site Url
TenantId
ClientId
ClientSecret
I need to upload a document to the SharePoint Site Folder.
I tried to use PnP Core SDK but I am not able to configure the Authentication, it seems that there is no authentication provider to just accept plain password (UsernamePasswordAuthenticationProvider does not accept name of the application as a username).
Overall the PnP Core SDK is adding a lot of complexity to my console application because it depends on Microsoft.Extensions.Hosting.Host.
is there a way how to authenticate via PnP or should I use REST API directly?
Alternatively the PnP Framework that will be deprecated (if I understand the documentation correctly) can authenticate towards Azure Application, but this is only documentation I found.
Any idea or recommendation?
Update
When I try this (PnP Framework)
using Microsoft.SharePoint.Client;
using PnP.Core.Model.SharePoint;
using PnP.Framework;
ClientContext context =
new AuthenticationManager()
.GetACSAppOnlyContext(
siteUrl: "siteUrl",
appId: "clientId",
appSecret: "password");
IFolder? folder = (IFolder?)context.Web.Folders.Where(f => f.Name == directory).FirstOrDefault();
if (folder == null) throw new Exception("Folder not found.");
folder.Files.Add(filename, content, overwrite);
I am getting this exception
Microsoft.SharePoint.Client.CollectionNotInitializedException: 'The
collection has not been initialized. It has not been requested or the
request has not been executed. It may need to be explicitly
requested.'
Any Idea how to explicitly request the collection?
According to my research and testing, if you want to connect to SharePoint Online with Azure App credentials, you can use the following code, and then upload file to SharePoint:
string siteUrl = "https://contoso.sharepoint.com/sites/demo";
using (var cc = new AuthenticationManager().GetACSAppOnlyContext(siteUrl, "[Your Client ID]", "[Your Client Secret]"))
{
cc.Load(cc.Web, p => p.Title);
cc.ExecuteQuery();
Console.WriteLine(cc.Web.Title);
};
Here is a document about upload file to SharePoint, you can refer to the code in this document: Upload a document to a SharePoint list from Client Side Object Model
Also, you can try to install Microsoft.SharePointOnline.CSOM to fix the error:
Microsoft.SharePoint.Client.CollectionNotInitializedException: 'The
collection has not been initialized. It has not been requested or the
request has not been executed. It may need to be explicitly
requested.'
More information for reference: Granting access using SharePoint App-Only
Create ClientContext
using Microsoft.SharePoint.Client;
using PnP.Framework;
ClientContext _context =
new AuthenticationManager()
.GetACSAppOnlyContext(
siteUrl: siteUrl,
appId: appId,
appSecret: appSecret);
Method for uploading the file
public void UploadFile(Stream stream, string listTitle, string directory, string filename, bool overwrite)
{
List list = _context.Web.Lists.GetByTitle(listTitle);
var url = Path.Combine(directory, filename);
var file = new FileCreationInformation() { ContentStream = stream, Overwrite = overwrite, Url = url };
var addedFile = list.RootFolder.Files.Add(file);
_context.Load(addedFile);
_context.ExecuteQuery();
}
Call example
UploadFile(stream, "Documents", "Shared Documents/FooSubFolder/", "filename.txt", true)
I am trying to automatize the provision of a SharePoint Online Site Collection. I am doing it with SharePoint CSOM. If I create the ClientContext(Microsoft.SharePoint.Client) object
with SharePointOnlineCredentials, everthing works fine such as creating sub sites/list/libraries, upload custom master pages, setting web properties etc. (By the way we are using Publishing Site)
ClientContext ctx = new ClientContext(contextWebUrl);
SecureString sec_pass = new SecureString();
Array.ForEach(contextPassword.ToArray(), sec_pass.AppendChar);
sec_pass.MakeReadOnly();
ctx.Credentials = new SharePointOnlineCredentials(contextUserName, sec_pass);
return ctx;
But i don't have user's password on production environment because we have to use ADAL authentication and we have only Access Token. So i have to create ClientContext object by using this token. Like;
ClientContext ctx = new ClientContext(siteUrl);
ctx.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
{
e.WebRequestExecutor.WebRequest.Headers.Add("Authorization", "Bearer " + siteToken.AccessToken);
if (digestValue != null)
{
e.WebRequestExecutor.WebRequest.Headers.Add("X-RequestDigest", digestValue.FormDigestValue);
e.WebRequestExecutor.WebRequest.Accept = "application/json;odata=verbose";
}
};
return ctx;
by this way getting something from SharePoint works but if i try to _set_ something such as create a subsite or deploy a master page to catalogs library i am getting 401 as below.
Access denied. You do not have permission to perform this action or access this resource
I thought that it was an update issue but even though i have used X-RequestDigest nothing changed.
Some people have encountered same issue when uploading documents but all answers are about using rest api directly and this cant solve my issue.
The token which is being used in second method is related to application client Id.
So Azure application needs necessary permission as similar as user's. In Azure Portal/Azure Active Directory, i gave AllSites.FullControl permission to the application which i use to signin and get access token.
Hereby this problem has been resolved.
I configured azure application proxy for our on-premise hosted web service and turned on Azure AD authentication. I am able to authenticate using ADAL but must find a way to get the token and call web service without ADAL now (we are going to use this from Dynamics 365 online and in sandbox mode I can't use ADAL). I followed some examples regarding service to service scenario and I successfully retrieve the token using client credentials grant flow. But when I try to call the app proxy with Authorization header and access token, I receive an error "This corporate app can't be accessed right now. Please try again later". Status code is 500 Internal server error.
Please note the following:
I don't see any error in app proxy connectors event log.
I added tracing on our on-premise server and it seems like the call never comes there.
If I generate token with ADAL for a NATIVE app (can't have client_secret so I can't use client credentials grant flow), I can call the service.
I created an appRole in manifest for service being called and added application permission to the client app.
This is the way I get the token:
public async static System.Threading.Tasks.Task<AzureAccessToken> CreateOAuthAuthorizationToken(string clientId, string clientSecret, string resourceId, string tenantId)
{
AzureAccessToken token = null;
string oauthUrl = string.Format("https://login.microsoftonline.com/{0}/oauth2/token", tenantId);
string reqBody = string.Format("grant_type=client_credentials&client_id={0}&client_secret={1}&resource={2}", Uri.EscapeDataString(clientId), Uri.EscapeDataString(clientSecret), Uri.EscapeDataString(resourceId));
HttpClient client = new HttpClient();
HttpContent content = new StringContent(reqBody);
content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-www-form-urlencoded");
using (HttpResponseMessage response = await client.PostAsync(oauthUrl, content))
{
if (response.IsSuccessStatusCode)
{
DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(AzureAccessToken));
Stream json = await response.Content.ReadAsStreamAsync();
token = (AzureAccessToken)serializer.ReadObject(json);
}
}
return token;
}
AzureAccessToken is my simple class marked for serialization.
I assume it must be something I haven't configured properly. Am I missing some permissions that are required for this scenario?
Any help is appriciated.
I'm trying for the first time to get access to 365 using oauth2, for my Native Application.
I have registered my application in Azure AD.
The documentation says, "...In the Azure Management Portal, select your application and choose Configure in the top menu. Scroll down to keys."
But in (my) Azure Application, Configure properties, I only have Name, Client ID, URL and Logo, and the Permissions area - No "Keys" area.
Am I missing something?
Web Application And/OR Web API
As tou are looking for KEYS , You need to create your application in AD as Web Application or web API
then you can find the Key and secret.
Native Client Application
If you're developing a native client app, you don't need the keys because this auth flow doesn't require them.
So first of all you need to use ADAL (Active Directory Authentication Library) use the right version for your client program.
Then you should to reference your AD configuration for the App, note there are no KEYs required.
// Native client configuration in AzureAD
private string clientID = "3dfre985df0-b45640-443-a8e5-f4bd23e9d39f368";
private Uri redirectUri = new Uri("http://myUrl.webapi.client");
Then prepare AD authority URL and create the Auth Context.
private const string authority = "https://login.windows.net/cloudalloc.com";
private AuthenticationContext authContext = new AuthenticationContext(authority);
That's all, after that you need to ask for access tokens depending on the resource you want to access.
AuthenticationResult result = null;
try
{
result = authContext.AcquireToken(resource, clientId, redirectUri, PromptBehavior.Never);
}
catch (AdalException ex)
{
if (ex.ErrorCode != "user_interaction_required")
{
// An unexpected error occurred.
MessageBox.Show(ex.Message);
}
}
the resource could be a webapi or office 365 resource URI
We are using Azure AD authentication for one of our client application. We want to implement claims based authorization along with it.
Our application set up is Angular Based client app connecting with Web API (both client server secured using Azure AD Bearer Authentication). Server application is hosted using OWIN.
We need to provide custom authorization on server side. There is a provision in Azure AD for adding users and roles. However, that is not enough for us. Our user management is through AD & Security Groups. To gain access to application, users need to part of a base group and further rights (access particular section of application, edit a specific entity etc.) are assigned based on additional groups or given directly to users in the application. Essentially, not all users will be registered in the application and we may have to query the AD using graph API to check which all application specific groups they belong.
OWIN authentication and authorization model is based on Authentication Server and Resource server. We can separate them on need basis. However, in our case, we need to split the authentication and authorization. When the client presents the bearer token, we need to verify if the token is valid and then add claims to user profile. We also need to cache the user claims so that we do not hit the database frequently. (Our client app make multiple Web API calls in one user action.)
What is the location in Identity 2.0 where
I can verify the token &
insert application specific claims
If my entire application revolves around the user authorization and all queries need to be filtered on what data the user can access, which is a more suitable design pattern for the Web API application?
I believe what you're looking for are the Authentication and Authorization filters in the ASP.NET Web API 2.0 stack.
You can implement per-web method authorization by implementing System.Web.Http.Filters.IAuthorizationFilter on an attribute class, then decorate the web action methods of your service controller with that attribute. Web API 2.0 will select a method based on URL routing, notice that there is an attribute on that method implementing IAuthorizationFilter, and will call the ExecuteAuthorizationFilterAsync method on that attribute instance before calling the web method. Placing the authorization step before the web method invocation allows invalid requests to be discarded quickly, before getting into the heavy lifting of parameter binding.
The incoming token is validated by an IAuthenticationFilter implementation which executes before the authorization step.
Documentation and examples are extremely hard to find. Here's one of the few search results that are actually relevant: http://thegrumpycoder.com/post/105427070626/secure-web-services-with-web-api-and-sitecore
you can check if this helps...
UserProfile profile = new UserProfile(); //To deserialize the response stream (JSON)
string tenantId = ClaimsPrincipal.Current.FindFirst(TenantIdClaimType).Value;
AuthenticationResult result = null;
try
{
// Get the access token from the cache
string userObjectID =
ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")
.Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
//use ClientID, ClientSecret
ClientCredential credential = new ClientCredential("b557ceed-xxxx-xxxx-xxxx-xxxxxxxbc240", "AXFxx//xxxxxxxxxxxxxjVFz4sqYm8NDAPEOLkU=");
result = authContext.AcquireTokenSilent("https://graph.windows.net", credential,
new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
// AcquireTokenSilent may throw exception if the cache is empty. In that case, logout the user and make him login.
string requestUrl = String.Format(
CultureInfo.InvariantCulture,
"https://graph.windows.net/cdmsdev.onmicrosoft.com/groups/b40xxxx-14a8-xxxx-9559-xxxxxxca90c8/members/?api-version=1.6");
//Above grap API url is for getting list of users who belong to a specific group (with GUID b40xxxx-1....)
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = client.SendAsync(request).Result;
if (response.IsSuccessStatusCode)
{
var upn = ClaimsPrincipal.Current.Identity.Name;
string responseString = response.Content.ReadAsStringAsync().Result;
profile = JsonConvert.DeserializeObject<UserProfile>(responseString);
if (profile.Users.Contains(upn)) //check if the current user is in the list of users of the Admin group
return true;
}
}
catch (Exception e)
{
//handle authorization exception here
}
The graph API URL can be replaced with a function to check for membership of a specific group which will directly return a bool value instead of getting all users of that group.