koltyakov / gosip

⚡️ SharePoint SDK for Go
https://go.spflow.com
MIT License

SP Online authentication question #37

Closed brett0701 closed 3 years ago

brett0701 commented 3 years ago

Hi,

We recently moved our SharePoint instance to SharePoint online. To access SharePoint online api, we had to register an app and obtain tenant-id, client-id/client-secret and then use that information to obtain a token. Once we have the bearer token we can then access the SP API. Does this library offer this type of authentication?

koltyakov commented 3 years ago

Hi @brett0701,

Are you referencing SharePoint Add-In or AAD App Registration?

Please take a look at these strategies:

Add-In Only Auth is considered legacy and in the long run will be completely replaced with AAD auth. On some new tenants, Add-In Only auth (to my knowledge) might be disabled by default.

There is also a capability for injecting custom authentication flows (https://go.spflow.com/auth/custom-auth).

koltyakov commented 3 years ago

I would also like to improve AAD auth within Gosip and add these strategies into core; currently AAD strategies are in an experimental repo. So if the existing implementation doesn't cover some edge cases, please feel free to reach out to me with requests.

koltyakov commented 3 years ago

I'd recommend reading this article https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

The described flow is implemented in https://go.spflow.com/auth/custom-auth/azure-certificate-auth

It's likely that only Certificate Based auth will work with SharePoint. Others (available in AAD https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authorization#use-environment-based-authentication) will return "401 Unauthorized :: Unsupported app only token.".

I added environment variables injection through private.json files:

UPD: this is for /azureenv auth; for /azurecert (the new strategy I added recently) the payload is strictly defined.

{
  "siteUrl": "https://contoso.sharepoint.com/sites/site",
  "env": {
    "AZURE_TENANT_ID": "74881cec-5c58-4ac0-a11f-0fd2e9caa4af",
    "AZURE_CLIENT_ID": "d7202cb6-fc7d-45f6-bcfd-c24128ee4df8",
    "AZURE_CERTIFICATE_PATH": "./certs/MyCert.pfx",
    "AZURE_CERTIFICATE_PASSWORD": "MyPass"
  }
}

Variables placed into the env property are set as environment variables for the Azure AD library and unset right after it reads them.

koltyakov commented 3 years ago

Going to close this.

brett0701 commented 3 years ago

Hi Andrew. Thanks for all of the information. I'm not sure any of the current solutions fit my need.

Basically we need to only pass the bearer token in the header when accessing the SharePoint Online list. The token is obtained by calling https://accounts.accesscontrol.windows.net/ /tokens/OAuth/2 . To obtain the token, you need to have the ClientID, ClientSecret, Tenant Id and resource. The token does contain an expiry date so that must be checked before making calls to SharePoint Online. Once you have the token, you can then use that for SharePoint Online API access.

Regards,
Brett

On Friday, January 15, 2021, 06:21:44 AM EST, Andrew Koltyakov notifications@github.com wrote:

Going to close this.


koltyakov commented 3 years ago

Hi @brett0701,

accounts.accesscontrol.windows.net is used with Add-In Only auth. Yes, this is covered. Tenant ID is optional and not required, just ClientID and ClientSecret.

Please check, should just work.
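The token handling Brett describes for the Add-In Only (ACS) flow, shown as an added Go example that is not gosip's own code: parse the token response, keep the expiry, and refuse to reuse a token that is about to expire. It assumes the ACS response carries the token in `access_token` and the expiry in `expires_on` as a string-encoded Unix timestamp; the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// acsTokenResponse models the body the ACS token endpoint returns
// (accounts.accesscontrol.windows.net/<tenant>/tokens/OAuth/2).
// Assumption: expires_on arrives as a string-encoded Unix timestamp.
type acsTokenResponse struct {
	ExpiresOn   string `json:"expires_on"`
	AccessToken string `json:"access_token"`
}

// cachedToken is a bearer token plus the instant it stops being valid.
type cachedToken struct {
	Value     string
	ExpiresAt time.Time
}

// parseACSToken decodes an ACS response, rejecting empty or unparsable fields.
func parseACSToken(body []byte) (cachedToken, error) {
	var r acsTokenResponse
	if err := json.Unmarshal(body, &r); err != nil || r.AccessToken == "" {
		return cachedToken{}, fmt.Errorf("malformed acs response (err=%v)", err)
	}
	secs, err := strconv.ParseInt(r.ExpiresOn, 10, 64)
	if err != nil {
		return cachedToken{}, fmt.Errorf("bad expires_on %q: %w", r.ExpiresOn, err)
	}
	return cachedToken{Value: r.AccessToken, ExpiresAt: time.Unix(secs, 0)}, nil
}

// needsRefresh reports whether the token must be re-acquired before a call:
// empty tokens and tokens within skew of expiry are treated as expired.
func (t cachedToken) needsRefresh(now time.Time, skew time.Duration) bool {
	return t.Value == "" || !now.Add(skew).Before(t.ExpiresAt)
}

// sampleACSBody is a constructed response; the token value is a placeholder.
const sampleACSBody = `{"token_type":"Bearer","expires_on":"1610726400","access_token":"PLACEHOLDER.TOKEN"}`

func main() {
	tok, _ := parseACSToken([]byte(sampleACSBody)) // constructed input, parses cleanly
	fmt.Println("Bearer "+tok.Value, tok.needsRefresh(time.Now(), 5*time.Minute))
}
```

Send the token as `Authorization: Bearer <token>` and call needsRefresh before every request; a non-zero skew keeps a request from leaving with a token that expires in flight.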