koltyakov / gosip

⚡️ SharePoint SDK for Go
https://go.spflow.com
MIT License

missing oauth2 instructions #53

Closed zubairk14 closed 1 year ago

zubairk14 commented 1 year ago

Describe the bug: The AddIn Only Auth section references that we can use OAuth bearer tokens for authenticating HTTP requests, but there's no example of an OAuth credential use...

// AuthCnfg - AddIn Only auth config structure
type AuthCnfg struct {
    // SPSite or SPWeb URL, which is the context target for the API calls
    SiteURL string `json:"siteUrl"`
    // Client ID obtained when registering the AddIn
    ClientID string `json:"clientId"`
    // Client Secret obtained when registering the AddIn
    ClientSecret string `json:"clientSecret"`
    // Your SharePoint Online tenant ID (optional)
    Realm string `json:"realm"`
}

Versions: ALL

To Reproduce: n/a

Expected behavior: Expecting some field to pass in a bearer token.


koltyakov commented 1 year ago

Hi @zubairk14,

Based on Client ID/Secret the AddIn Only strategy gets Bearer and uses it as an auth header.

If you already have a Bearer (e.g. retrieved with browser protocol automation) you can use it without other auth strategies.

E.g.:

package main

import (
    "fmt"
    "log"

    "github.com/koltyakov/gosip"
    "github.com/koltyakov/gosip/api"
    strategy "github.com/koltyakov/gosip/auth/anon"
)

func main() {
    // Anonymous strategy: performs no authentication of its own,
    // the Authorization header set below supplies the credential
    auth := &strategy.AuthCnfg{}
    client := &gosip.SPClient{AuthCnfg: auth}

    sp := api.NewSP(client)
    // Attach the pre-obtained bearer token to every request made through sp
    sp.Conf(&api.RequestConfig{Headers: map[string]string{"Authorization": "Bearer eyJr...fq7w"}})

    res, err := sp.Web().Select("Title").Get()
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("%s\n", res.Data().Title)
}

It could be helpful if you describe what you're going to achieve.
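The mechanism the maintainer describes above is plain HTTP: a token obtained elsewhere is placed in an `Authorization: Bearer ...` header on every request, and the SharePoint endpoint accepts or rejects it. The following is an added example, not gosip's code, showing that mechanism with only the Go standard library so it runs offline: a hypothetical `bearerTransport` RoundTripper injects the token (the same effect as the `RequestConfig` headers in the snippet above), a constructed `httptest` server stands in for a SharePoint `/_api/web` endpoint and answers 401 when the token is missing or wrong, and `GetWebTitle` reads the odata=verbose `{"d":{"Title":...}}` shape that `res.Data().Title` reads in the thread. All names and the sample token are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// bearerTransport is a hypothetical http.RoundTripper (not part of gosip) that
// attaches a pre-obtained OAuth2 bearer token to every outgoing request.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

// RoundTrip clones the request before adding headers: the RoundTripper
// contract forbids mutating the caller's request.
func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	r.Header.Set("Accept", "application/json;odata=verbose")
	return t.base.RoundTrip(r)
}

// NewBearerClient returns an http.Client whose every request carries the token.
func NewBearerClient(token string) *http.Client {
	return &http.Client{Transport: &bearerTransport{token: token, base: http.DefaultTransport}}
}

// NewFakeSharePoint starts a constructed stand-in for a SharePoint REST endpoint.
// It rejects requests whose Authorization header is absent, not a Bearer scheme,
// or a different token, which is how a real tenant responds to a bad token.
func NewFakeSharePoint(expectedToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const scheme = "Bearer "
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, scheme) || strings.TrimPrefix(h, scheme) != expectedToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.URL.Path != "/_api/web" {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"d":{"Title":"Constructed Site"}}`)
	}))
}

// GetWebTitle calls the SharePoint-style web endpoint and returns the site
// title together with the HTTP status code. On failure it reports only the
// status, never the token or the response body, so nothing sensitive reaches logs.
func GetWebTitle(client *http.Client, siteURL string) (string, int, error) {
	resp, err := client.Get(siteURL + "/_api/web?$select=Title")
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", resp.StatusCode, err
	}
	if resp.StatusCode != http.StatusOK {
		return "", resp.StatusCode, fmt.Errorf("sharepoint request failed: HTTP %d", resp.StatusCode)
	}
	var payload struct {
		D struct {
			Title string `json:"Title"`
		} `json:"d"`
	}
	if err := json.Unmarshal(body, &payload); err != nil {
		return "", resp.StatusCode, err
	}
	return payload.D.Title, resp.StatusCode, nil
}

func main() {
	// Constructed token and server; a real run would use a token from an
	// OAuth2 flow and the tenant's site URL instead.
	srv := NewFakeSharePoint("constructed-token")
	defer srv.Close()
	title, _, err := GetWebTitle(NewBearerClient("constructed-token"), srv.URL)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(title)
}
```

The site URL is still needed here, as in gosip: the token only proves who is calling, the URL says which site is being called, which answers the follow-up question below about whether the site URL is still necessary. Keeping the token inside the transport rather than in each call site also makes it easy to rotate and keeps it out of URL strings and error messages.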

zubairk14 commented 1 year ago

Hi Andrew, thank you for the super fast response!

I'm building a tool where users can link their SharePoint and perform a scan of their SharePoint resources. I don't imagine people will be interested in sharing their client secret directly, so I was hoping to use an OAuth2.0 flow (where a bearer token is generated).

If you already have a Bearer (e.g. retrieved with browser protocol automation) you can use it without other auth strategies.

So it won't be through AuthCnfg b/c there's no token field

type AuthCnfg struct {
    SiteURL  string `json:"siteUrl"`  // SPSite or SPWeb URL, which is the context target for the API calls
    TenantID string `json:"tenantId"` // Azure Tenant ID
    ClientID string `json:"clientId"` // Azure Client ID
    CertPath string `json:"certPath"` // Azure certificate (.pfx) file location, relative to config location or absolute
    CertPass string `json:"certPass"` // Azure certificate export password

    authorizer  autorest.Authorizer
    privateFile string
    masterKey   string
}

instead you're saying I can directly pass in like this?

sp.Conf(&api.RequestConfig{Headers: map[string]string{"Authorization": "Bearer eyJr...fq7w"}})

no siteurl, tenantid, clientid necessary?

koltyakov commented 1 year ago

I'd say to look at Azure Multi-tenant App. Azure auth strategy: cert, device.

zubairk14 commented 1 year ago

is Azure Device Flow supported for SharePoint on-premises or only SharePoint Online (Cloud) ?

koltyakov commented 1 year ago

Yes, Azure AD auth can be only used with SPO, as far as I know.

koltyakov commented 1 year ago

Going to close it. Feel free to reopen if needed.

zubairk14 commented 1 year ago

Hi Andrew, does your library require app permissions for auth instead of delegated permissions? Or both should work? https://learn.microsoft.com/en-us/graph/auth/auth-concepts

koltyakov commented 1 year ago

Hi @zubairk14,

Please check out this, this or that for cert-based (App permissions). Delegated should work for creds flow in theory (need to check), however I always used App permissions instead.