koltyakov / gosip

⚡️ SharePoint SDK for Go
https://go.spflow.com
MIT License
145 stars 33 forks

SharePoint Token type is not allowed #55

Closed edmundrotimi closed 1 year ago

edmundrotimi commented 1 year ago

I am using an authentication object, but each time I try I get '{"error":"invalid_request","error_description":"Token type is not allowed."}'

import "os"
import strategy "github.com/koltyakov/gosip/auth/addin" // assumed: the AddIn-only strategy, which is the one with these fields

auth := &strategy.AuthCnfg{
     SiteURL:      os.Getenv("SPAUTH_SITEURL"),
     ClientID:     os.Getenv("SPAUTH_CLIENTID"),
     ClientSecret: os.Getenv("SPAUTH_CLIENTSECRET"),
}

I have registered the new app using https://{site}/_layouts/15/AppRegNew.aspx and given full permission to the app using https://{site}/_layouts/15/appinv.aspx

 <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" 
     Right="FullControl" />
 </AppPermissionRequests>

I can likewise see the app is available in the Site App Permissions list using https://{site}/_layouts/15/appprincipals.aspx, and I can use the client ID and client secret in Postman without error.

koltyakov commented 1 year ago

Hey @edmundrotimi, could it be this?

jhoelzel commented 1 year ago

For me that worked! Thank you.

koltyakov commented 1 year ago

Added this info to the docs.

edmundrotimi commented 1 year ago

Thanks, @koltyakov and @jhoelzel , for the reply. When I eventually deploy, will I need to apply this fix to a Linux environment?

koltyakov commented 1 year ago

Nothing to do with the library or your solution; it's SharePoint tenant configuration.

edmundrotimi commented 1 year ago

@koltyakov I implemented the fix but cannot connect to the API. Each time I try to add a folder, I get the error "unable to request API: 403 Forbidden:: {"error":{"code":"-2147024891, System.UnauthorizedAccessException", "message":{"lang": "en-US", "value": "Access denied."}}}" but it works when I try:

       // auth is the AuthCnfg from the first message; imports: fmt, log, github.com/koltyakov/gosip, github.com/koltyakov/gosip/api
       client := &gosip.SPClient{AuthCnfg: auth}
       sp := api.NewSP(client)

       res, err := sp.Web().Select("Title").Get()
       if err != nil {
            log.Fatal(err) // stop here: res must not be used after an error
       }
       fmt.Printf("%s\n", res.Data().Title)

jhoelzel commented 1 year ago

To be honest I'm ending up with the same result here, but so far I thought it was me: 2023/03/24 00:20:56 Error uploading file: unable to request api: 403 Forbidden :: {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"de-DE","value":"Zugriff verweigert."}}} (German: "Access denied.")

My guess is that something with the token auth went offline with the deprecation of some auth mechanism for new customers. Or in other words, MS is cleaning up.

I followed this guide three times (for a single site) to no avail on my end: https://github.com/s-kainet/node-sp-auth/wiki/SharePoint-Online-addin-only-authentication

My current guess is that it now needs to be an Active Directory app with the correct permissions in the Graph API.

"Sites.FullControl.All" still gives me permission denied though.

On a related note, is there a way to see all these clients I have created, to delete them?

best, Johannes

PS: thanks for this repository, this is exactly what I need

edmundrotimi commented 1 year ago

@jhoelzel to see the client created you can use https://.sharepoint.com/sites//_layouts/15/appprincipals.aspx

koltyakov commented 1 year ago

Dummy question: are you sure you didn't generate the AddIn creds as a user who has only read-only permissions to the actual content?

MS is trying to drop AddIn Only. If you start experiencing issues, it could be time to migrate to the recommended authentication via Azure Apps. If it's a dev-time experience or you can't go with Azure App configuration immediately, On-Demand auth could work as an alternative.

I have not yet faced any issues with AddIn in my tenant, btw.

edmundrotimi commented 1 year ago

@koltyakov, thanks for the reply. Kindly permit my question: within the On-Demand login, can you kindly clarify what "SPAUTH_SITEURL" refers to?

koltyakov commented 1 year ago

@edmundrotimi that's the siteUrl parameter; you don't necessarily have to get it from env variables. It's the site collection/site URL where you target the code to communicate with the SharePoint API.

Same as here:

[screenshot]

On-Demand opens the site in an anonymous browser session where you can authenticate with user credentials and confirm 2FA if needed; when the popup closes, the session token is passed to the code.

Keep in mind this technique works well when you can code from your local machine, at development time, not for headless jobs on a server.

edmundrotimi commented 1 year ago

@koltyakov thanks for the reply. I am still faced with the same error pattern despite using On-Demand login. I can access the site name using:

   // auth is the On-Demand AuthCnfg; imports: fmt, log, github.com/koltyakov/gosip, github.com/koltyakov/gosip/api
   client := &gosip.SPClient{AuthCnfg: auth}
   sp := api.NewSP(client)

   res, err := sp.Web().Select("Title").Get()
   if err != nil {
        log.Fatal(err) // stop here: res must not be used after an error
   }
   fmt.Printf("%s\n", res.Data().Title)

However, each time I try to create a folder, I get the error "unable to request API: 403 Forbidden: {"error":{"code":"-2147024891, System.UnauthorizedAccessException", "message":{"lang": "en-US", "value": "Access denied."}}}".
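
Two different error bodies appear in this thread: the token endpoint's '{"error":"invalid_request","error_description":"Token type is not allowed."}' from the first message, which is a tenant-configuration problem, and the REST 403 '{"error":{"code":"-2147024891, System.UnauthorizedAccessException", ...}}' above, which is a permissions or path problem. The following is an added example, not code from this thread or from gosip: it parses both shapes out of the "unable to request api: <status> :: <body>" error string quoted in this thread and classifies the cause so a job can log the right next check instead of a raw JSON blob. The sample strings are constructed to match the messages quoted above, not captured from a tenant.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Cause is the practitioner-facing diagnosis of a failed SharePoint call.
type Cause int

const (
	CauseUnknown             Cause = iota
	CauseTokenTypeNotAllowed       // token endpoint rejected the AddIn-only token: fix tenant configuration, not code
	CauseAccessDenied              // 403 UnauthorizedAccessException: check UI permissions, the registering user, and that the path is an existing library folder
)

// Diagnosis is what Diagnose extracts from an error string.
type Diagnosis struct {
	Status  int    // HTTP status from the "unable to request api: <status> ..." prefix, 0 if absent
	Code    string // SharePoint error code, or the OAuth "error" name
	Message string // human-readable message from either body shape
	Cause   Cause
}

// Token endpoint body: {"error":"invalid_request","error_description":"Token type is not allowed."}
type oauthError struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// SharePoint REST body: {"error":{"code":"...","message":{"lang":"...","value":"..."}}}
type restError struct {
	Error struct {
		Code    string `json:"code"`
		Message struct {
			Value string `json:"value"`
		} `json:"message"`
	} `json:"error"`
}

var statusRe = regexp.MustCompile(`\b([1-5][0-9]{2})\b`)

// Diagnose parses "unable to request api: 403 Forbidden :: {json}" (the shape quoted in this thread)
// into status, code and message, then classifies the cause. A message without the "::" separator is
// treated as a bare body, which is how the token endpoint's error appears; anything else stays CauseUnknown.
func Diagnose(err error) Diagnosis {
	var d Diagnosis
	if err == nil {
		return d
	}
	msg := err.Error()
	head, body := "", msg
	if i := strings.LastIndex(msg, "::"); i >= 0 {
		head, body = msg[:i], msg[i+2:]
	}
	if m := statusRe.FindStringSubmatch(head); m != nil && strings.Contains(strings.ToLower(head), "unable to request api") {
		d.Status, _ = strconv.Atoi(m[1])
	}
	// Keep only the JSON object (first "{" to last "}") so surrounding quotes or log prefixes do not matter.
	if s, e := strings.Index(body, "{"), strings.LastIndex(body, "}"); s >= 0 && e > s {
		body = body[s : e+1]
	}
	var rest restError
	var oauth oauthError
	switch {
	case json.Unmarshal([]byte(body), &rest) == nil && rest.Error.Code != "":
		d.Code, d.Message = rest.Error.Code, rest.Error.Message.Value
	case json.Unmarshal([]byte(body), &oauth) == nil && oauth.Error != "":
		d.Code, d.Message = oauth.Error, oauth.Description
	}
	switch {
	case strings.Contains(d.Message, "Token type is not allowed"):
		d.Cause = CauseTokenTypeNotAllowed
	case d.Status == 403 || strings.Contains(d.Code, "UnauthorizedAccessException"):
		d.Cause = CauseAccessDenied
	}
	return d
}

// Constructed samples in the shapes quoted in this thread, not captured from a real tenant.
var (
	SampleTokenType      = `{"error":"invalid_request","error_description":"Token type is not allowed."}`
	SampleAccessDenied   = `unable to request api: 403 Forbidden :: {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied."}}}`
	SampleAccessDeniedDE = `unable to request api: 403 Forbidden :: {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"de-DE","value":"Zugriff verweigert."}}}`
)

func main() {
	for _, s := range []string{SampleTokenType, SampleAccessDenied, SampleAccessDeniedDE} {
		d := Diagnose(errors.New(s))
		fmt.Printf("status=%d code=%q message=%q cause=%d\n", d.Status, d.Code, d.Message, d.Cause)
	}
}
```

Wrap the error returned by any gosip call (`Folders().Add`, `Web().Get()`, ...) with `Diagnose` before logging it; the German body is classified the same way as the English one because the decision is made on the status and the exception name, not on the localized message.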

koltyakov commented 1 year ago

Sounds like you actually have no permissions for this action. Did you check you can do the same action in the UI?

edmundrotimi commented 1 year ago

@koltyakov I can create multiple folders and files from the UI.

edmundrotimi commented 1 year ago

@koltyakov I have double-checked the permission multiple times to confirm I have access.

koltyakov commented 1 year ago

Please share code how you're creating a folder.

edmundrotimi commented 1 year ago

@koltyakov sending it now. Thanks.

koltyakov commented 1 year ago

Are you actually trying to use this: sharepoint.CreateFolder("parentPath", "folderName")?

The parent path parameter, which you then use in sp.Web().GetFolder(parentPath), will fail if the path doesn't stand for a valid serverRelativeURL of an existing folder. Check the samples out: https://go.spflow.com/samples/documents#adding-new-folder.

Folders should only be created in SPFolder objects; it can't be a random path.

P.S. You leaked the client ID/secret, so I removed your last message to avoid somebody taking the creds. I'd recommend removing the AddIn registration which was leaked.

edmundrotimi commented 1 year ago

Hi @koltyakov, thanks for the reply. I deleted the credentials already. I will check https://go.spflow.com/samples/documents#adding-new-folder. Thanks again.

edmundrotimi commented 1 year ago

@koltyakov since GetFolder gets a folder object that already exists in SP, why does Folders().Add give an error if the parent folder already exists?

koltyakov commented 1 year ago

The folder path should be a correct server relative path of an existing folder in a document library.

Try this:

package main

import (
	"fmt"
	"log"
	"os"

	"github.com/google/uuid" // assumed: the uuid package matching uuid.New().String()
	"github.com/koltyakov/gosip"
	"github.com/koltyakov/gosip/api"
	"github.com/koltyakov/gosip/auth/addin"
)

func main() {
	// Any gosip auth strategy works here; AddIn is used to match the SPAUTH_* variables from the first message
	auth := &addin.AuthCnfg{
		SiteURL:      os.Getenv("SPAUTH_SITEURL"),
		ClientID:     os.Getenv("SPAUTH_CLIENTID"),
		ClientSecret: os.Getenv("SPAUTH_CLIENTSECRET"),
	}
	sp := api.NewSP(&gosip.SPClient{AuthCnfg: auth})

	randomParentFolder := uuid.New().String() // Random name so each run passes the test

	// Getting a common library rules out an incorrect path
	docsRootFolder := sp.Web().Lists().GetByTitle("Documents").RootFolder()
	parentFolder, err := docsRootFolder.Folders().Add(randomParentFolder)
	if err != nil {
		log.Fatal(err)
	}

	// This is a sample of the path you need to provide to the GetFolder() method
	fmt.Printf("Parent folder relative path: %s\n", parentFolder.Data().ServerRelativeURL)

	// Getting by the parent and creating a child
	childFolder, err := sp.Web().GetFolder(parentFolder.Data().ServerRelativeURL).Folders().Add("childFolder")
	if err != nil {
		log.Fatal(err)
	}

	// The path of the child folder
	fmt.Printf("Child folder relative path: %s\n", childFolder.Data().ServerRelativeURL)

	// Clean up test
	if err := sp.Web().GetFolder(parentFolder.Data().ServerRelativeURL).Delete(); err != nil {
		log.Fatal(err)
	}
}
edmundrotimi commented 1 year ago

@koltyakov Thanks for the help; your last message was really helpful.

koltyakov commented 1 year ago

So I guess AddIn should also work. My expectation is that you were getting 403 while constructing a resource path which doesn't exist or trying to create a folder outside a document library.

Going to close this. Thanks for using the library!
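
The closing diagnosis, and the earlier note that the parent path must be the server-relative URL of an existing folder in a document library, can be turned into a check that runs before any request is sent. The following is an added example, not code from this thread or from gosip: it builds the server-relative path that `sp.Web().GetFolder(...)` takes (the thread shows this is the `Data().ServerRelativeURL` form) from a site URL, a library root folder name and a folder path, and rejects paths that resolve outside the library or contain characters SharePoint Online does not accept in folder names. The site URL and the library root name "Shared Documents" are constructed assumptions; in real code take the root folder from the list you fetched, as the maintainer's sample does. Going beyond the specific case in the thread, it also handles paths that are already server-relative and `..` traversal, which matters when folder names come from user input.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Characters SharePoint Online does not accept in file and folder names ("/" is the separator).
const invalidNameChars = `"*:<>?\|`

// LibraryFolderPath builds the server-relative URL that sp.Web().GetFolder(...) expects for a
// folder inside a document library, and rejects anything that cannot be a folder in that library.
//   siteURL      site collection or web URL, e.g. https://contoso.sharepoint.com/sites/dev (constructed)
//   libraryRoot  the library's root folder name, e.g. "Shared Documents" (assumed; in real code read
//                it from the RootFolder() of the list returned by the API)
//   folderPath   either relative to the library root ("Parent/Child") or already server-relative
//                ("/sites/dev/Shared Documents/Parent"), which is what Data().ServerRelativeURL gives
func LibraryFolderPath(siteURL, libraryRoot, folderPath string) (string, error) {
	u, err := url.Parse(siteURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("site URL must be absolute: %q", siteURL)
	}
	if libraryRoot == "" || strings.ContainsAny(libraryRoot, invalidNameChars+"/") {
		return "", fmt.Errorf("invalid library root folder name: %q", libraryRoot)
	}
	sitePath := path.Clean("/" + strings.Trim(u.Path, "/")) // "/" for the root site, "/sites/dev" otherwise
	libraryPath := path.Join(sitePath, libraryRoot)

	// path.Join and path.Clean resolve "." and "..", so a traversal such as "../Lists/Tasks" lands
	// outside the library and is caught by the prefix check below instead of reaching SharePoint as
	// a path that does not exist and coming back as 403.
	full := path.Join(libraryPath, folderPath)
	if strings.HasPrefix(folderPath, "/") {
		full = path.Clean(folderPath)
	}
	if full != libraryPath && !strings.HasPrefix(full, libraryPath+"/") {
		return "", fmt.Errorf("%q is not inside library %q", full, libraryPath)
	}
	for _, seg := range strings.Split(strings.TrimPrefix(full, libraryPath), "/") {
		if strings.ContainsAny(seg, invalidNameChars) {
			return "", fmt.Errorf("invalid folder name %q in %q", seg, full)
		}
	}
	return full, nil
}

func main() {
	site := "https://contoso.sharepoint.com/sites/dev" // constructed, not a real tenant
	inputs := []string{"Parent/Child", "", "/sites/dev/Shared Documents/Parent", "../Lists/Tasks", "/sites/dev/SiteAssets", `Parent\Child`, "a:b"}
	for _, p := range inputs {
		full, err := LibraryFolderPath(site, "Shared Documents", p)
		if err != nil {
			fmt.Printf("%-38q rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-38q -> GetFolder(%q)\n", p, full)
	}
}
```

Call `LibraryFolderPath` on whatever path you are about to hand to `sp.Web().GetFolder(...)`; a rejection is a bug in how the path was built, which is cheaper to find locally than as an "Access denied" from the API.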