koltyakov / sp-rest-proxy

🌐 SharePoint API Proxy for local development
MIT License

Can't get it working with SharePoint online #5

Closed svdoever closed 8 years ago

svdoever commented 8 years ago

I have a site on SharePoint Online; normally I authenticate with my company e-mail address and my company password. Should this scenario also work with sp-rest-proxy? In this case I'm normally redirected to my company login page and then redirected back to the SharePoint site.

koltyakov commented 8 years ago

Hi Serge,

sp-rest-proxy uses sp-request for delivering requests to SharePoint, which uses node-sp-auth for authentication. Luckily, some time before, ADFS support was added to the available authentication mechanisms.

You are the first to ask about ADFS for sp-rest-proxy. It's not a big deal to wrap up the new auth parameters, available in node-sp-auth, into sp-rest-proxy. But I need some time to do it in a robust way and update the readme file.

Theoretically (I didn't test it), if you take config/_private.conf.json and add the ADFS auth parameters (username, password, relyingParty, adfsUrl) it would work, as all the parameters from the private config are passed to credentialOptions. The password can be in plain or hashed form as well. Also, it is necessary to make sure that sp-request is updated to v2.x.x or higher.

koltyakov commented 8 years ago

Please check the following settings capability on this page.

For ADFS auth these settings shall be used:

The only thing is, I had no chance to check it, as there is no ADFS-configured environment at my disposal right now.

svdoever commented 8 years ago

Hi @koltyakov, thank you so much for diving into this!

What is the best way to update sp-request to 2.x.x when using sp-rest-proxy by installing it through npm?

I now have the following configuration:

{
    "siteUrl": "https://mycompany.sharepoint.com/sites/MySite",
    "username": "serge@mycompany.nl",
    "password": "mypassword",
    "relyingParty": "urn:sharepoint:portal",
    "adfsUrl": "https://sts.mycompany.nl/adfs"
}

Is this somewhere near what you would expect?

koltyakov commented 8 years ago

What is the best way to update sp-request to 2.x.x when using sp-rest-proxy by installing it through npm?

You could update the current version of sp-rest-proxy to the latest one, which contains a reference to the newest sp-request, by running:

npm install sp-rest-proxy@latest --save-dev

It will update its dependencies automatically, including sp-request with node-sp-auth.

The --save or --save-dev option should correspond to the current dependency type.

I now have the following configuration

Configuration seems to be correct.

svdoever commented 8 years ago

I found here that "For SharePoint Online this parameter should be equal to urn:federation:MicrosoftOnline".

I used the sample code from https://github.com/s-KaiNet/node-sp-auth:

var spauth = require('node-sp-auth');
var request = require('request-promise');

spauth
    .getAuth('https://mycompany.sharepoint.com/sites/mysite', {
        username: 'serge@mycompany.nl',
        password: 'password',
        relyingParty: 'urn:federation:MicrosoftOnline',
        adfsUrl: 'https://sts.mycompany.nl'
    })
    .then(function (data) {
        var headers = data.headers;
        headers['Accept'] = 'application/json;odata=verbose';

        request.get({
            url: 'https://mycompany.sharepoint.com/sites/mysite/_api/web',
            headers: headers,
            json: true
        }).then(function (response) {
            console.log(response.d.Title);
        });
    });

but I can't get it working... Do you know of any tool to test against the company STS whether the URL is correct and the login works?

I get the following error:

Unhandled rejection TypeError: Cannot read property '0' of undefined
    at /Users/Serge/projects/serge/MyCompanySharePointOnlineAuthentication/node_modules/node-sp-auth/lib/src/auth/resolvers/AdfsCredentials.js:58:86

I'm a bit clueless on how to go from here....

s-KaiNet commented 8 years ago

Hi Serge, let me try to jump in :) Can you please confirm that you have at least read permissions on the root site collection of your SharePoint tenant, i.e. https://mycompany.sharepoint.com ?

koltyakov commented 8 years ago

Also, could you please check your relying party like here in the article?

svdoever commented 8 years ago

@s-KaiNet I have read permissions on the root site collection.

@koltyakov I don't have access to the environment to check this :-(

With Fiddler we see that a POST is done on https://sts.mycompany.nl/adfs/services/trust/13/usernamemixed

A SAML token is returned; this token is posted to https://mycompany.sharepoint.com/_trust/, which should return a FedAuth cookie. This does not happen. SharePoint Online gives an HTML response containing “Something went wrong…”, so no cookies are set.

The problem seems to be that SharePoint Online does not accept SAML tokens from ADFS; the ADFS SAML token should be retrieved at the Microsoft Online Security Token Service (https://login.microsoftonline.com/extSTS.srf), and that token should be sent to SharePoint Online. But how?

s-KaiNet commented 8 years ago

Hmm.. maybe my assumption regarding ADFS with SharePoint Online was wrong...
In that case, can you try to use user credentials directly? I.e. SharePoint Online user credentials authentication, supplying your company name and password? SharePoint Online user creds auth does exactly the same thing you described: it posts to the MS Online STS, then posts the received token to SP Online.
Maybe that will work.
The other, last option you can use (if everything fails) is add-in only authentication.

s-KaiNet commented 8 years ago

Besides, I will try to reproduce your error. The problem I'm having is the absence of a validly configured environment (SP Online + ADFS).

svdoever commented 8 years ago

I tried the SharePoint Online user credentials example you provided, but get the error (I'm sure my password is correct):

Unhandled rejection Error: <S:Fault>
  <S:Code>
    <S:Value>S:Sender</S:Value>
    <S:Subcode>
      <S:Value>wst:FailedAuthentication</S:Value>
    </S:Subcode>
  </S:Code>
  <S:Reason>
    <S:Text xml:lang="en-US">Authentication Failure</S:Text>
  </S:Reason>
  <S:Detail>
    <psf:error>
      <psf:value>0x80048821</psf:value>
      <psf:internalerror>
        <psf:code>0x80041012</psf:code>
        <psf:text>The entered and stored passwords do not match.</psf:text>
      </psf:internalerror>
    </psf:error>
  </S:Detail>
</S:Fault>
    at OnlineUserCredentials.postToken (C:\q\DeloiteAuthenticate\node_modules\node-sp-auth\lib\src\auth\resolvers\OnlineUserCredentials.js:90:19)
    at C:\q\DeloiteAuthenticate\node_modules\node-sp-auth\lib\src\auth\resolvers\OnlineUserCredentials.js:59:26
    at tryCatcher (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\util.js:16:23)
    at Promise._settlePromiseFromHandler (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\promise.js:510:31)
    at Promise._settlePromise (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\promise.js:567:18)
    at Promise._settlePromise0 (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\promise.js:612:10)
    at Promise._settlePromises (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\promise.js:691:18)
    at Async._drainQueue (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\async.js:138:16)
    at Async._drainQueues (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\async.js:148:10)
    at Immediate.Async.drainQueues [as _onImmediate] (C:\q\DeloiteAuthenticate\node_modules\bluebird\js\release\async.js:17:14)
    at processImmediate [as _immediateCallback] (timers.js:383:17)
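
The fault above is thrown as raw XML, which makes it hard to see at a glance that the STS reported wst:FailedAuthentication with psf codes 0x80048821/0x80041012. The following is an added example, not code from node-sp-auth or sp-rest-proxy: a dependency-free parser for the SOAP fault returned by the Microsoft Online STS on a failed RequestSecurityToken call, so a client can surface the WS-Trust subcode and the psf error codes as a structured error. The sample fault and success response are constructed for the demo (the fault is modelled on the one quoted above), and the hint texts are this example's own wording.

```javascript
// Added example (not node-sp-auth's or sp-rest-proxy's code): parse the SOAP
// fault the Microsoft Online STS returns on a failed RST, without a network
// call and without an XML library. Tag names follow the fault quoted in the issue.

// Constructed sample fault, modelled on the one quoted in the issue.
const SAMPLE_FAULT = `<S:Fault>
  <S:Code>
    <S:Value>S:Sender</S:Value>
    <S:Subcode>
      <S:Value>wst:FailedAuthentication</S:Value>
    </S:Subcode>
  </S:Code>
  <S:Reason>
    <S:Text xml:lang="en-US">Authentication Failure</S:Text>
  </S:Reason>
  <S:Detail>
    <psf:error>
      <psf:value>0x80048821</psf:value>
      <psf:internalerror>
        <psf:code>0x80041012</psf:code>
        <psf:text>The entered and stored passwords do not match.</psf:text>
      </psf:internalerror>
    </psf:error>
  </S:Detail>
</S:Fault>`;

// Constructed (heavily abbreviated) success response: no S:Fault element at all.
const SAMPLE_SUCCESS = `<wst:RequestSecurityTokenResponse>
  <wst:RequestedSecurityToken>[token omitted]</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>`;

// Text content of the first element called `tag` (namespace prefix included).
// Attributes such as xml:lang are allowed on the opening tag.
function textOf(xml, tag) {
  const re = new RegExp(`<${tag}(?:\\s[^>]*)?>([\\s\\S]*?)</${tag}>`);
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

// Returns null when the body is not a SOAP fault, otherwise the parsed fields.
function parseStsFault(body) {
  const fault = textOf(body, 'S:Fault');
  if (fault === null) return null;
  const subcodeBlock = textOf(fault, 'S:Subcode') || '';
  const errorBlock = textOf(fault, 'psf:error') || '';
  const internalBlock = textOf(errorBlock, 'psf:internalerror') || '';
  return {
    subcode: textOf(subcodeBlock, 'S:Value'),        // e.g. wst:FailedAuthentication
    reason: textOf(fault, 'S:Text'),                 // human-readable reason
    errorValue: textOf(errorBlock, 'psf:value'),     // outer psf code
    internalCode: textOf(internalBlock, 'psf:code'), // inner psf code
    internalText: textOf(internalBlock, 'psf:text'), // inner psf message
  };
}

// Hints for the WS-Trust fault subcodes a client is most likely to meet
// (wording is this example's own, not the STS's).
const SUBCODE_HINTS = {
  'wst:FailedAuthentication':
    'the STS rejected the username/password; check the credentials and that special characters survive template filling and XML escaping',
  'wst:InvalidRequest': 'the RST body was malformed or incomplete',
  'wst:RequestFailed': 'the STS could not process the request; inspect the psf codes',
};

function describeStsFault(fault) {
  const hint = SUBCODE_HINTS[fault.subcode] || 'unrecognised WS-Trust fault';
  const codes = [fault.errorValue, fault.internalCode].filter(Boolean).join('/');
  return `${fault.subcode || 'S:Fault'} (${codes}): ${hint}. STS says: ${fault.internalText || fault.reason}`;
}

// Inspect an STS response: a fault becomes a structured error, anything else
// passes through unchanged for token extraction.
function checkStsResponse(body) {
  const fault = parseStsFault(body);
  if (fault) return { ok: false, fault, message: describeStsFault(fault) };
  return { ok: true, body };
}

// Usage: run both constructed samples through the check.
console.log(checkStsResponse(SAMPLE_FAULT).message);
console.log('success response is a fault:', !checkStsResponse(SAMPLE_SUCCESS).ok);
```

Keeping the psf codes in the structured result matters for triage: 0x80048821 with the inner text "The entered and stored passwords do not match." points at the credential value itself (wrong, or altered on the way to the request body), which is a different fix from a wrong STS URL or a malformed RST.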

s-KaiNet commented 8 years ago

Created an issue inside node-sp-auth - SharePoint Online via ADFS auth doesn't work

s-KaiNet commented 8 years ago

I've configured SP Online with ADFS authentication and got exactly the same error. I took the domain from my old blog - spblog.net. Also I've verified that Office 365 adds urn:federation:MicrosoftOnline as a relying party trust on the ADFS server. I've tried the following configuration and got your error:

{
  username: 'johnsmith@spblog.net',
  password: '[password]',
  relyingParty: 'urn:federation:MicrosoftOnline',
  adfsUrl: 'https://adfs3'
}

Then I've tried to use the same user, johnsmith@spblog.net with SharePoint Online user credentials authentication and it works!

{
  username: 'johnsmith@spblog.net',
  password: '[password]',
}

The question is why it doesn't work for you.
My assumption is that you have some special characters inside your username or password which are not parsed correctly.

@svdoever if you have in username or password any characters other than letters and digits (like ', &, $ etc), can you please post them here (only special characters of course), so I will try to reproduce this behavior?

Meanwhile I will try to make it work with adfs...

svdoever commented 8 years ago

Thanks for all the work you go through!!! I have a $ in my password.... I will try to change my password tomorrow!
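
The thread does not say what was wrong with the $ in the password, but one well-known way a client can mangle such a credential is building the WS-Trust request body with String.prototype.replace and a plain string as the replacement, because "$$", "$&", "$`" and "$'" are substitution patterns there. The following added example (this is not node-sp-auth's or sp-rest-proxy's code, and that cause is an assumption for the demo) shows the mangling on a constructed UsernameToken fragment and the two things a safe fill does: insert the value literally via a function replacer, and XML-escape it so it cannot break or inject into the SOAP envelope. Template text, tag names and sample passwords are all constructed.

```javascript
// Added example, not node-sp-auth's or sp-rest-proxy's own code. Shows why a
// credential containing "$" can be silently altered by a naive template fill,
// and how to fill the template so the secret arrives intact and cannot break
// the XML. Assumed: the client fills a UsernameToken template with replace().

// Constructed fragment of a UsernameToken as found in an RST body.
const USERNAME_TOKEN_TEMPLATE = `<o:UsernameToken>
  <o:Username>{{username}}</o:Username>
  <o:Password>{{password}}</o:Password>
</o:UsernameToken>`;

// Naive fill: replace() with a string replacement interprets "$$", "$&",
// "$`" and "$'" as substitution patterns, so those sequences in a credential
// are rewritten before the request is sent and the STS sees a different password.
function fillNaive(template, values) {
  return Object.keys(values).reduce(
    (out, key) => out.replace(`{{${key}}}`, values[key]),
    template
  );
}

// Escape the five XML-significant characters so a credential cannot terminate
// the element or inject markup into the SOAP envelope.
function escapeXml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeXml, to confirm the receiving side recovers the original secret.
function unescapeXml(text) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&apos;': "'" };
  return text.replace(/&(amp|lt|gt|quot|apos);/g, (e) => map[e]);
}

// Safe fill: a function replacer's return value is inserted literally (no "$"
// pattern processing), and the value is XML-escaped first.
function fillSafe(template, values) {
  return Object.keys(values).reduce(
    (out, key) => out.replace(`{{${key}}}`, () => escapeXml(values[key])),
    template
  );
}

// Read back what actually landed in the <o:Password> element.
function passwordInBody(body) {
  const m = /<o:Password>([\s\S]*?)<\/o:Password>/.exec(body);
  return m ? m[1] : null;
}

// Usage: compare what each fill puts on the wire for a few constructed passwords.
const samples = ['Pa$$word', 'x$&y', "a&b<c'"];
for (const password of samples) {
  const values = { username: 'user@example.com', password };
  const naive = passwordInBody(fillNaive(USERNAME_TOKEN_TEMPLATE, values));
  const safe = unescapeXml(passwordInBody(fillSafe(USERNAME_TOKEN_TEMPLATE, values)));
  console.log(JSON.stringify(password), 'naive ->', JSON.stringify(naive), 'safe ->', JSON.stringify(safe));
}
```

Note that a lone "$" followed by an ordinary letter is not rewritten by the naive fill, which is why the bug only shows up for some passwords; "$$" becomes a single "$" and "$&" is replaced by the matched placeholder itself. The function replacer removes that whole class of surprises, and the escaping step is needed regardless of "$", since "&", "<" and quotes in a credential would otherwise corrupt the envelope.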

koltyakov commented 8 years ago

Hi, there was an update to node-sp-auth. @svdoever, could you please check if v1.2.0 works for you?

s-KaiNet commented 8 years ago

Hi, there was an update to node-sp-auth.

yep, thanks Andrew, you are faster than me :)
@svdoever right, I fixed this issue and now for SharePoint Online you can provide any credentials - ADFS or not, node-sp-auth will determine which option to use. Also I've updated the wiki regarding ADFS auth with SharePoint Online.
Now all you need is to provide your company username and password. I strongly believe that now it should work for you.

svdoever commented 8 years ago

Brilliant!!! It works! You saved my day! node-sp-auth working.... now I will try sp-rest-proxy...