pnp / PnP-Sites-Core

Microsoft 365 Dev PnP Core component (.NET) targeted for increasing developer productivity with CSOM based solutions.

Creating modern site - App-Only is currently not supported #2284

Open tomaszoida opened 5 years ago

tomaszoida commented 5 years ago

I have a SharePoint Add-in, and I'm getting access tokens using the TokenHelper class. I get the error 'App-Only is currently not supported' when trying to create a modern site. The problem is that I'm not using an app-only token, but an app+user token. I think there might be an issue in the implementation of the PnP method IsAppOnly https://github.com/SharePoint/PnP-Sites-Core/blob/master/Core/OfficeDevPnP.Core/Extensions/ClientContextExtensions.cs. It checks if there is a claim named upn, but there is no such claim in my app+user token. There are some differences between the app+user token and the app-only token:

  1. The claim "trustedfordelegation": "false" is present in the app-only token and absent in the app+user token.
  2. The claim "actor": "7881f0bd-3ba6-4c26-824e-dc639d75a180@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f" is present in the app+user token and absent in the app-only token.

I'm using TokenHelper.GetAccessToken to get app+user token and TokenHelper.GetAppOnlyAccessToken to get app-only token.

Could you consider reimplementing the IsAppOnly method, for example checking whether there is a upn or actor claim, instead of just upn?

Category

[x] Bug [ ] Enhancement

Environment

[x] Office 365 / SharePoint Online [ ] SharePoint 2016 [ ] SharePoint 2013

If SharePoint on-premises, what's exact CU version:

Expected or Desired Behavior

Not getting the error 'App-Only is currently not supported' when using an app+user token

Observed Behavior

I'm getting the error 'App-Only is currently not supported' when trying to create a modern site using an app+user token

Steps to Reproduce

Get a token using the TokenHelper.GetAccessToken method in a provider-hosted SP Add-in project.

// Host web URL taken from the add-in's SharePoint context
Uri siteUri = this.spContext.SPHostUrl;
// Context token posted to the add-in page by SharePoint, validated for this host name
string contextToken = TokenHelper.GetContextTokenFromRequest(this.Request);
SharePointContextToken spContextToken = TokenHelper.ReadAndValidateContextToken(contextToken, this.Request.Url.Authority);
// App+user access token for the host web (GetAccessToken, not GetAppOnlyAccessToken)
string accessToken = TokenHelper.GetAccessToken(spContextToken, siteUri.Authority).AccessToken;

Use this token to get a client context

// The access token obtained above is passed as the second argument (here carried in credentials.Password)
result = authenticationManager.GetAzureADAccessTokenAuthenticatedContext(url, credentials.Password);

Create a modern site using public static async Task<ClientContext> CreateAsync(ClientContext clientContext, TeamSiteCollectionCreationInformation siteCollectionCreationInformation)

Example app-only access token, decoded token payload:

{
  "aud": "00000003-0000-0ff1-ce00-000000000000/**.sharepoint.com@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "iss": "00000001-0000-0000-c000-000000000000@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "iat": 1559906701,
  "nbf": 1559906701,
  "exp": 1559935801,
  "identityprovider": "00000001-0000-0000-c000-000000000000@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "nameid": "7881f0bd-3ba6-4c26-824e-dc639d75a180@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "oid": "6b5bf6aa-78ea-4f4b-92cf-b23b6730be65",
  "sub": "6b5bf6aa-78ea-4f4b-92cf-b23b6730be65",
  "trustedfordelegation": "false"
}

Example app+user access token, decoded token payload:

{
  "aud": "00000003-0000-0ff1-ce00-000000000000/**.sharepoint.com@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "iss": "00000001-0000-0000-c000-000000000000@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "iat": 1559906717,
  "nbf": 1559906717,
  "exp": 1559935817,
  "actor": "7881f0bd-3ba6-4c26-824e-dc639d75a180@b1b54fd7-08b2-4b18-9e1a-233d9e70ea7f",
  "identityprovider": "urn:federation:microsoftonline",
  "nameid": "100320004B74D871"
}
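The check the issue proposes (treat a token as delegated when it carries either a upn or an actor claim, not only upn), as an added example. This is not code from the issue author or from PnP-Sites-Core: the claims are read straight from the JWT payload with System.Text.Json (.NET Core 3.0 or later), and the class and method names (TokenKind, ReadClaims, IsAppOnly, Constructed), the tenant and host placeholders and the client-id value are all assumptions made for the example. The sample tokens are constructed locally from the two payloads quoted above and are unsigned; they exist only so the classification can be exercised offline.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Added example, not PnP-Sites-Core code. Classifies a SharePoint access token as
// app-only or app+user from its payload claims using the check proposed in the issue:
// the token is delegated when it carries a "upn" claim OR an "actor" claim.
// The payload is read without verifying the signature, so this is a client-side
// classification only and must never be used as an authorization decision; SharePoint
// validates the token it is presented with.
static class TokenKind
{
    // Decode base64url (RFC 7515 section 2): '-' / '_' alphabet, padding stripped.
    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(b64);
    }

    // Return the top-level claims of a compact JWS (header.payload.signature) as strings.
    public static Dictionary<string, string> ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected a compact JWS with three segments");

        var claims = new Dictionary<string, string>(StringComparer.Ordinal);
        using (JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1])))
        {
            foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            {
                claims[p.Name] = p.Value.ValueKind == JsonValueKind.String
                    ? p.Value.GetString()
                    : p.Value.GetRawText();
            }
        }
        return claims;
    }

    // Proposed check: app-only only when neither "upn" (Azure AD delegated tokens)
    // nor "actor" (ACS app+user tokens, as in the issue) is present and non-empty.
    public static bool IsAppOnly(string jwt)
    {
        Dictionary<string, string> claims = ReadClaims(jwt);
        bool hasUpn = claims.TryGetValue("upn", out string upn) && !string.IsNullOrEmpty(upn);
        bool hasActor = claims.TryGetValue("actor", out string actor) && !string.IsNullOrEmpty(actor);
        return !(hasUpn || hasActor);
    }

    // Build an unsigned ("alg":"none") compact token from a payload. Constructed for
    // local testing only; a real ACS token is signed and would never be accepted unsigned.
    static string Constructed(string payloadJson)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc(@"{""alg"":""none"",""typ"":""JWT""}") + "." + Enc(payloadJson) + ".";
    }

    static void Main()
    {
        // Constructed payloads, reduced from the two decoded tokens quoted in the issue.
        // "contoso", "tenant" and "client-id" are placeholders, not real values.
        string appOnly = Constructed(
            @"{""aud"":""00000003-0000-0ff1-ce00-000000000000/contoso.sharepoint.com@tenant""," +
            @"""nameid"":""client-id@tenant"",""trustedfordelegation"":""false""}");
        string appUser = Constructed(
            @"{""aud"":""00000003-0000-0ff1-ce00-000000000000/contoso.sharepoint.com@tenant""," +
            @"""actor"":""client-id@tenant"",""nameid"":""100320004B74D871""}");
        // Azure AD delegated token shape, which a upn-only check already treats as delegated.
        string aadUser = Constructed(
            @"{""aud"":""https://contoso.sharepoint.com"",""upn"":""alice@contoso.onmicrosoft.com""}");

        foreach (var (name, token) in new[] { ("app-only", appOnly), ("app+user", appUser), ("aad user", aadUser) })
        {
            Console.WriteLine($"{name,-9} IsAppOnly={IsAppOnly(token)} claims={string.Join(",", ReadClaims(token).Keys)}");
        }
    }
}
```

With this check the ACS app-only sample is the only one classified as app-only; the ACS app+user sample is recognised through its actor claim and the Azure AD sample through upn. Two caveats for anyone adopting the approach: the classification depends on claims the token issuer chooses to emit, so it is a convenience for choosing a code path, not a security boundary, and the unsigned tokens built by Constructed are for exercising the parser offline only.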

ghost commented 5 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.