This post details how to perform authentication and authorization from a remote app in SharePoint Online.
It is aimed especially at remote apps running on non-.NET technology platforms, which means we can't use the OOTB 'TokenHelper' class.
The entire flow needs to use only simple HTTP requests.
I am going to break this into 3 parts:
- Register a Remote App in SharePoint
- Get the 'AccessToken’ via the Azure ACS and SharePoint dance
- Call SharePoint REST Service with the AccessToken
Register a Remote App in SharePoint
There is some good guidance around registering an app for SharePoint, but in our case we just want to register an app to perform OAuth from a remote application, so the only good option is to register it via '/_layouts/15/appregnew.aspx'.
There are 3 pieces of information that we need from the app registration:
- client_id = App Id
- client_secret = App Secret
- redirect_uri = Redirect URI
Get the 'AccessToken’ via the Azure ACS and SharePoint dance
There are 3 steps to this dance:
Step 1: Get the Request token
Getting the request token just requires a well-formed URL with all the 3 pieces of information that we collected during the app registration.
(See this app permissions section for all the Scope and Rights available in SharePoint Online.)
This URL redirects to the msonline login screen and, after you enter your credentials, prompts you with the trust screen.
Once you trust the app, it redirects back to the 'redirect_uri' configured during the app registration, with the request token in the query string.
Step 2: Get the Realm
(This method is taken directly from the TokenHelper class. The targetApplicationUri is the SharePoint Online URL.)
Step 3: And finally, Get the Access Token
Now that we have the requestToken and realm, we need to create a POST request to ACS to get back the access token.
Call SharePoint REST Service with the AccessToken
The only thing to remember before calling the SharePoint REST APIs is to make sure that we requested the correct Scope and Rights while generating the access token. In the code above I request 'AllProfile.Manage' as my scope so I can call the User Profile REST APIs.
That's it. Once we have the access token we can call all the SharePoint REST APIs that fetch data. For creating, updating and deleting we need to get 1 more piece of data, which is the RequestDigest. I will cover this in my next post on uploading documents to SkyDrive Pro using the REST API.
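The three steps of the token dance, sketched in Python as an added example (this is not the code from the original post or its repository): it builds the authorize URL, reads the realm from a constructed sample `WWW-Authenticate` challenge, and prepares the ACS POST without sending it. The function names and the sample GUID are assumptions made for this sketch.

```python
import re
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_HOST = "accounts.accesscontrol.windows.net"
# Constructed sample of the 401 challenge returned by <site>/_vti_bin/client.svc
SAMPLE_CHALLENGE = ('Bearer realm="11111111-2222-3333-4444-555555555555",'
                    f'client_id="{SHAREPOINT_PRINCIPAL}"')

def authorize_url(site_url, client_id, scope, redirect_uri):
    """Step 1: URL for the user's browser. The client secret is not sent here."""
    query = urlencode({"client_id": client_id, "scope": scope,
                       "response_type": "code", "redirect_uri": redirect_uri})
    return f"{site_url.rstrip('/')}/_layouts/15/OAuthAuthorize.aspx?{query}"

def code_from_redirect(callback_url):
    """Step 1, return leg: read the request token from the redirect query string."""
    values = parse_qs(urlparse(callback_url).query).get("code", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return values[0]

def realm_from_challenge(www_authenticate):
    """Step 2: extract the realm and insist it is a GUID before it is used in a URL."""
    match = re.search(r'Bearer realm="([^"]+)"', www_authenticate)
    if not match:
        raise ValueError("no Bearer realm in WWW-Authenticate header")
    return str(uuid.UUID(match.group(1)))  # raises ValueError if not a GUID

def token_request(site_url, realm, client_id, client_secret, code, redirect_uri):
    """Step 3: ACS endpoint and form body for the server-side POST."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,  # back channel only, never in a browser URL
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{urlparse(site_url).hostname}@{realm}",
    })
    return f"https://{ACS_HOST}/{realm}/tokens/OAuth/2", body
```

To obtain the challenge for step 2, send a GET to `<site>/_vti_bin/client.svc` with an empty `Authorization: Bearer` header and pass the 401 response's `WWW-Authenticate` value to `realm_from_challenge`.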
Reference Links:
- Tips and FAQs: OAuth and remote apps for SharePoint 2013
- OAuth authentication and authorization flow for apps that ask for access permissions on the fly in SharePoint 2013 (advanced topic)
- Get started with the SharePoint 2013 REST service
- Using the SharePoint 2013 REST service
Download the Code from https://github.com/jomit/OAuthO365
5 comments:
Hi
Thanks for sharing!
I'm in desperate need of the javascript equivalent, have you had the time to do this yet?
Thanks
Nice post very helpful
dbakings
I had a question. We setup a default sharepoint dev site on Office365. There are 4 urls
company.sharepoint.com
company-public.sharepoint.com
company-my.sharepoint.com
company.sharepoint.com/search
We are using company-public.sharepoint.com but are getting errors.
Any Help - Thanks
Thanks for Sharing most excellent post to do OAuth without using .Net
I have 1 question. When we set up Sharepoint, there were 4 URLs.
company.sharepoint.com
company-my.sharepoint.com
company-public.sharepoint.com
We are using company-public as that's the only one that returns a WWW-Authenticate header.
However we are not able to access docs, or other items. We get a Not Authorized Exception.
Any Help - thanks Atul
Excellent job :D saved my day
Thanks