Friday, March 08, 2013

Authentication and Authorization with remote apps in Office 365 and SharePoint Online (Part 1)

This post details how to perform authentication and authorization from a remote app in SharePoint Online, especially when the remote app runs on a non-.NET platform, which means we can’t use the out-of-the-box ‘TokenHelper’ class.
The entire flow needs to use only simple HTTP requests.
I am going to break this into 3 parts:
  1. Register a Remote App in SharePoint
  2. Get the ‘AccessToken’ via the Azure ACS and SharePoint dance
  3. Call SharePoint REST Service with the AccessToken
Right now I am using the .NET HttpRequest class to walk through this entire example and understand the flow. I am going to convert it into a JavaScript library soon so that it can be easily consumed from any external platform. OK, so let’s get started.

Register a Remote App in SharePoint

There is some good guidance around registering an app for SharePoint, but in our case we just want to register an app to perform OAuth from a remote application, so the only good option is to register it via ‘/_layouts/15/appregnew.aspx’.

[image]
There are 3 pieces of information that we need from the app registration:
  • client_id = App Id
  • client_secret = App Secret
  • redirect_uri = Redirect URI

Get the ‘AccessToken’ via the Azure ACS and SharePoint dance

There are 3 steps to this dance:
Step 1: Get the request token
Getting the request token just requires a well-formed URL containing the 3 pieces of information that we collected during the app registration.

[image]
(See this app permissions section for all the Scopes and Rights available in SharePoint Online.)
This URL redirects to the msonline login screen and, after you enter your credentials, prompts you with the trust screen:

[image]

[image]

Once you trust the app, it redirects back to the ‘redirect_uri’ configured during the app registration, with the request token in the query string.

[image]

Step 2: Get the Realm

[image]
(This method is taken directly from the TokenHelper class. The targetApplicationUri is the SharePoint Online URL.)
Step 3: And finally, get the access token
Now that we have the request token and the realm, we need to create a POST request to ACS to get back the access token.

[image]

Call SharePoint REST Service with the AccessToken

The only thing to remember before calling the SharePoint REST APIs is to make sure that we requested the correct Scope and Rights while generating the access token. In the code above I request ‘AllProfile.Manage’ as my scope so that I can call the User Profile REST APIs.
[image]
That’s it. Once we have the access token we can call all the SharePoint REST APIs that fetch data. For creating, updating and deleting we need one more piece of data, the RequestDigest. I will cover this in my next post on uploading documents to SkyDrive Pro using the REST API.
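The whole dance as an added JavaScript example (not the post’s own code, which is in the screenshots above): it builds the authorize URL, parses the realm out of the WWW-Authenticate header and assembles the ACS token POST, leaving the actual HTTP calls to the caller. The ACS token endpoint, the SharePoint principal id and the client_id/resource formats are assumptions based on what TokenHelper does; the site URL, ids and the WWW-Authenticate header are constructed samples.

```javascript
// Added example (not the post's own code): the three steps of the dance as pure
// helpers; the HTTP calls are left to the caller so this runs offline.
const SHAREPOINT_PRINCIPAL_ID = "00000003-0000-0ff1-ce00-000000000000"; // well-known SharePoint app principal
const ACS_HOST = "accounts.accesscontrol.windows.net"; // Azure ACS token host (assumed; TokenHelper discovers it)
// Step 1: the URL that sends the user to SharePoint's login and trust screens.
// On approval SharePoint redirects to redirect_uri with ?code=<request token>.
function buildAuthorizeUrl(siteUrl, clientId, redirectUri, scope) {
  const u = new URL(siteUrl.replace(/\/+$/, "") + "/_layouts/15/OAuthAuthorize.aspx");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("scope", scope);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("redirect_uri", redirectUri);
  return u.toString();
}

// Step 2: a GET to <siteUrl>/_vti_bin/client.svc with the header "Authorization: Bearer"
// (no token) answers 401 with a WWW-Authenticate header carrying the realm (the tenant id).
// This parses that header value; SAMPLE_WWW_AUTHENTICATE is a constructed sample.
const SAMPLE_WWW_AUTHENTICATE =
  'Bearer realm="11111111-2222-3333-4444-555555555555",client_id="' + SHAREPOINT_PRINCIPAL_ID + '"';
function parseRealm(wwwAuthenticate) {
  const m = /realm="([0-9a-f-]{36})"/i.exec(wwwAuthenticate || "");
  if (!m) throw new Error("no realm in WWW-Authenticate header");
  return m[1];
}

// Step 3: the POST that trades the request token (code) for an access token.
// ACS expects client_id as "<app id>@<realm>" and resource as "<principal>/<host>@<realm>".
function buildTokenRequest(realm, clientId, clientSecret, code, redirectUri, siteUrl) {
  const host = new URL(siteUrl).host;
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: `${clientId}@${realm}`,
    client_secret: clientSecret,
    code,
    redirect_uri: redirectUri,
    resource: `${SHAREPOINT_PRINCIPAL_ID}/${host}@${realm}`,
  });
  return {
    url: `https://${ACS_HOST}/${realm}/tokens/OAuth/2`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Calling the REST service: the access token goes in the Authorization header.
function restHeaders(accessToken) {
  return { Authorization: `Bearer ${accessToken}`, Accept: "application/json;odata=verbose" };
}
```

The client_secret and the ACS exchange belong on a server; a browser-side library should only build the authorize URL and hand the returned code to a back end that holds the secret.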

Reference Links: 

Tips and FAQs: OAuth and remote apps for SharePoint 2013
OAuth authentication and authorization flow for apps that ask for access permissions on the fly in SharePoint 2013 (advanced topic)
Get started with the SharePoint 2013 REST service
Using the SharePoint 2013 REST service


Download the Code from https://github.com/jomit/OAuthO365


5 comments:

Anonymous said...

Hi

Thanks for sharing!

I'm in desperate need of the javascript equivalent, have you had the time to do this yet?

Thanks

Unknown said...

Nice post, very helpful

dbakings

Anonymous said...

I had a question. We set up a default SharePoint dev site on Office 365. There are 4 URLs

company.sharepoint.com
company-public.sharepoint.com
company-my.sharepoint.com
company.sharepoint.com/search

We are using company-public.sharepoint.com but are getting errors.

Any help - Thanks

Anonymous said...

Thanks for sharing a most excellent post on doing OAuth without using .NET

I have 1 question. When we set up SharePoint, there were 4 URLs.

company.sharepoint.com
company-my.sharepoint.com
company-public.sharepoint.com

We are using company-public as that's the only one that returns a WWW-Authenticate header.

However we are not able to access docs, or other items. We get a Not Authorized Exception.

Any help - thanks, Atul

Anonymous said...

Excellent job :D saved my day
Thanks

AddIn