This post is detailing about how you perform authentication and authorization from a remote app in SharePoint Online.
Especially, when the remote apps are running on a Non .Net technology platforms. Which means we can’t use the OOTB ‘TokenHelper’ class.
The entire flow needs to only use simple HttpRequests.
I am going to break this into 3 parts:
- Register a Remote App in SharePoint
- Get the 'AccessToken’ via the Azure ACS and SharePoint dance
- Call SharePoint REST Service with the AccessToken
Right now I am using the .Net HttpRequest class to perform this entire example and understand the entire flow. I am going to convert this into a JavaScript library soon so that it can be easily consumed by any external platforms. Ok, so lets get started.
Register a Remote App in SharePoint
There is some good guidance around
registering an app for SharePoint but in our case we just want to register an app to perform the OAuth from a remote application so the only good option is to register it via ‘
/_layouts/15/appregnew.aspx’.
There are 3 pieces of information that we need from the app registration:
- client_id = App Id
- client_secret = App Secret
- redirect_uri = Redirect URI
Get the 'AccessToken’ via the Azure ACS and SharePoint dance
There are 3 steps to this dance:
Step 1: Get the Request token
Getting the request token just requires a well formed Url with all the 3 pieces of information that we collected during the app registration.
(See this app permissions section for all the Scope and Rights available in SharePoint Online.)
This Url would redirect to the msonline login screen and after you enter the credentials if you prompt you with the trust screen:
Once you trust the app, it would redirect back to the ‘redirect_uri’ configured during the app registration along with the request token in the querystring
Step 2: Get the Realm
(This method is taken directly from TokenHelper class. The targetApplicationUri is the SharePoint Online url)
Step 3: And finally, Get the Access Token
Now that we have the requestToken and realm, we need to create a POST request to ACS to get back the access token
Call SharePoint REST Service with the AccessToken
The only thing to remember before calling the SharePoint REST API’s is to make sure that we requested the correct Scope and Rights while generating the access token. In the code above I request ‘AllProfile.Manage’ as my scope so I can call the User Profile REST API’s.
That’s it. Once we have the access token we can call all the SharePoint REST API’s that fetches the data. For creating, updating and deleting we need to get 1 more piece of data which is RequestDigest. I will cover this in my next post on uploading documents to SkyDrive Pro using REST API.
Reference Links:
Tips and FAQs: OAuth and remote apps for SharePoint 2013
OAuth authentication and authorization flow for apps that ask for access permissions on the fly in SharePoint 2013 (advanced topic)
Get started with the SharePoint 2013 REST service
Using the SharePoint 2013 REST service
Download the Code from https://github.com/jomit/OAuthO365