新 O365 租户的 Sharepoint Online OAuth 2.0 无效令牌类型

Question

I have been using Sharepoint Online REST API to integrate with my O365 AddIn app which is working perfectly fine for my Old O365 tenant. However I am getting an error while I am trying to call any API with the Bearer token that I get for my new O365 tenant app.

{"error":"invalid_request","error_description":"Token type is not allowed."}

Is the auth token URL changed for new tenants, or is it something else.

I am using https://accounts.accesscontrol.windows.net/{{tenant_id}}/tokens/OAuth/2

Answer 1

Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), got retired on November 7, 2018. This retirement doesn't impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which isn't impacted by this retirement).

Check out Impact of Azure Access Control retirement for SharePoint add-ins .

Note that, you can connect SharePoint directly to Azure AD using token issuance policies .

SharePoint 2013, 2016, and SharePoint Online customers have long used ACS for authentication purposes in the cloud, on-prem, and hybrid scenarios. Some SharePoint features and use cases will be affected by ACS retirement, while others will not. The below table summarizes migration guidance for some of the most popular SharePoint feature that leverage ACS:

• Authenticating users from Azure AD

  • Previously, Azure AD did not support SAML 1.1 tokens required by SharePoint for authentication, and ACS was used as an intermediary that made SharePoint compatible with Azure AD token formats. Now, you can connect SharePoint directly to Azure AD using token issuance policies.

• App authentication & server-to-server authentication in SharePoint on-prem or SharePoint Online – SharePoint add-in registrations done through appregnew.aspx etc.

  • Not affected by ACS retirement; no changes necessary.

• Low trust authorization for SharePoint add-ins (provider hosted and SharePoint hosted)

  • Not affected by ACS retirement; no changes necessary.

• SharePoint cloud hybrid search

  • Not affected by ACS retirement; no changes necessary.

Answer 2

We had the same issue when using app-only, ClientID / ClientSecret based authentication in a tenant, that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a standard setting in DisableCustomAppAuthentication property, that disable this kind of auth., however it can be overriden using this command:

Set-SPOTenant -DisableCustomAppAuthentication $false

Source:

https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed

https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists

Furthermore:

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), has been retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which is not impacted by this retirement). For more information, see Impact of Azure Access Control retirement for SharePoint Add-ins. For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure. But you can change the behavior by running 'set-spotenant -DisableCustomAppAuthentication $false' (needs the latest SharePoint admin PowerShell).

More details:

https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5/