How to Access Sharepoint Online API with v1 Azure AD Application and Client Credentials
Question
I am unable to make an API call to Sharepoint Online using Postman. I have successfully made API calls to the Graph API so I am familiar with how I think this should work.
I have followed these instructions for setup:
- for creating a certificate and registering a v1 azure app: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
- for using the client credentials flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
- for creating a client assertion: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
The first article says that it won't accept access tokens generated using a client secret, but I have generated tokens with a secret and a certificate and have found no difference.
When calling anything, such as:
https://<tenant>.sharepoint.com/_api/web
I get the error:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
here's a sample of the access token I generate with the v1 /token endpoint:
{
"aud": "https://microsoft.sharepoint-df.com/",
"iss": "https://sts.windows.net/462c0b***********c3708/",
"iat": 1569243291,
"nbf": 1569243291,
"exp": 1569247191,
"aio": "42FgYDiXt***********==",
"app_displayname": "T***********n",
"appid": "00c***********2b",
"appidacr": "2",
"idp": "https://sts.windows.net/46***********708/",
"oid": "2f8a5***********684",
"roles": [
"User.ReadWrite.All",
"TermStore.Read.All",
"Sites.FullControl.All"
],
"sid": "5ab8d57***********0bc",
"sub": "2f8a5***********684",
"tid": "462c0***********708",
"uti": "aHt8d***********9AA",
"ver": "1.0"
}
2 answers
solution1
0 2019-09-24 03:15:01
As you see in the first article, access tokens generated using a client secret is not-supported App only token authentication for SharePoint.
If you decode the access token, you will find that for "appidacr", if client ID and client secret are used, the value is "1". If a client certificate was used for authentication, the value is "2". See details here .
Client certificate is more more secure than client secret. It provides dual verification and protection.
You can refer to this 3rd-party article to get Azure AD app-only access token using certificate and use this access token to access your SharePoint resources.
Of course, the article you mentioned in the comment is also helpful. It uses ACS to finish authentication.
solution2
0 ACCPTED 2019-09-24 14:01:46
The error message seems to imply that my resource parameter in the /token endpoint call was set incorrectly. I believe this is omitted in the Microsoft documentation, since the documentation is so divided. The correct token endpoint call for a V1 app to call SharePoint Online looks like the following:
Web Service
POST https://login.microsoftonline.com/<TARGET-TENANT-ID OR NAME>/oauth2/token
Parameters
client_id= <Application ID from Azure Portal>
grant_type=client_credentials
resource= https://<TARGET-TENANT-NAME>.sharepoint.com
client_assertion_type= urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion= <See Link Above to create assertion>
The links above omit how to calculate the x5t value for the certificate JWT. You can use this:
echo $(openssl x509 -in certificate.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
which I got from here: How to obtain value of "x5t" using Certificate credentials for application authentication
If you try to use client secret instead of client assertion, you'll get a token back, but the SharePoint Online REST API will return:
Unsupported app only token.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.