How to query the Sharepoint REST api (not the Graph api) using an Azure AD registered application?

Question

I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.

I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:

My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.

The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.

I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).

Update: The permissions I've set on the app:

I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.

Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:

• Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
• Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
• client_id
• client_secret
• Scope: AllSites.Read

I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists . I get the following error:

    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Access denied. You do not have permission to perform this action or access this resource."
        }
    }
}

which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.

Answer 1

I was able to get this to work in Postman:

• OAuth 2.0
• Grant Type: Authorization Code
• Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
• Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
• Client ID: <client_id>
• Client Secret: <client_secret>
• Scope: https://<tenant>.sharepoint.com/AllSites.FullControl

The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:

"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.

A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions ( 00000003-0000-0000-c000-000000000000 ), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists .

Answer 2

You can try to get the acccess token in PostMan for a testing purpose.

Callback URL:        https://www.getpostman.com/oauth2/callback
Auth URL :           https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com  
Access Token URL :   https://login.microsoftonline.com/common/oauth2/token  
Client ID :          <Application_ID>  
Client Secret :      <KEY>  
Grant Type :         Authorization Code 

Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:

Reference:

Use Postman and Azure AD to send REST request to SharePoint Online