Authenticate to Microsoft Entra Application Proxy with SharePoint session

Brian Sivieri 0 Reputation points
2024-05-08T16:45:28.6466667+00:00

I'm developing a web part with SPFx that makes a call to a web API.

The API is protected with Microsoft Azure Application Proxy using Entra ID as the pre-authentication method.

Now, when I make a request with JavaScript's fetch(), I get redirected to the 'login.microsoftonline.com' page with the state parameter containing "InvalidTokenRetry".

I even tried setting 'credentials': 'include', but with no results.

Is there a way I can authenticate myself to the application proxy using only the session I have in SharePoint?

Thanks in advance.


2 answers

  1. Navya 5,015 Reputation points Microsoft Vendor
    2024-05-13T08:10:05.06+00:00

    Hi @Brian Sivieri

    Thank you for posting this in Microsoft Q&A.

    I understand that you want to authenticate to Microsoft Entra Application Proxy with a SharePoint session.

    The "InvalidTokenRetry" error message suggests that there is an issue with the authentication token that is being used to access the API.

    To authenticate yourself to the application proxy using only the session you have in SharePoint, you can try using the MSAL.js library to obtain an access token for your API. MSAL.js is a JavaScript library that enables you to authenticate users and acquire tokens to access protected APIs.

    Here are the general steps you can follow to use MSAL.js to obtain an access token for your API:

    1. Register your web API in Azure AD and obtain the client ID and tenant ID.
    2. Configure your web API to accept tokens issued by Azure AD.
    3. Register your SPFx web part in Azure AD and obtain the client ID.
    4. Configure your SPFx web part to request permissions to access your web API.
    5. Use MSAL.js to obtain an access token for your web API.
    6. Include the access token in the Authorization header of your fetch() request to your web API.

    For your reference: https://github.com/AzureAD/microsoft-authentication-library-for-js

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


  2. Navya 5,015 Reputation points Microsoft Vendor
    2024-05-27T06:04:44.6966667+00:00

    Hi @Brian Sivieri

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    You are developing a web part with SPFx that makes a call to a web API. The API is protected with Microsoft Azure Application Proxy using Entra ID as the pre-authentication method. When you make a request with JavaScript's fetch(), you are redirected to the 'login.microsoftonline.com' page with the state parameter containing "InvalidTokenRetry". You even tried setting 'credentials': 'include', but with no results. You are asking if there is a way to authenticate yourself to the application proxy using only the session you have in SharePoint.

    Solution:
    Issue resolved by @Brian Sivieri

    Unfortunately, it is not possible to authenticate with SharePoint's cookies. The only way is to authenticate with OAuth.

    reference: https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/architecture/auth-oauth2.md
    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    Thank you again for your time and patience throughout this issue.

    Thanks,

    Navya.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
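
Steps 5 and 6 of the first answer, combined with the redirect symptom from the question, as an added example that is not code from the thread or from Microsoft: the request carries a bearer token and a sign-in redirect from the proxy is reported as an authentication failure instead of being followed. `isLoginRedirect`, `buildRequest` and `callProxiedApi` are hypothetical names, and `acquireToken` is an assumed wrapper around an MSAL.js call such as `acquireTokenSilent()` that resolves to the access token string.

```javascript
// Added example; all function names here are hypothetical.
const LOGIN_HOST = 'login.microsoftonline.com';

// True when the proxy answered with a sign-in redirect instead of API data.
function isLoginRedirect(res) {
  if (res.type === 'opaqueredirect') return true;   // browser with redirect: 'manual'
  const target = res.status >= 300 && res.status < 400
    ? res.headers.get('location')                   // runtimes that expose the 3xx
    : (res.redirected ? res.url : null);            // redirect was already followed
  if (!target) return false;
  try {
    return new URL(target).hostname === LOGIN_HOST;
  } catch {
    return false;                                   // relative or malformed Location
  }
}

// Step 6: the token travels in the Authorization header of the request.
function buildRequest(accessToken) {
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new Error('no access token acquired');
  }
  return {
    method: 'GET',
    redirect: 'manual', // surface the sign-in redirect instead of following it
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
  };
}

// Step 5 is delegated to acquireToken (assumed MSAL.js wrapper, see lead-in).
async function callProxiedApi(url, acquireToken, fetchImpl = fetch) {
  const res = await fetchImpl(url, buildRequest(await acquireToken()));
  if (isLoginRedirect(res)) {
    throw new Error('proxy pre-authentication failed: redirected to sign-in');
  }
  if (!res.ok) throw new Error(`API returned HTTP ${res.status}`);
  return res.json();
}
```

A rejection from `callProxiedApi` with the sign-in message corresponds to the "InvalidTokenRetry" redirect described in the question, so the caller can log it or trigger token acquisition again rather than parsing a login page as JSON.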
