AndriiMykhailiuk-3968 asked ·

After getting auth token for SharePoint online get HTTP 401 with it

Moved from Windows Dev Center Forum

Hello,

I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

1) I have registered the app in the Azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

2) Then I perform the OAuth flow by opening a browser with

https://login.microsoftonline.com/common/oauth2/authorize
?client_id=
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/

it redirects to my redirect URI and I parse out the code, as expected. Then I do

POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
client_id=
&client_secret=
&grant_type=authorization_code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/
&response_mode=form_post
&code=

this also returns the expected JSON from where I get "access_token".

3) Later I call any SharePoint/WebDav API (e.g. SOAP UserGroup.asmx/GetCurrentUserInfo, Webs.asmx/WebUrlFromPageUrl) on https://testorg.sharepoint.com with the obtained token in auth header (Authorization:Bearer ) but get 401. However, all works fine when I follow X-Forms-Auth.

Here are permissions from JWT:

 AllSites.Manage MyFiles.Read MyFiles.Write TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadWrite.All


Can anyone help me here, please?

PS: I was advised to ask under SharePoint Online product but there is no such product here


What is the error code and detailed error message that you get with HTTP 401?


1 Answer

FrankHuMSFT-3200 answered ·

I'm following up on this. We will need some more information in regards to this. Can you please provide the information that Shashi was requesting? If you can get a Fiddler trace and provide the error response, that would be much more beneficial. Are you sure that the token has the right permissions/scps?

You can decode your JWT tokens here: https://jwt.ms/

The Claims tab will also provide an explanation of what the claims in your JWT token are supposed to do.

Also, it's suggested to utilize the Microsoft Graph API when possible. The SharePoint REST API should be available on the Microsoft Graph API: https://docs.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0


The Azure Q&A Forums do not support SharePoint as they are still on the MSDN Forums. These forums can be found here:
https://social.msdn.microsoft.com/Forums/en-US/home?category=openspecifications
Protocol Reference can be found here:
https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-spprotlp/8a50af28-2b50-43d8-9c5a-3e520255ef7e

Specifically for OAuth2 and SharePoint Servers, you can find the technical docs on implementation here: https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-sps2sauth/f80a09df-8e0e-434f-93bd-a348d52a8022

Accessing the SharePoint Server API call you are referring to is going to be dependent on the SharePoint Server's OAuth Authentication. The technical doc provided above is a part of the same doc repo as the GetCurrentUserInfo API call as it's a part of the openspec, so I would suggest making sure that your implementation follows the technical doc.

GetCurrentUserInfo reference: https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-asws/d8bf93a5-69b4-4d3c-9154-d5bc1eaa542f







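The claim check suggested in the answer above can also be done locally in the app's own language, so the bearer token does not have to be pasted into a web page. The following C++ is an added example, not code from the thread or from Microsoft: `SAMPLE_TOKEN` is a constructed token with a placeholder signature, the helper names are hypothetical, and no signature validation is performed.

```cpp
// Added example, not from the thread: read a JWT's "aud" and "scp" claims locally.
#include <iostream>
#include <sstream>
#include <string>
// Constructed token (header.payload.placeholder-signature), not a real one.
const std::string SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJhdWQiOiJodHRwczovL3Rlc3Rvcmcuc2hhcmVwb2ludC5jb20iLCJzY3AiOiJBbGxTaXRlcy5NYW5hZ2UgVXNlci5SZWFkIn0.sig";

// Decode base64url (RFC 4648 section 5), padded or not; "" on an invalid character.
std::string b64url_decode(const std::string& in) {
    static const std::string abc =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    std::string out;
    unsigned buf = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        std::size_t v = abc.find(c);
        if (v == std::string::npos) return "";
        buf = (buf << 6) | static_cast<unsigned>(v);
        if ((bits += 6) >= 8) { bits -= 8; out += static_cast<char>((buf >> bits) & 0xFF); }
    }
    return out;
}

// JSON payload = second dot-separated segment of a compact JWT; "" if malformed.
std::string jwt_payload(const std::string& token) {
    std::size_t a = token.find('.');
    std::size_t b = (a == std::string::npos) ? a : token.find('.', a + 1);
    return b == std::string::npos ? std::string() : b64url_decode(token.substr(a + 1, b - a - 1));
}

// Naive lookup of a top-level string claim in compact JSON (not a full JSON parser).
std::string claim(const std::string& json, const std::string& name) {
    const std::string key = "\"" + name + "\":\"";
    std::size_t s = json.find(key);
    if (s == std::string::npos) return "";
    s += key.size();
    return json.substr(s, json.find('"', s) - s);
}

// True if the space-separated "scp" claim contains the wanted delegated scope.
bool has_scope(const std::string& scp, const std::string& wanted) {
    std::istringstream ss(scp);
    for (std::string s; ss >> s;) if (s == wanted) return true;
    return false;
}

int main() {
    const std::string p = jwt_payload(SAMPLE_TOKEN);
    std::cout << "aud=" << claim(p, "aud") << "\nscp=" << claim(p, "scp") << "\n";
}
```

Compare the printed `aud` with the `resource` value sent in the authorize and token requests, and the `scp` entries with the permissions the called API expects.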

Thanks for the info, @FrankHuMSFT-3200


Please find the HTTP trace for GetCurrentUserInfo attached. Permissions are set to FULL at the moment for testing purposes. Those and permissions from the token are listed in the original question.


I don't want to rewrite my app to Graph API at the moment even though it might be a more modern and convenient way.


The reference to the SharePoint protocol you gave describes s2s auth while I have a native client app, so I cannot follow it.



Anyone, please?

MarileeTurscak replied to AndriiMykhailiuk-3968 ·

Hi Andrii,

Can you please send me an email at AzCommunity@microsoft.com and include your subscription ID?

I would like to open a free support case for you so that we can troubleshoot this thoroughly.
