AndriiMykhailiuk-3968 asked HolparPeter-3393 answered

After getting an auth token for SharePoint Online, I get HTTP 401 with it

Moved from Windows Dev Center Forum

Hello,

I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

1) I have registered the app in the Azure portal (got a secret, marked the redirect URI, added read/write permissions for SharePoint).

2) Then I perform the OAuth flow by opening the browser with

https://login.microsoftonline.com/common/oauth2/authorize
?client_id=
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/

It redirects to my redirect URI and I parse out the code, as expected. Then I do

POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
client_id=
&client_secret=
&grant_type=authorization_code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/
&response_mode=form_post
&code=

This also returns the expected JSON, from which I get "access_token".

3) Later I call any SharePoint/WebDAV API (e.g. SOAP UserGroup.asmx/GetCurrentUserInfo, Webs.asmx/WebUrlFromPageUrl) on https://testorg.sharepoint.com with the obtained token in the auth header (Authorization: Bearer ) but get 401. However, everything works fine when I follow X-Forms-Auth.

Here are the permissions from the JWT:

AllSites.Manage MyFiles.Read MyFiles.Write TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadWrite.All


Can anyone help me here, please?

PS: I was advised to ask under the SharePoint Online product, but there is no such product here.

azure-active-directory

What is the error code and detailed error message that you get with the HTTP 401?

FrankHuMSFT-3200 answered MarileeTurscak-MSFT commented

I'm following up on this. We will need some more information in regard to this; can you please provide the information that Shashi was requesting? If you can get a Fiddler trace and provide the error response, that would be much more beneficial. Are you sure that the token has the right permissions/scps?

You can decode your JWT tokens here: https://jwt.ms/

The Claims tab will also provide an explanation of what the claims in your JWT token are supposed to do.

Also, it's suggested to use the Microsoft Graph API when possible. The SharePoint REST API should be available on the Microsoft Graph API: https://docs.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0


The Azure Q&A forums do not support SharePoint, as it is still on the MSDN Forums. These forums can be found here:
https://social.msdn.microsoft.com/Forums/en-US/home?category=openspecifications
The protocol reference can be found here:
https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-spprotlp/8a50af28-2b50-43d8-9c5a-3e520255ef7e

Specifically for OAuth2 and SharePoint servers, you can find the technical docs on implementation here: https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-sps2sauth/f80a09df-8e0e-434f-93bd-a348d52a8022

Accessing the SharePoint Server API call you are referring to is going to depend on the SharePoint server's OAuth authentication. The technical doc provided above is part of the same doc repo as the GetCurrentUserInfo API call, as it's part of the open spec, so I would suggest making sure that your implementation follows the technical doc.

GetCurrentUserInfo reference: https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-asws/d8bf93a5-69b4-4d3c-9154-d5bc1eaa542f

Thanks for the info, @FrankHuMSFT-3200

Please find the HTTP trace for GetCurrentUserInfo attached. Permissions are set to FULL at the moment for testing purposes. Those and the permissions from the token are listed in the original question.

I don't want to rewrite my app to the Graph API at the moment, even though it might be a more modern and convenient way.

The reference to the SharePoint protocol you gave describes S2S auth, while I have a native client app, so I cannot follow it.

Hi Andrii,

Can you please send me an email at AzCommunity@microsoft.com and include your subscription ID?

I would like to open a free support case for you so that we can troubleshoot this thoroughly.

Michael-Maillot answered Michael-Maillot edited

Hi Andrii,

The problem is that in AAD Application Permission Context, you can't interact with a SharePoint site using the Client ID / Secret method. The only way is to use the Client ID / JWT Assertion method, which means by certificate.

I've made an answer about that here.

As you're working on C++, it looks like there's no MSAL for it at this time... So if you have to get a token through HTTPS requests, you have to construct the JWT Assertion.

@jeremythake gives links here about how things work and what you need to do in order to get your token.

And beware: if you get your token and want to update the SharePoint User Profile or the Term Store, it won't work. To update the User Profile, you have to use the legacy SharePoint App-Only principal approach. Updating the Term Store is not possible anyway. More info here.

Hope that it helps.



HolparPeter-3393 answered

See this response regarding the same issue:
Web Services - 401 UNAUTHORIZED

Actually this is expected, because add-in auth uses OAuth and bearer tokens for authentication. Only the modern REST API supports it. That's why all asmx services will throw an error.
So for asmx you need the FedAuth cookie, which is generated only by username\password auth, which, in turn, doesn't work for you.
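To make the diagnosis from the answers above concrete, here is an added Python helper (not code from the thread, from Microsoft, or from the asker's C++ app) that decodes the access token's claims the way jwt.ms does and reports the three things the thread points at: whether `aud` names the SharePoint host being called, whether `scp` carries the needed permission, and whether the endpoint is a legacy .asmx service that ignores bearer tokens. The tenant host testorg.sharepoint.com and the scp values come from the question; the sample token, the `diagnose_401` function and the request URLs are constructed here for the demo.

```python
import base64
import json
from urllib.parse import urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment; JWTs drop '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic use only (what jwt.ms does in the browser); never base an
    authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose_401(token: str, request_url: str, needed_scope: str) -> dict:
    """Report the three reasons the thread gives for a 401 from SharePoint Online:
    1. 'aud' must name the host being called (AAD v1 mints the token for exactly
       the 'resource' sent to /oauth2/token, so a token for another resource is useless);
    2. 'scp' must carry the delegated permission the call needs;
    3. legacy .asmx SOAP services ignore bearer tokens (they want the FedAuth
       cookie); only the modern _api REST surface accepts them."""
    claims = jwt_claims(token)
    aud_host = urlparse(claims.get("aud", "")).netloc
    url = urlparse(request_url)
    scopes = claims.get("scp", "").split()
    return {
        "audience_matches": bool(aud_host) and aud_host == url.netloc,
        "has_scope": needed_scope in scopes,
        "endpoint_accepts_bearer": not url.path.lower().endswith(".asmx"),
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample JWT (alg=none, empty signature) so the example
    runs offline. Constructed for the demo only; real AAD tokens are signed."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: aud/scp mirror the claims listed in the question.
SAMPLE = constructed_token({"aud": "https://testorg.sharepoint.com/",
                            "scp": "AllSites.Manage User.Read"})
print(diagnose_401(SAMPLE, "https://testorg.sharepoint.com/_vti_bin/UserGroup.asmx", "AllSites.Manage"))
```

With the sample token the .asmx call reports `endpoint_accepts_bearer: False` even though audience and scope are fine, which is exactly the situation the last answer describes.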