AzureAD/azure-activedirectory-library-for-java

Token Usage

RSteeno opened this issue · 3 comments

I have a general question around the use of this library. I see that it states it supports the MS Graph API as well as 3rd party APIs (assume those registered in AAD). Can this library be used to request a token that can be used to access the SharePoint/Project Online Rest APIs (non-MS Graph version)?

As long as you can grant your application access to the API in the Azure portal, you can use this library. I believe the Azure portal lets you set permissions for SharePoint APIs. Is this what you are looking for?

Well, my ultimate goal is to get some data from the Project Online API from Java. It is proving to be quite a complex process to get an authentication token and I was hoping that this SDK had it built in.

First Approach - SharePoint Add-On (app principal)
First step was to register a SharePoint Add-In and grant specific AddIn permissions to the add-in: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/register-sharepoint-add-ins

Result
This add-in was able to access the SharePoint APIs (.sharepoint.com/_api/site/rootweb) to get web and list data by way of the access token I received from ACS. However, when trying to get Project Online data via .sharepoint.com/pwssite/_api/ProjectData/Projects it fails with access denied.

Based on this failure, I have seen some articles online that state that a user context is required to access the Project Online APIs, so I have since moved on to the next approach.

Second Approach - User Context
I started with the SharePoint CSOM in .NET and am using the SharePointOnlineCredentials class to provide username and password. This works great when I try to pull the list of projects as well as access SharePoint lists. This process basically performs the following (thanks to Fiddler) to get a SPOIDCRL cookie, which in my understanding is what provides access to SharePoint and Project data.

  1. Call login.microsoftonline.com/GetUserRealm.srf to figure out which kind of AAD domain we have; in my case it is federated to Okta.
  2. The STSAuthUrl is then extracted from the response and is called. This is the "active" WS-Federation endpoint, which accepts a user name and password within a SOAP message.
  3. The SOAP message that comes back from the STSAuthUrl call is then submitted to login.microsoftonline.com/rst2.srf. This returns a binary security token within a SOAP response.
  4. The binary security token is then sent in the Authorization header as BPOSIDCRL t= to .sharepoint.com/_vti_bin/idcrl.svc. This call returns the SPOIDCRL cookie used for subsequent calls.

I am by no means an expert in this area but know enough to usually get things working in .NET. Java is a different story (I can barely spell Java) and the examples I found don't work, and I was hoping that this SDK supported the above flow based on some of the WSTrust* classes I see in here.

Also, I do have an incident open with MSFT Premier support, but I'm going on a week of getting no help.
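The four-step SPOIDCRL flow described in the comment above, written out as an added example; it is not code from the original thread, from ADAL4J, or from Microsoft. The HTTP layer is injected so the flow can be exercised offline: `FakeTransport`, the `contoso` tenant, `sts.example.test`, the user, the password and every response body are constructed for this example. The SOAP bodies are reconstructed from public descriptions of the SharePointOnlineCredentials flow and are an assumption to verify against your own Fiddler capture, especially the step-2 request, since the federated STS (Okta here) may expect a different shape than ADFS's usernamemixed endpoint.

```python
"""Added example of the GetUserRealm -> STS -> rst2.srf -> idcrl.svc flow (not ADAL4J code)."""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional, Tuple
from xml.sax.saxutils import escape

# send(method, url, headers, body) -> (status, [(header, value), ...], response_text)
Send = Callable[[str, str, dict, Optional[str]], Tuple[int, List[Tuple[str, str]], str]]
LOGIN = "https://login.microsoftonline.com"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def urllib_send(method, url, headers, body=None):
    """Real stdlib transport for live use; demo() below uses FakeTransport instead."""
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, list(resp.headers.items()), resp.read().decode()


def get_user_realm(send: Send, login: str) -> dict:
    """Step 1: is the domain Managed or Federated, and where is its active STS?"""
    _, _, body = send("POST", f"{LOGIN}/GetUserRealm.srf",
                      {"Content-Type": "application/x-www-form-urlencoded"},
                      urllib.parse.urlencode({"login": login, "xml": "1"}))
    root = ET.fromstring(body)
    return {"type": root.findtext("NameSpaceType"), "sts": root.findtext("STSAuthURL")}


def username_token(user: str, password: str) -> str:
    # escape() keeps a password containing & or < from breaking (or injecting into) the SOAP body
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}"><wsse:Username>{escape(user)}</wsse:Username>'
            f'<wsse:Password>{escape(password)}</wsse:Password></wsse:UsernameToken>')


def federated_assertion(send: Send, sts_url: str, user: str, password: str) -> str:
    """Step 2: WS-Trust 2005 Issue against the active STS (template is an assumption); returns the raw assertion."""
    rst = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:To s:mustUnderstand="1">{escape(sts_url)}</a:To><wsse:Security xmlns:wsse="{WSSE}" s:mustUnderstand="1">{username_token(user, password)}</wsse:Security></s:Header>
<s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>urn:federation:MicrosoftOnline</a:Address></a:EndpointReference></wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType></t:RequestSecurityToken></s:Body></s:Envelope>"""
    _, _, body = send("POST", sts_url, {"Content-Type": "application/soap+xml; charset=utf-8"}, rst)
    # Slice the assertion out as text: re-serialising it through an XML parser would
    # rewrite namespace prefixes and break the signature that rst2.srf verifies.
    m = re.search(r"<(?P<p>[\w.-]+:)?Assertion[\s>]", body)
    if not m:
        raise RuntimeError("STS returned no SAML assertion")
    close = f"</{m.group('p') or ''}Assertion>"
    return body[m.start(): body.index(close, m.start()) + len(close)]


def mso_binary_token(send: Send, security: str) -> str:
    """Step 3: exchange the credential (UsernameToken or SAML assertion) at rst2.srf for a compact token."""
    rst = f"""<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="{WSSE}">
<S:Header><wsa:Action S:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:To S:mustUnderstand="1">{LOGIN}/rst2.srf</wsa:To>
<ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/LiveID/SoapServices/v1" Id="PPAuthInfo"><ps:BinaryVersion>5</ps:BinaryVersion><ps:HostingApp>Managed IDCRL</ps:HostingApp></ps:AuthInfo>
<wsse:Security>{security}</wsse:Security></S:Header>
<S:Body><wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" Id="RST0">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>sharepoint.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="MBI"/></wst:RequestSecurityToken></S:Body></S:Envelope>"""
    _, _, body = send("POST", f"{LOGIN}/rst2.srf", {"Content-Type": "application/soap+xml; charset=utf-8"}, rst)
    for el in ET.fromstring(body).iter():
        if el.tag == f"{{{WSSE}}}BinarySecurityToken" and el.text:
            return el.text.strip()
    raise RuntimeError("rst2.srf returned no BinarySecurityToken (a SOAP Fault usually means bad credentials)")


def spoidcrl_cookie(send: Send, tenant: str, bst: str) -> str:
    """Step 4: present the token to idcrl.svc and take the SPOIDCRL cookie from Set-Cookie."""
    _, headers, _ = send("GET", f"https://{tenant}.sharepoint.com/_vti_bin/idcrl.svc/",
                         {"Authorization": f"BPOSIDCRL {bst}", "X-IDCRL_ACCEPTED": "t"}, None)
    for name, value in headers:
        if name.lower() == "set-cookie" and value.startswith("SPOIDCRL="):
            return value.split(";", 1)[0]  # drop attributes; send this as the Cookie header afterwards
    raise RuntimeError("idcrl.svc did not issue SPOIDCRL")


def sign_in(send: Send, tenant: str, user: str, password: str) -> str:
    realm = get_user_realm(send, user)
    if realm["type"] == "Federated":
        security = federated_assertion(send, realm["sts"], user, password)
    elif realm["type"] == "Managed":
        security = username_token(user, password)  # cloud-only accounts skip step 2
    else:
        raise RuntimeError(f"unexpected NameSpaceType {realm['type']!r}")
    return spoidcrl_cookie(send, tenant, mso_binary_token(send, security))


class FakeTransport:
    """Constructed responses for a federated tenant (not real server output); records every request."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if url.endswith("/GetUserRealm.srf"):
            return 200, [], ('<RealmInfo Success="true"><NameSpaceType>Federated</NameSpaceType>'
                             '<STSAuthURL>https://sts.example.test/adfs/services/trust/2005/usernamemixed</STSAuthURL></RealmInfo>')
        if "sts.example.test" in url:
            return 200, [], ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
                             '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_1">'
                             '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">sig</ds:Signature>'
                             '</saml:Assertion></s:Body></s:Envelope>')
        if url.endswith("/rst2.srf"):
            if "<saml:Assertion" not in body:
                raise AssertionError("federated path must forward the signed assertion")
            return 200, [], (f'<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="{WSSE}"><S:Body>'
                             '<wsse:BinarySecurityToken Id="Compact0">t=EwA0Example&amp;p=</wsse:BinarySecurityToken></S:Body></S:Envelope>')
        if url.endswith("/_vti_bin/idcrl.svc/"):
            if headers["Authorization"] != "BPOSIDCRL t=EwA0Example&p=":
                raise AssertionError("token must be sent unmodified in the Authorization header")
            return 200, [("Set-Cookie", "SPOIDCRL=77u/example; path=/; secure; HttpOnly")], ""
        raise AssertionError(f"unexpected request {method} {url}")


def demo() -> str:
    """Run the whole flow against the constructed transport; returns the cookie pair."""
    return sign_in(FakeTransport(), "contoso", "alice@contoso.example", "p&ss<word>")
```

For a live run, pass `urllib_send` instead of `FakeTransport()` and use the returned `SPOIDCRL=...` value as the Cookie header on the `_api/ProjectData` calls; treat that cookie like a password, since it is the user's session.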

@RSteeno were you able to solve this issue? This is a question for the SharePoint team - they might have a SharePoint CSOM for Java.