Token Usage
RSteeno opened this issue · 3 comments
I have a general question around the use of this library. I see that it states it supports the MS Graph API as well as 3rd party APIs (assume those registered in AAD). Can this library be used to request a token that can be used to access the SharePoint/Project Online Rest APIs (non-MS Graph version)?
Well, my ultimate goal is to get some data from the Project Online API from Java. It is proving to be quite a complex process to get an authentication token and I was hoping that this SDK had it built in.
First Approach - SharePoint Add-On (app principal)
First step was to register a SharePoint Add-In and grant specific AddIn permissions to the add-in: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/register-sharepoint-add-ins
Result
This add-in was able to access the SharePoint APIs (.sharepoint.com/_api/site/rootweb) to get web and list data by way of the access token I received from ACS. However, when trying to get Project Online data via .sharepoint.com/pwssite/_api/ProjectData/Projects it fails with access denied.
Based on this failure, I have seen some articles online that state that a user context is required to access the Project Online APIs; so I have since moved on to the next approach.
Second Approach - User Context
I started with the SharePoint CSOM in .NET and am using the SharePointOnlineCredential class to provide username and password. This works great when I try to pull the list of projects as well as access SharePoint lists. This process basically performs the following (thanks to Fiddler) to get a SPOIDCRL cookie, which in my understanding is what provides access to SharePoint and Project data.
- Call to login.microsoftonline.com/GetUserRealm.srf to figure out which kind of AAD domain we have; in my case it is federated to Okta.
- The STSAuthUrl is then extracted from the response and is called. This is the "active" wsfed endpoint which accepts a user name and password within a soap message.
- A SOAP message comes back from the STSAuthUrl call and is then submitted to login.microsoftonline.com/rst2.srf. This returns a binary security token within a SOAP response.
- The binary security token is then sent in the Authorization header as BPOSIDCRL t= to .sharepoint.com/_vti_bin/idcrl.svc. This call returns the SPOIDCRL cookie used for subsequent calls.
I am by no means an expert in this area but know enough to usually get things working in .NET. Java is a different story (I can barely spell Java) and the examples I found don't work, and I was hoping that this SDK supported the above flow based on some of the WSTrust* classes I see in here.
Also, I do have an incident open with MSFT Premier support, but I'm going on a week of getting no help.