Question

I used this SharePoint OAuth Article from Microsoft to get the authorization code grant flow working with a SharePoint site. The idea is to get the access token dynamically from an external app (and not from within an Add-in installed within SharePoint) - something which the article also declares as being possible to achieve.

In some scenarios, an add-in can request permission to access SharePoint resources on the fly; that is, an add-in can request permission to access SharePoint resources dynamically at runtime, instead of at add-in installation time. This type of add-in doesn't have to be launched from, or even installed on, SharePoint. For example, it could be a native device add-in, an add-in that is launched from any website, or an Office Add-in launched from an Office application that wants to access resources on SharePoint on the fly.

The token will then be used as a bearer token to create a ClientContext and consume the SharePoint CSOM library (Client Object Model).

The Authorization code grant flow requires a Client ID, Client Secret and Redirect URI - this Register SharePoint Add-ins link contains information on how to register an Add-In and supposedly get these settings. Initially, I had missed this link and assumed SharePoint would work similarly to most other services, i.e. requiring an App Registration within the Azure Active Directory (of course within the same organisation as SharePoint Online). So I created an App Registration in Azure AD, and lo and behold, when running the solution from Visual Studio, thereby having a URL that looks like this - https://localhost:44307/SPHandler, I got the access token and the ClientContext also worked as expected with the rest of the CSOM methods.

Yet when I hosted the solution and gave it a DNS name - https://domain.com/SPHandler, the process gets as far as allowing you to insert your Azure AD credentials but then redirects to this error.

[Image: SharePoint OAuth redirect_uri error]

Note - both https://localhost:44307/SPHandler and https://domain.com/SPHandler were added as Web Redirect URLs within the Azure AD app registration.

Then I did some more digging and found the "Register SharePoint Add-ins" link. It seems that the Azure AD App Registration is never actually mentioned in the documentation. I followed the instructions and created the registration within the "AppRegNew.aspx" page. This gave me a ClientID and ClientSecret, I could register 1 domain and 1 redirect URI, as well as set the XML permissions for the app.

However, in this case, the authorization code is not received and instead this error pops up within the response on the server side.

https://localhost:44307/SPHandler?error=server_error&error_description=The remote server returned an error: (500) Internal Server Error.&state=4W9HXEH1KRZA&IsDlg=1}

  • The ultimate question - what is the proper way to register an App for SharePoint OAuth with Azure AD Users?
  • Why did I actually get further when "mistakenly" trying to use an Azure AD App Registration (at least it worked in localhost!) than when trying with an app registered in "AppRegNew.aspx"?
  • And finally - is there any place within SharePoint Online where I can see more information regarding the internal server error?

Solution

So I did get to the bottom of this eventually. Normally an App Registration in Azure AD can have multiple redirect URLs. You just add a list of accepted URLs and all would work.

In this case, when a new Azure AD App Registration is used to retrieve an Access Token for SharePoint CSOM access, that App is automatically registered as an Add-in within SharePoint Online on first use.

After making use of the Azure AD App and retrieving the token first-time round, you can look up the Azure AD App Registration Client ID within this page (the Add-in is registered with the same Azure AD App Registration Client ID in SPO!)

http://SharePointWebsite/_layouts/15/AppInv.aspx

And you can also see that only a single domain and a single redirect URL are registered with that Client ID!

This means that if you need X redirect URLs (e.g. one for testing and one for live, as demonstrated in my example above) you would need to create X App Registrations in Azure AD. And each Azure AD App Client ID / Redirect URL combination will be registered as an Add-in within SharePoint Online. (1 Add-in = 1 Client ID = 1 Domain = 1 Redirect URL)

Note - It doesn't seem that one can modify the Redirect URL once the Add-in is registered.
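Added example, not code from the question or the answer: a client-side helper that applies the one-Client-ID-per-redirect-URL constraint described above (a separate registration per environment) and validates the redirect back to /SPHandler, including the error callback quoted in the question. The Client IDs and tenant host are constructed placeholders; the OAuthAuthorize.aspx path and parameter names follow Microsoft's documented SharePoint authorization code flow.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: one SharePoint Add-in registration (Client ID +
# redirect URL) per environment, as the answer above describes.
REGISTRATIONS = {
    "test": {"client_id": "11111111-1111-1111-1111-111111111111",
             "redirect_uri": "https://localhost:44307/SPHandler"},
    "live": {"client_id": "22222222-2222-2222-2222-222222222222",
             "redirect_uri": "https://domain.com/SPHandler"},
}
# SharePoint's authorize page; the tenant host is a placeholder.
AUTHORIZE_URL = "https://tenant.sharepoint.com/_layouts/15/OAuthAuthorize.aspx"


def new_state() -> str:
    """Unguessable per-request value; store it server-side and check it on return."""
    return secrets.token_urlsafe(24)


def build_authorize_url(env: str, state: str, scope: str = "Web.Read") -> str:
    """Authorization request using the environment's own Client ID / redirect pair."""
    reg = REGISTRATIONS[env]
    params = {"client_id": reg["client_id"], "scope": scope,
              "response_type": "code", "redirect_uri": reg["redirect_uri"],
              "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(env: str, callback_url: str, expected_state: str) -> dict:
    """Validate the redirect back to /SPHandler before trusting anything in it.

    Returns {"code": ...} on success, or {"error": ..., "error_description": ...}
    when SharePoint reported a failure (such as the 500 in the question).
    Raises ValueError if the callback landed on a URL other than the registered
    one or the state does not match (possible CSRF or a mixed-up environment).
    """
    parts = urlsplit(callback_url)
    landed = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed != REGISTRATIONS[env]["redirect_uri"]:
        raise ValueError(f"callback arrived at {landed}, not the registered redirect URL")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in q:
        return {"error": q["error"], "error_description": q.get("error_description", "")}
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return {"code": q["code"]}
```

Surfacing the error_description from a rejected or failed callback in your own logs is the quickest way to see what SharePoint reported, since SPO itself exposes little about the Add-in registration behind the 500.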

OTHER TIPS

It's recommended to register the app on Azure AD; ACS is going to be retired (of course you can continue using it).

Below is a blog that shows how to access the SharePoint REST API using OAuth.

If you're using C#, we suggest you consider the following library:

Licensed under: CC-BY-SA with attribution