Accessing Search API from authenticated app

Question

Using SharePoint Online, I discovered that it's possible to perform server-wide searches using the SharePoint Search API.

This works brilliantly in my browser, if I am logged in with my account, when I access: https://mycompanytenant.sharepoint.com/_api/search/query?querytext=%27abc%27

I can see all the results there.

I am trying to use this functionality in a user-consented app. After performing the OAuth2 authorization flow and grabbing a token, performing the same request results in the following:

statusCode: 401,
message: '401 - "{\\"error_description\\":\\"Invalid issuer or 
signature.\\"}"',

This is the code used for the request:

const requestOptions = {
    url: `https://${tenant}/_api/search/query?querytext='${query}'`,
    headers: {
        'Authorization': 'Bearer ' + this.accountInfo.accessToken
    },
    method: 'GET'
}

return requestPromise(requestOptions) // node module that handles requests as promises
  .catch(error => {
      console.log('SP Error: ', error);
      return bluebird.reject(error);
  });

My problem is that, while the access token is fully functional for use in the Graph API (the only other API that my app consumes), it is not being authorized for the search API. I assume this must be an issue with the scopes. So, I have tried configuring all logical scopes for my app (and requesting permission in the app during authentication), and I have even granted admin consent for my app, to be sure. Here are the currently configured resources:

In spite of this, the same error persists. What am I missing?

According to the documentation, this should be possible.

Answer 1

Accessing SharePoint data from a Non-SharePoint application is different from how you do it using graph API. As you are using SharePoint online and Node JS, there is one module 'node-sp-auth' which will help you to do authentication and get context and then call REST APIs.

With SharePoint online, you would have either use Add In Permission or SAML based user credentials.

For Add In permission you have to generate client Id and secret and grant required permission to tenant or SharePoint site(as per your requirement scope). You can refer to this article to know details on this approach

After you have client id and secret with required permission. methods available in node-sp-auth module

import * as spauth from 'node-sp-auth';
import * as request from 'request-promise';

var credentialOptions = {clientId:"",clientSecret:""};

    //get auth options
    spauth.getAuth(url, credentialOptions)
      .then(options => {

        //perform request with any http-enabled library (request-promise in a sample below):
        let headers = options.headers;
        headers['Accept'] = 'application/json;odata=verbose';

        request.get({
          url: "https://${tenant}/_api/search/query?querytext='${query}'",
          headers: headers
        }).then(response => {
          //process data
        });
      });

For SAML based token, you have to pass username and password of user to credentialOptions

Hope this gives you direction.... feel free to comment for any further queries.

Answer 2

You'll need an app-principal to access SharePoint from outside SharePoint. See the Authorization Code OAuth flow for SharePoint Add-ins documentation.