Maybe there is still a misunderstanding about what is meant by "calling the SharePoint REST API"?
I need to access the SharePoint REST API using an endpoint like `https://{tenant}/_api/...`, not `https://graph.microsoft.com/...`.
So I configured the app registration (note that SharePoint is added both as "graph" and "non-graph"):

```
microsoftTeams.authentication.getAuthToken() => <teams_token>
```

Full example: https://github.com/wictorwilen/teams-sso-tab-demo
Related article: https://www.wictorwilen.se/blog/microsoft-teams-tabs-sso-and-microsoft-graph-the-on-behalf-of-blog-post/
```
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
client_secret: JqQX2PNo9bpM0uEihUPzyrh..
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion: <**teams_token**>
requested_token_use: on_behalf_of
scope: Sites.Read.All AllSites.Read

=> returns the <access_token>
```
```
GET https://graph.microsoft.com/v1.0/sites/root
headers:
  authorization: "bearer " + <access_token>

=> success
```

```
GET https://{tenant}/_api/web
headers:
  authorization: "bearer " + <access_token>

=> error: invalid token issuer or signature
```
2.a. Try to refresh the token received from Teams (try the refresh flow instead of the on-behalf-of flow), as advised:
```
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
scope: AllSites.Read Sites.Read.All
refresh_token: <**teams_token**>...
grant_type: refresh_token
client_secret: JqQX2PNo9bpM0uEihUPzyrh

=> error: invalid_grant
```
```
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
scope: AllSites.Read Sites.Read.All
refresh_token: <**access_token**>...
grant_type: refresh_token
client_secret: JqQX2PNo9bpM0uEihUPzyrh

=> error: invalid_grant
```
Maybe it is a scopes issue?
Which scopes should I specify to be able to access `https://{tenant}/_web`???
Or is it simply not working and not possible?
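As an added diagnostic (example code, not from the post or the linked demo): decode the `access_token` returned by the on-behalf-of call and inspect its `aud` claim, because each token is issued for exactly one resource and SharePoint's `_api` will reject a token whose audience is Microsoft Graph, which is what the "invalid token issuer or signature" error above points to. The tenant host `contoso.sharepoint.com`, the issuer value and both sample tokens are constructed for this example.

```python
import base64
import json

# Audiences Azure AD uses for Microsoft Graph tokens (URL form and app-id form).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(aud: str, scp: str) -> str:
    """Build a constructed JWT (fake signature) purely for offline demonstration."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "aud": aud,
        "scp": scp,
        "iss": "https://sts.windows.net/EXAMPLE-TENANT-ID/",  # constructed value
    }).encode())
    return f"{header}.{payload}.fakesignature"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: inspection only.
    Never treat claims read this way as authenticated; the resource server
    (Graph or SharePoint) does the real signature and audience validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_fits_resource(token: str, resource_host: str) -> bool:
    """True if the token's aud names resource_host, e.g. 'contoso.sharepoint.com'."""
    return resource_host in decode_claims(token).get("aud", "")


def diagnose(token: str, resource_host: str) -> str:
    """Explain why a token would or would not be accepted by resource_host."""
    claims = decode_claims(token)
    aud, scp = claims.get("aud", ""), claims.get("scp", "")
    if token_fits_resource(token, resource_host):
        return f"ok: aud={aud} scp={scp}"
    if aud in GRAPH_AUDIENCES:
        return (f"mismatch: aud is Microsoft Graph ({aud}); {resource_host} will reject "
                f"it. Request a separate OBO token whose scope names {resource_host}.")
    return f"mismatch: aud={aud} is not {resource_host}"
```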