@nbelyh
Last active November 4, 2021 13:42

0. Application registration permissions

Maybe there is still a misunderstanding about what is meant by "calling the SharePoint REST API"? I need to access the SharePoint REST API using an endpoint like https://{tenant}/_api/..., not https://graph.microsoft.com/...

So I configured app registration (note that SharePoint is added both as "graph" and "non-graph")

Working scenario (calling SharePoint using GRAPH API)

1. get the token from teams

microsoftTeams.authentication.getAuthToken() => <teams_token>

2. trade for graph token (on-behalf-of flow)

Full example: https://github.com/wictorwilen/teams-sso-tab-demo

Related article: https://www.wictorwilen.se/blog/microsoft-teams-tabs-sso-and-microsoft-graph-the-on-behalf-of-blog-post/

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
client_secret: JqQX2PNo9bpM0uEihUPzyrh..
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion: <**teams_token**>
requested_token_use: on_behalf_of
scope: Sites.Read.All AllSites.Read

=> returns the <access_token>

3. use access token to access sharepoint (get root site) - WORKING

GET https://graph.microsoft.com/v1.0/sites/root

headers: 
  authorization: "bearer " + <access_token>

=> success

Now, not working scenario 1 (calling SharePoint API)

3.a Try to use the token received at the step (2) to access SharePoint REST API

GET https://{tenant}/_api/web

headers: 
  authorization: "bearer " + <access_token>

=> error, invalid token issuer or signature

Not working scenario 2 (calling SharePoint API)

2.a. try to refresh the token received from Teams (try the refresh flow instead of the on_behalf_of flow), as advised

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
scope: AllSites.Read Sites.Read.All
refresh_token: <**teams_token**>...
grant_type: refresh_token
client_secret: JqQX2PNo9bpM0uEihUPzyrh

error: invalid_grant

Not working scenario 3 (calling SharePoint API)

3.a. try to refresh <access_token> from flow (1) instead of teams token

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id: 6731de76-14a6-49ae-97bc-6eba6914391e
scope: AllSites.Read Sites.Read.All
refresh_token: <**access_token**>...
grant_type: refresh_token
client_secret: JqQX2PNo9bpM0uEihUPzyrh

=> error: invalid_grant

Maybe it is a scopes issue? Which scopes should I specify to be able to access https://{tenant}/_web ??? Or is it simply not working and not possible?
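The following is an added example (my own code, not from this gist and not from Wictor Wilén's demo) that assembles the on-behalf-of exchange from step 2 and shows why the token it returns works against Graph but not against `https://{tenant}/_api/`: an access token is minted for a single resource, recorded in its `aud` claim, and the API named there is the only one that will accept it. The sample token below is constructed and unsigned, so it only feeds the checks; `{tenant}`, `{client-id}`, `{client-secret}` and `{teams_token}` are placeholders, and the resource-qualified scope `https://{tenant}.sharepoint.com/AllSites.Read` is my reading of the v2.0 endpoint's scope format, which the gist's requests (bare scope names) do not confirm. Assumes Node.js for `Buffer` and `URLSearchParams`; nothing touches the network.

```javascript
// Added example, not code from the gist or from the linked demo. Assumes Node.js
// (Buffer, URLSearchParams); nothing here talks to the network.

const tokenEndpoint = (tenant) =>
  `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;

// Build the on-behalf-of exchange from step 2 of the gist. This must run on the
// server: the client_secret never belongs in the Teams tab's browser code.
function buildOboRequest({ tenant, clientId, clientSecret, assertion, scope }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion, // the token obtained from microsoftTeams.authentication.getAuthToken()
    requested_token_use: 'on_behalf_of',
    scope,
  });
  return {
    method: 'POST',
    url: tokenEndpoint(tenant),
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

function base64UrlDecode(s) {
  const padded =
    s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read a JWT's claims WITHOUT verifying it. Good for deciding which resource a
// token was minted for; never use unverified claims to authorize a request.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// An access token is bound to exactly one resource through its `aud` claim.
// A Graph token presented to https://{tenant}/_api/ fails for that reason,
// independent of which scopes (scp) it carries.
function tokenAudienceMatches(token, resource) {
  const norm = (u) => String(u).replace(/\/+$/, '').toLowerCase();
  return norm(decodeJwtClaims(token).aud) === norm(resource);
}

// Constructed sample token: header and payload only, alg "none", empty signature.
// Real tokens are signed; this one exists only so the checks above have input.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const GRAPH_RESOURCE = 'https://graph.microsoft.com';
const SHAREPOINT_RESOURCE = 'https://{tenant}.sharepoint.com'; // placeholder tenant host
const SAMPLE_GRAPH_TOKEN = makeUnsignedJwt({ aud: GRAPH_RESOURCE, scp: 'Sites.Read.All' });

// The v2.0 endpoint expects resource-qualified scopes, so a SharePoint-audience
// token would be requested with the SharePoint host in front of the permission
// (assumption on my part; the gist's requests use bare scope names).
const sharePointObo = buildOboRequest({
  tenant: '{tenant}',
  clientId: '{client-id}',
  clientSecret: '{client-secret}', // placeholder; load from a secret store
  assertion: '{teams_token}',
  scope: `${SHAREPOINT_RESOURCE}/AllSites.Read`,
});

console.log('Graph token usable at Graph?     ', tokenAudienceMatches(SAMPLE_GRAPH_TOKEN, GRAPH_RESOURCE));
console.log('Graph token usable at SharePoint?', tokenAudienceMatches(SAMPLE_GRAPH_TOKEN, SHAREPOINT_RESOURCE));
console.log('OBO request for SharePoint:', sharePointObo.url, sharePointObo.body);
```

The same audience rule explains scenarios 2 and 3 as I read them: the `refresh_token` grant expects an opaque refresh token issued to this client, and neither the Teams SSO token nor the Graph access token from step 2 is one, so the token endpoint answers `invalid_grant` regardless of the scopes listed. Running `tokenAudienceMatches` on a real token (after verifying its signature and issuer with the tenant's signing keys) before forwarding it is a cheap way to catch a Graph token being sent to `_api/` in a server log rather than as a 401 from SharePoint.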
