Tuesday, March 13, 2018

Procedure and tips to generate an OAuth access token to access all SharePoint Online site collections


For external applications, such as a Java application, to integrate with SharePoint Online (SPO) sites through its REST web services, Microsoft provides OAuth for authentication. In our case, an external application, Informatica, needs to integrate with all SPO site collections. Here is the procedure to generate a token that can be used for all SPO sites.


1. Create an app from any SharePoint Online site through a URL like this:
https://<tenant>.sharepoint.com/sites/dev/_layouts/15/appregnew.aspx

Please note you can enter "localhost" as the "App Domain" for the SPO app.


After you create the app, you will have the client Id and client Secret, as in the screenshot below.

2. Register the app through the SharePoint admin site in order to have a token that can access all SPO sites. The URL is like this: https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx. This is the same step as described by Andrew Koltyakov.


After entering the client Id from step #1, enter the permissions for the app. In this case, we grant read access to all site collections. The permission XML looks like this:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
</AppPermissionRequests>

For the complete list of SPO permission scopes, please refer to this article for details. There are more discussions on the permission scopes. Then you should trust the app.


If you only want to grant access to one site collection, you can register the app through that site instead, at a URL like https://<tenant>.sharepoint.com/sites/<sitename>/_layouts/15/appinv.aspx. The XML permission configuration can look like this:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
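Before pasting either block into appinv.aspx, it is worth summarizing exactly what it grants, since the trust step cannot be undone by untrusting in the UI once the permission is deleted (see the notes at the end). The script below is an added example written for this post, not code from Microsoft or from the original article; `review_permissions`, `TENANT_READ` and `SITE_FULL` are names chosen here, and the two embedded XML strings are the blocks shown above. It uses only the Python standard library.

```python
"""Summarize an AppPermissionRequests XML block before trusting it in appinv.aspx."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# The two permission blocks from the post, embedded here as constructed input.
TENANT_READ = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
</AppPermissionRequests>"""

SITE_FULL = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>"""


def review_permissions(xml_text: str) -> Dict[str, object]:
    """Return the grants and the findings a reviewer should look at before trusting the app."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError(f"unexpected root element {root.tag!r}")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    grants: List[Dict[str, str]] = []
    findings: List[str] = []
    if app_only:
        findings.append("AllowAppOnlyPolicy=true: the client id and secret alone can act, "
                        "with no signed-in user, so the secret must be guarded like a password")
    for req in root.findall("AppPermissionRequest"):
        scope = req.get("Scope", "")
        right = req.get("Right", "")
        grants.append({"scope": scope, "right": right})
        if scope.endswith("/tenant"):
            findings.append(f"{right} at tenant scope covers every site collection in the tenant")
        if right == "FullControl":
            findings.append(f"FullControl on {scope}: prefer Read or Write if that is enough")
    return {"app_only": app_only, "grants": grants, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("tenant read", TENANT_READ), ("site full control", SITE_FULL)):
        result = review_permissions(xml_text)
        print(label, result["grants"], *result["findings"], sep="\n  ")
```

Run it as a script to print the grants and findings for both blocks; for the Informatica case above, the tenant-wide Read grant is the narrowest right that still reaches every site collection, and the app-only finding is the reason the client secret from step #1 must be stored carefully.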

3. Generate tenant Id (realm) and SharePoint resource identifier.

There are many different ways to get the realm or tenant Id, as I described in an earlier blog post. The easiest one is to check any app permission on the site, as in the screenshot below. Please note the SharePoint resource identifier is a constant, highlighted in red. The tenant Id is highlighted in blue.



4. Get the authorization code from Azure Access Control Service by using a URL of this form: https://your_site.sharepoint.com/_layouts/15/OAuthAuthorize.aspx?client_id=client_GUID&scope=app_permissions_list&response_type=code&redirect_uri=redirect_uri

In our case, this is the URL:
https://<tenant>.sharepoint.com/sites/dev/_layouts/15/OAuthAuthorize.aspx?client_id=b717f6a7-bf52-4c02-b970-b343b018bb82&scope=AllSites.Read&response_type=code&redirect_uri=https://localhost/

Then trust the app. You will see the code in the return URL.


The return URL looks like this; the code is the part in red.

https://localhost/?code=IAAAAPRPsBXcivxK_YNIHE5SWMl0MQN3gfDfL2Ov9k4JP3Qhd5ietOyBXiDpIOSxDRsPQL_ucAX9YukJZGamU3Oxqo2e0opSMO0g9DkMzo9HZ7EImIOuxEWztU7mkEIMjvKjZZX-BIRjv6hx4CWYNFFpRHDNvVVCfzKAte_tRM8Dmwh7f0BsEw7RkgNR9QT1RuacmC4Z84HmrgLLymP8fPlue8cxz50vVIq_TdeIQ0YXAJlNVK0_Kd3Kn0L55edzqlyStJPBKDEtGLy-8gwcY8x6JQ1Ozva2noohZYuWio6NDCS-9Y4E5ROMiwz-CaCUQUx6ou5AaaNwMj6_36-QSGNDbCsjhql0Mvcka1iNRO8H8grP

Please note the code is only valid for FIVE minutes, so you need to generate the access token within five minutes. Otherwise, you need to generate another code.

5. Generate the SPO access token.
Open Postman and construct the following request.

Request Type: POST
URL:    https://accounts.accesscontrol.windows.net/<Realm or Tenant Id>/tokens/OAuth/2
Header:
        Key:    Content-Type
        Value:  application/x-www-form-urlencoded
Body:   Select "x-www-form-urlencoded" and enter the key/value pairs as below.


The Postman screenshot is below.


The access token and refresh token are in the response body, as in the screenshot.

6. Use the SPO access token to access any SPO site. I'm using Postman to query the site title as an example.

The POST REST URL is like https://<tenant>.sharepoint.com/sites/dev1/_api/web?$select=Title

The headers are as below:

Key              Value
Accept           application/json;odata=verbose
Authorization    Bearer <accessToken>

The result from Postman is below.


7. Use the SPO refresh token. Please note the access token is valid for only one hour. The refresh token is valid for six months. You can use the refresh token to generate a new access token.

This step is almost identical to step #5 with different header values as below.


The refresh token is displayed in the response body, similar to what Vikas Kottari described in his article.

Now you have the refresh token valid for six months to generate the access token to access all SPO sites.
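Steps 3 through 7 are easy to get wrong when moved out of Postman into an integration, mainly around how the client id and resource are formed and when to refresh. The module below is an added example written for this post, not code from the original article or from Microsoft; the function and class names (`authorize_url`, `code_from_redirect`, `code_grant_body`, `refresh_grant_body`, `post_form`, `site_title_request`, `SpoTokens`) are chosen here, and every tenant, client id, secret and token value is a placeholder to be replaced with your own. The form fields (`grant_type`, `client_id` as `<client id>@<realm>`, `client_secret`, `code`, `redirect_uri`, `refresh_token`, `resource` as `<principal id>/<host>@<realm>`) and the `expires_on` field in the reply follow Microsoft's documented ACS token flow for SharePoint add-ins; the `_api/web?$select=Title` call is issued as a GET here because it only reads. Only the Python standard library is used, and the `transport` argument lets the flow run offline with a stand-in for ACS.

```python
"""Steps 3 to 7 as code: build the ACS requests, redeem the code, call SPO, refresh."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Step 3: the SharePoint Online service principal id is a fixed, well-known value;
# the realm (tenant id) is read from the app permission page and passed in by the caller.
SHAREPOINT_PRINCIPAL_ID = "00000003-0000-0ff1-ce00-000000000000"
Transport = Callable[[str, bytes], dict]  # (url, form-encoded body) -> parsed JSON reply


def authorize_url(site_url: str, client_id: str, scope: str, redirect_uri: str) -> str:
    """Step 4: the OAuthAuthorize.aspx URL the user opens in a browser to trust the app."""
    query = urllib.parse.urlencode({"client_id": client_id, "scope": scope,
                                    "response_type": "code", "redirect_uri": redirect_uri})
    return f"{site_url.rstrip('/')}/_layouts/15/OAuthAuthorize.aspx?{query}"


def code_from_redirect(redirect_url: str) -> str:
    """Step 4: pull the five-minute authorization code out of the redirect URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "code" not in params:
        raise ValueError("redirect URL carries no code parameter")
    return params["code"][0]


def token_endpoint(realm: str) -> str:
    """Steps 5 and 7 share one URL: the ACS token endpoint for the tenant's realm."""
    return f"https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"


def resource_id(tenant_host: str, realm: str) -> str:
    """The 'resource' value ACS expects: <principal id>/<SPO host>@<realm>."""
    return f"{SHAREPOINT_PRINCIPAL_ID}/{tenant_host}@{realm}"


def code_grant_body(client_id, client_secret, realm, code, redirect_uri, tenant_host) -> Dict[str, str]:
    """Step 5 form body: exchange the authorization code for access and refresh tokens."""
    return {"grant_type": "authorization_code", "client_id": f"{client_id}@{realm}",
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri,
            "resource": resource_id(tenant_host, realm)}


def refresh_grant_body(client_id, client_secret, realm, refresh_token, tenant_host) -> Dict[str, str]:
    """Step 7 form body: same endpoint and Content-Type header, refresh_token grant instead."""
    return {"grant_type": "refresh_token", "client_id": f"{client_id}@{realm}",
            "client_secret": client_secret, "refresh_token": refresh_token,
            "resource": resource_id(tenant_host, realm)}


def post_form(url: str, body: Dict[str, str], transport: Optional[Transport] = None) -> dict:
    """POST the body as application/x-www-form-urlencoded and return the parsed JSON reply."""
    data = urllib.parse.urlencode(body).encode()
    if transport is not None:  # an injected transport keeps the example runnable offline
        return transport(url, data)
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def site_title_request(site_url: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """Step 6: URL and headers for reading the site title (a GET against _api/web)."""
    return (f"{site_url.rstrip('/')}/_api/web?$select=Title",
            {"Accept": "application/json;odata=verbose", "Authorization": f"Bearer {access_token}"})


class SpoTokens:
    """Keeps the token pair and renews the one-hour access token before it expires."""

    def __init__(self, client_id, client_secret, realm, tenant_host, transport=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.realm, self.tenant_host, self.transport = realm, tenant_host, transport
        self.access_token = self.refresh_token = None
        self.expires_on = 0.0

    def _store(self, reply: dict) -> None:
        self.access_token = reply["access_token"]  # ACS also returns token_type and expires_in
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.expires_on = float(reply["expires_on"])  # epoch seconds, sent as a string

    def redeem_code(self, code: str, redirect_uri: str) -> str:
        body = code_grant_body(self.client_id, self.client_secret, self.realm,
                               code, redirect_uri, self.tenant_host)
        self._store(post_form(token_endpoint(self.realm), body, self.transport))
        return self.access_token

    def bearer(self, now: Optional[float] = None, margin: float = 300.0) -> str:
        """Return a usable access token, refreshing when within `margin` seconds of expiry."""
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_on - margin:
            if self.refresh_token is None:
                raise RuntimeError("no refresh token: redeem a new authorization code first")
            body = refresh_grant_body(self.client_id, self.client_secret, self.realm,
                                      self.refresh_token, self.tenant_host)
            self._store(post_form(token_endpoint(self.realm), body, self.transport))
        return self.access_token
```

In use, you paste the browser's return URL into `code_from_redirect`, call `SpoTokens(...).redeem_code(code, "https://localhost/")` once within the five-minute window, and then call `bearer()` before every REST request; it hands back the cached access token and only goes to ACS with the refresh token when the hour is nearly up, which is the behaviour step #7 describes. The `expires_on` check is what stops a long-running Informatica job from sending a stale token and seeing a 401 in the middle of a run.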

There are a few things you need to remember.

1. Please remember the app client Id. After you have the access/refresh tokens, you can delete the app permission for the app. After that there is no UI to manage the app; the only way to see it is to look up the client Id through a URL like the one below. The URL can be on the admin site or on an SPO site.

https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx.

2. If you only want a one-time access token, the procedure provided by SHANTHA KUMAR is a little simpler. However, it does not give you a refresh token, so you need to generate a new code to get another access token after the first one expires.

3. There are some other ways we could generate the access token, through Graph. We will discuss those in detail in a future blog post.



