For external applications such as a Java application to integrate with SharePoint Online (SPO) sites through REST web services, Microsoft provides OAuth for authentication. In our case, an external application, Informatica, needs to integrate with all SPO site collections. Here is the procedure to generate a token that can be used for all SPO sites.
1. Create an app from any SharePoint online site through URL like this
Please note you can enter "localhost" as "App Domain" for SPO app.
After entering the client Id from step #1, enter the permission for the app. In this case, we grant read access to all site collections. The XML would look like this.
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
</AppPermissionRequests>
For the complete list of SPO permission scopes, please refer to this article for details. There are more discussions on the permission scope. Then you should trust the app.
If you only want to grant access to one site collection, you could register the app through that site, like https://<tenant>.sharepoint.com/sites/<sitename>/_layouts/15/appinv.aspx. The XML permission configuration can look like below.
<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
3. Generate tenant Id (realm) and SharePoint resource identifier.
There are many different ways to get the realm or tenant Id, as I described in an earlier blog post. The easiest one is to check any app permission on the site, as in the screenshot below. Please note the SharePoint resource identifier is a constant, highlighted in red. The tenant Id is highlighted in blue.
4. Get the Authorization code from Azure Access Control Service by using this URL https://your_site.sharepoint.com/_layouts/15/OAuthAuthorize.aspx?client_id=client_GUID&scope=app_permissions_list&response_type=code&redirect_uri=redirect_uri.
In our case, this is the URL:
Then trust the app. You will see the code in the return URL.
Please note the code is only valid for FIVE minutes, so you need to generate the access token within five minutes. Otherwise, you need to generate another code.
5. Generate SPO access token.
Open Postman and construct the following request.
Request Type: POST
URL: https://accounts.accesscontrol.windows.net/<Realm or Tenant Id>/tokens/OAuth/2
Body: Select "x-www-form-urlencoded" and enter the key/value pairs as below.
The Postman screenshot is as below.
The access token and refresh token are in the response body as in the screenshot.
6. Use the SPO access token to access any SPO site. I'm using Postman to query the site title as an example.
The POST REST URL is like https://<tenant>.sharepoint.com/sites/dev1/_api/web?$select=Title
The headers are as below:
Authorization: Bearer <accessToken>
The result from Postman is as below.
7. Generate SPO refresh token. Please note the access token is valid for only one hour. The refresh token is valid for six months. You can use the refresh token to generate a new access token.
This step is almost identical to step #5 with different header values as below.
The refresh token is displayed in the response body, similar to what Vikas Kottari described in his article.
Now you have the refresh token valid for six months to generate the access token to access all SPO sites.
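The token requests from steps 5 and 7, as an added Python example that is not part of the original post. The form field names and the way `client_id` and `resource` are composed from the client Id, realm and resource identifier follow the usual ACS OAuth2 form and are assumed here rather than taken from the post; the host, realm and credentials are values you supply.

```python
import json
import time
import urllib.parse
import urllib.request

# SharePoint resource identifier: the constant from step 3 (well-known value).
SPO_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_URL = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"


def token_request(realm, client_id, client_secret, host, *, code=None,
                  redirect_uri=None, refresh_token=None):
    """Return (url, form_body) for step 5 (code) or step 7 (refresh token)."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    form = {
        # ACS expects the realm appended to the client Id and to the resource.
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "resource": f"{SPO_PRINCIPAL}/{host}@{realm}",
    }
    if code is not None:
        if not redirect_uri:
            raise ValueError("redirect_uri must match the one used in step 4")
        form.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri)
    else:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    return ACS_URL.format(realm=realm), urllib.parse.urlencode(form)


def needs_refresh(token_response, now=None, skew=300):
    """True when the one-hour access token expires within `skew` seconds."""
    now = time.time() if now is None else now
    return int(token_response["expires_on"]) - now <= skew


def fetch_token(url, body):
    """POST the form to ACS and return the parsed JSON (requires network)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Read the client secret and refresh token from a secret store or environment variable at run time rather than embedding them in the integration's source.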
There are a few things you need to remember.
1. Please remember the app client ID. After you have the access/refresh token, you can delete the app permission for the app. Then there is no UI to manage the app. The only way to see the app is to query the client Id through a URL like the one below. The URL could be on the admin site or an SPO site.
2. If you want a one-time access token, the procedure provided by SHANTHA KUMAR is a little simpler. However, it will not give you a refresh token, and you need to generate a code to generate a new access token after it expires.
3. There are some other ways we could generate the access token through Graph. We will discuss them in detail in a future blog post.