After getting auth token for SharePoint online get HTTP 401 with it

  • Question

  • Hello,

    I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

    1) I have registered the app in the Azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

    2) Then I perform OAuth flow by opening browser with

    https://login.microsoftonline.com/common/oauth2/authorize
     ?client_id=<CODE FROM AZURE PORTAL>
     &response_type=code
     &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
     &resource=https://testorg.sharepoint.com/

    it redirects to my redirect URI and I parse out the code, as expected. Then I do

    POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
    client_id=<CODE FROM AZURE PORTAL>
    &client_secret=<SECRET FROM AZURE PORTAL>
    &grant_type=authorization_code
    &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
    &resource=https://testorg.sharepoint.com/
    &response_mode=form_post
    &code=<CODE FROM PREVIOUS STEP>

    this also returns the expected JSON from where I get "access_token".

    3) Later I call any SharePoint/WebDav API on https://testorg.sharepoint.com with the obtained token in auth header (Authorization:Bearer <TOKEN>) but get 401. However, all works fine when I follow X-Forms-Auth.

    Can anyone help me here please?
    • Edited by anrdii Tuesday, October 15, 2019 9:17 PM formatting
    Tuesday, October 15, 2019 9:15 PM

All replies

  • anrdii, since HTTP error 401 means Unauthorized, it looks like the scopes listed in the access token are something that SharePoint doesn't like, and that makes it throw the HTTP 401 error. All the permissions that you added under the App registration's API Permissions section should be available in the scopes section of the access token.

    You can decode the access token by pasting it on https://jwt.ms and check whether the scopes listed in the token match what you have mentioned in the API permissions.

    Hope this helps. In case even after checking this it doesn't help, feel free to let us know so that we can look into that deeper.

     


    Wednesday, October 16, 2019 5:38 AM
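
The check suggested in the reply above, done locally so the bearer token stays on the machine (an added example, not part of the original thread; Python is used only for this diagnostic). It goes slightly beyond the reply by also comparing the `aud` claim with the `resource` that was requested and checking `exp`. The sample token is constructed, the required-scope set is an assumption, and ignoring a trailing slash when comparing `aud` is a choice made for this example.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def diagnose(token: str, resource: str, required_scopes: set, now=None) -> list:
    """List the mismatches between the token's claims and what the call needs."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # Assumption of this example: a trailing slash is ignored in the comparison.
    if claims.get("aud", "").rstrip("/") != resource.rstrip("/"):
        problems.append(f"aud is {claims.get('aud')!r}, expected {resource!r}")
    granted = set(claims.get("scp", "").split())  # delegated scopes, space separated
    missing = required_scopes - granted
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed sample claims; the scope names are taken from this thread.
SAMPLE = make_sample_token({
    "aud": "https://testorg.sharepoint.com/",
    "scp": "AllSites.Manage MyFiles.Read MyFiles.Write User.Read",
    "exp": 2000000000,
})

if __name__ == "__main__":
    for line in diagnose(SAMPLE, "https://testorg.sharepoint.com", {"AllSites.Manage", "TermStore.Read.All"}):
        print(line)
```
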
  • Here are permissions from JWT:

    AllSites.Manage MyFiles.Read MyFiles.Write TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadWrite.All
    and API:

    • Edited by anrdii Sunday, October 20, 2019 2:44 PM error pasting image
    Sunday, October 20, 2019 2:43 PM
  • anrdii, I apologize for the delay in my response, as I was tied up a bit with some other engagements.

    Can you please let us know which SharePoint API you are trying to call here?

    Also, can you check the steps in the following article:

    https://www.sharepointpals.com/post/step-by-step-procedure-to-call-sharepoint-office-365-rest-api-from-microsoft-flow/

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

     

    Once we have the API details, we can check the requirements and permissions that are needed for that API.

    Wednesday, October 30, 2019 7:23 AM
  • My app calls many different APIs; the first one is WebDav PROPFIND on the root web folder. Others I use that got the same error were SOAP UserGroup.asmx/GetCurrentUserInfo and Webs.asmx/WebUrlFromPageUrl.

    Let me ask in advance that you not suggest migrating to some other API - the current one does work when I authenticate using X-Forms Auth.

    Remark to the link provided: I don't have access to a client's SharePoint site, so registering any apps there is not an option.

    • Edited by anrdii Friday, November 8, 2019 11:12 PM typo
    Wednesday, November 6, 2019 10:07 PM
  • anyone?
    Monday, November 18, 2019 7:37 PM
  • anrdii, I apologize for the delay. I am working on this in the backend. I will try to share a response by today.
    Tuesday, November 19, 2019 4:15 AM
  • Hello anrdii

    I had some internal discussions, and based on that, what we found is that since you are using WebDav API calls, for WebDav to work it needs persistent cookies. But in your case, since you are using Client credentials flow, there is no way that you can get a persistent cookie issued.

    Hence this call won't work here.

    You can refer to this article: https://blogs.technet.microsoft.com/sposupport/tag/persistent-cookie/

    Hope this helps. Do let me know if there are more queries around this so that I can try to find answers to those.


    Tuesday, November 19, 2019 2:34 PM
  • Thank you for the answer.

    But what about SOAP UserGroup.asmx/GetCurrentUserInfo, Webs.asmx/WebUrlFromPageUrl?

    Also, if cookies were the problem, would X-Forms auth work (it does)?

    I can try REST, but I'm sure it will fail the same way.
    • Edited by anrdii Wednesday, November 20, 2019 8:13 PM
    Wednesday, November 20, 2019 8:10 PM
  • anrdii, I am still working on this, will get back to you soon.
    Wednesday, November 27, 2019 4:47 PM
  • Since it takes so much time, should we move to Microsoft Q&A?

    • Edited by anrdii Sunday, December 8, 2019 8:34 AM
    Sunday, December 8, 2019 8:33 AM
  • @andrii,

    Yeah, it would be great if you can get a thread in Q&A. But most importantly, this question needs to go to the SharePoint team.

    I am struggling there to connect with someone from the SharePoint team to get an answer on this. In case you are creating a new thread in Q&A, make sure you create it under SharePoint Online as the product.

    Tuesday, December 10, 2019 4:54 AM