none
After getting auth token for SharePoint online get HTTP 401 with it RRS feed

  • Question

  • Hello,

    I am developing native app: C++ with HTTP so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and "FedAuth" cookie but now need to migrate to OAuth.

    1) I have registered the app in azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

    2) Then I perform OAuth flow by opening browser with

    https://login.microsoftonline.com/common/oauth2/authorize
     ?client_id=<CODE FROM AZURE PORTAL>
     &response_type=code
     &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
     &resource=https://testorg.sharepoint.com/

    it redirects to my redirect URI and I parse out the code, as expected. Then I do

    POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
    client_id=<CODE FROM AZURE PORTAL>
    &client_secret=<SECRET FROM AZURE PORTAL>
    &grant_type=authorization_code
    &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
    &resource=https://testorg.sharepoint.com/
    &response_mode=form_post
    &code=<CODE FROM PREVIOUS STEP>

    this also returns the expected JSON from where I get "access_token".

    3) Later I call any SharePoint/WebDav API on https://testorg.sharepoint.com with the obtained token in auth header (Authorization:Bearer <TOKEN>) but get 401. However, all works fine when I follow X-Forms-Auth.

    Can anyone help me here please?
    • Edited by anrdii Tuesday, October 15, 2019 9:17 PM formatting
    Tuesday, October 15, 2019 9:15 PM

All replies

  • anrdii, Since Http Error 401 i.e Unauthorized, it looks like the scopes listed in the access token are something that SharePoint doesn't like and that make it throw the Http Error 401. All the permissions that you added under the App registration's API Permission section, should be available in the scopes section of the Access Token.

    You can decode the access token by pasting it on https://jwt.ms and check for the scopes that are listed in the token and if that matches with what you have mentioned in the API permissions.

    Hope this helps. In case even after checking this it doesn't help, feel free to let us know so that we can look into that deeper.

     

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, October 16, 2019 5:38 AM
    Moderator
  • Here are permissions from
    JWT:

    AllSites.Manage MyFiles.Read MyFiles.Write TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadWrite.All
    and API:

    • Edited by anrdii Sunday, October 20, 2019 2:44 PM error pasting image
    Sunday, October 20, 2019 2:43 PM
  • anrdii, I apologize for the delay in my response, as was tied up a bit with some other engagements.

    Can you please let us know which Sharepoint API you are trying to call here?

    Also, can you check the steps in the following article:

    https://www.sharepointpals.com/post/step-by-step-procedure-to-call-sharepoint-office-365-rest-api-from-microsoft-flow/

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

     

    Once we have the API details, we can check the requirements and permissions that are needed for that API.

    Wednesday, October 30, 2019 7:23 AM
    Moderator
  • My app calls many different API, the first one is WebDav PROPFIND on the root web folder. Another one I use and got the same error were SOAP UserGroup.asmx/GetCurrentUserInfo, Webs.asmx/WebUrlFromPageUrl.

    Let me ask in advance to not suggest to migrate to some other API - the current one does work when I authenticate using X-Forms Auth.

    Remark to the link provided: I don't have access to a client's SharePoint site, so registering any apps there is not an option.

    • Edited by anrdii Friday, November 8, 2019 11:12 PM typo
    Wednesday, November 6, 2019 10:07 PM