Sharepoint Online: Encrypted security token

  • Question

    Hi!

    I am trying to do a remote connection to a SharePoint Online account from a Java application. For authentication, I'm trying to do the following steps:

    1. Get security token
    2. Get access tokens/cookies: FedAuth and rtFA
    3. Get request digest

    For step 1 (getting the security token), I sent a POST request to https://login.microsoftonline.com/extSTS.srf with the username and password in the request body.

    ========================================

    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
          xmlns:a="http://www.w3.org/2005/08/addressing"
          xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
        <a:ReplyTo>
          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://login.microsoftonline.com:443/extSTS.srf</a:To>
        <o:Security s:mustUnderstand="1"
           xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:UsernameToken>
            <o:Username>USERNAME</o:Username>
            <o:Password>PASSWORD</o:Password>
          </o:UsernameToken>
        </o:Security>
      </s:Header>
      <s:Body>
        <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <a:EndpointReference>
              <a:Address>SHAREPOINT_ONLINE_URL</a:Address>
            </a:EndpointReference>
          </wsp:AppliesTo>
          <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
          <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
          <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
        </t:RequestSecurityToken>
      </s:Body>
    </s:Envelope>

    ========================================

    Most of the documentation online expects the response to be in this format:

    <wst:RequestedSecurityToken>
      <wsse:BinarySecurityToken Id="Compact0">TOKEN_HERE</wsse:BinarySecurityToken>
    </wst:RequestedSecurityToken>

    However, the response I am getting is an encrypted security token.

    ========================================

    <wst:RequestedSecurityToken>
      <EncryptedData Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <ds:KeyInfo>
          <EncryptedKey>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509SKI>SOME_TEXT_HERE</ds:X509SKI>
              </ds:X509Data>
              <ds:KeyName>SHAREPOINT_ONLINE_HOSTNAME</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
              <CipherValue>SOME_LONG_TEXT_HERE</CipherValue>
            </CipherData>
          </EncryptedKey>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>SOME_LONGER_TEXT_HERE</CipherValue>
        </CipherData>
      </EncryptedData>
    </wst:RequestedSecurityToken>

    ========================================

    

    Questions:

    1. Is the process of authentication correct?
    2. Do we need to decrypt the token before proceeding with step 2 (getting access tokens/cookies)?
       1. If yes, what key should we use to decrypt the token?
       2. If no, what would be the format of the request for step 2 (getting access tokens/cookies)?
    3. Is there a way to get the unencrypted token (BinarySecurityToken string) instead?



    • Edited by BEspiritu Wednesday, November 9, 2016 5:54 PM
    Wednesday, November 9, 2016 5:51 PM
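The two response shapes quoted in the question differ in what the client can do with them, and a client that blindly looks for a `BinarySecurityToken` will silently get nothing from the second. The parser below is an added example (Python rather than the asker's Java, and not code from Microsoft or from the poster) that classifies a WS-Trust `RequestSecurityTokenResponse` as a plain binary token, an `EncryptedData` assertion, or a SOAP fault, and pulls out the XML Encryption metadata without attempting any decryption. In XML Encryption the `EncryptedKey`'s `KeyInfo` names the certificate whose public key wrapped the session key; in the quoted response that is the SharePoint host (`ds:KeyName`, `ds:X509SKI`), which is worth surfacing before anyone reaches for a decryption routine. Element matching is by local name because the STS output in the post shows the xmlenc elements without a prefix. The three sample responses, the hostname `tenant.sharepoint.com` and every `CONSTRUCTED_*` value are constructed placeholders, not real STS output; the binary token is a bearer credential, so the log-safe `describe()` helper reports its presence and length but never its value.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


def _local(tag: str) -> str:
    """Strip the '{namespace}' part ElementTree prepends to qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(root: ET.Element, local_name: str) -> Optional[ET.Element]:
    """First element in document order (root included) with this local name."""
    for el in root.iter():
        if _local(el.tag) == local_name:
            return el
    return None


def _text(el: Optional[ET.Element]) -> Optional[str]:
    return el.text.strip() if el is not None and el.text else None


@dataclass
class RstrSummary:
    kind: str                                 # "binary", "encrypted", "fault" or "unknown"
    token: Optional[str] = None               # opaque bearer token: a secret, never log it
    data_algorithm: Optional[str] = None      # cipher applied to the assertion body
    key_wrap_algorithm: Optional[str] = None  # cipher that wrapped the session key
    key_name: Optional[str] = None            # party whose certificate wrapped the key
    x509_ski: Optional[str] = None            # SubjectKeyIdentifier of that certificate
    fault: Optional[str] = None               # SOAP fault reason text, if any


def summarize_rstr(xml_text: str) -> RstrSummary:
    """Classify an RSTR envelope by shape; nothing here decrypts or verifies anything."""
    root = ET.fromstring(xml_text)

    fault = _find(root, "Fault")
    if fault is not None:
        reason = _find(fault, "Text")             # SOAP 1.2 Reason/Text
        if reason is None:
            reason = _find(fault, "faultstring")  # SOAP 1.1 fallback
        return RstrSummary(kind="fault", fault=_text(reason) or "")

    bst = _find(root, "BinarySecurityToken")
    if bst is not None:
        return RstrSummary(kind="binary", token=_text(bst))

    enc = _find(root, "EncryptedData")
    if enc is not None:
        # EncryptionMethod directly under EncryptedData is the data cipher;
        # the one directly under EncryptedKey is the key-wrap cipher.
        data_alg = next((c.get("Algorithm") for c in enc if _local(c.tag) == "EncryptionMethod"), None)
        enc_key = _find(enc, "EncryptedKey")
        wrap_alg = key_name = ski = None
        if enc_key is not None:
            wrap_alg = next((c.get("Algorithm") for c in enc_key if _local(c.tag) == "EncryptionMethod"), None)
            key_name = _text(_find(enc_key, "KeyName"))
            ski = _text(_find(enc_key, "X509SKI"))
        return RstrSummary(kind="encrypted", data_algorithm=data_alg,
                           key_wrap_algorithm=wrap_alg, key_name=key_name, x509_ski=ski)

    return RstrSummary(kind="unknown")


def describe(summary: RstrSummary) -> str:
    """Log-safe one-liner: says what came back, never the token bytes."""
    if summary.kind == "binary":
        return f"binary token received ({len(summary.token or '')} chars, value redacted)"
    if summary.kind == "encrypted":
        return (f"encrypted assertion: data={summary.data_algorithm} keywrap={summary.key_wrap_algorithm} "
                f"wrapped_for={summary.key_name} ski={summary.x509_ski}")
    if summary.kind == "fault":
        return f"STS fault: {summary.fault}"
    return "unrecognised RSTR shape"


# Constructed sample responses (placeholders, not real STS output).
SAMPLE_BINARY = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken><wsse:BinarySecurityToken
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 Id="Compact0">CONSTRUCTED_OPAQUE_TOKEN</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>"""

SAMPLE_ENCRYPTED = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo><EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo><ds:X509Data><ds:X509SKI>CONSTRUCTED_SKI</ds:X509SKI></ds:X509Data>
<ds:KeyName>tenant.sharepoint.com</ds:KeyName></ds:KeyInfo>
<CipherData><CipherValue>CONSTRUCTED_WRAPPED_KEY</CipherValue></CipherData>
</EncryptedKey></ds:KeyInfo>
<CipherData><CipherValue>CONSTRUCTED_CIPHERTEXT</CipherValue></CipherData>
</EncryptedData></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>"""

SAMPLE_FAULT = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body><S:Fault>
<S:Code><S:Value>S:Sender</S:Value></S:Code>
<S:Reason><S:Text xml:lang="en-US">constructed fault reason</S:Text></S:Reason>
</S:Fault></S:Body></S:Envelope>"""

if __name__ == "__main__":
    for sample in (SAMPLE_BINARY, SAMPLE_ENCRYPTED, SAMPLE_FAULT):
        print(describe(summarize_rstr(sample)))
```

Running the block prints one classification line per sample; the encrypted case reports the data and key-wrap algorithms and the `KeyName` the session key was wrapped for, which is the check to make before deciding whether a given client can do anything with the assertion beyond forwarding it.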

Answers

All replies