OAuth authentication for SPFx solutions

Henning Eiben 1 Reputation point
2022-12-02T13:04:31.987+00:00

I am challenged by an SPFx-based solution (WebPart as well as Commandbar-Extension). I have a set of APIs which are secured by OAuth. There is a dedicated authentication server, so I can't just use AAD to grab a token, but instead I have to access this authentication server.

So my challenge is: how can I provide a solution for an unknown number of customers running unknown SharePoint tenants, while using OAuth? Since SPFx is a single-page-application-style solution, I will have to provide a return-uri to the authentication server. And this return-uri has to be known by the authentication server to be validated. But since I don't know who's going to use the application - I would need to allow all return-uris to *.sharepoint.com?

So my question is: there must be someone out there who had the same problem. What would be a way to solve this challenge?

Microsoft 365 and Office | SharePoint | Development
Microsoft 365 and Office | SharePoint | For business | Windows
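The return-uri question above, as an added example that is not part of the original post or of any product's code: it contrasts the `*.sharepoint.com` wildcard with exact-match validation of a URI that each customer registers at onboarding. Per-customer registration, the client ids, tenant names and paths are assumptions made for the illustration.

```typescript
// Added example. Client ids, tenant names and paths are constructed sample values.
const TENANT_HOST = /^[a-z0-9-]+\.sharepoint\.com$/;

// The wildcard policy from the question: every host under sharepoint.com passes,
// including tenants that never signed up for the application.
function wildcardAllows(redirectUri: string): boolean {
  try {
    const u = new URL(redirectUri);
    return u.protocol === "https:" && /\.sharepoint\.com$/.test(u.hostname);
  } catch (e) {
    return false; // not an absolute URL
  }
}

// Assumed alternative: one registration per customer, stored per client_id.
const registered: { [clientId: string]: string[] } = {};

// Onboarding check: accept only a concrete https tenant URL,
// with no wildcard host, fragment or userinfo.
function registerRedirectUri(clientId: string, redirectUri: string): boolean {
  let u: URL;
  try {
    u = new URL(redirectUri);
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:" || !TENANT_HOST.test(u.hostname)) return false;
  if (redirectUri.indexOf("#") !== -1) return false;
  if (u.username !== "" || u.password !== "") return false;
  (registered[clientId] = registered[clientId] || []).push(redirectUri);
  return true;
}

// Authorization-request check: exact string comparison against the registered
// values, as the OAuth 2.0 Security Best Current Practice (RFC 9700) requires.
function exactAllows(clientId: string, redirectUri: string): boolean {
  return (registered[clientId] || []).indexOf(redirectUri) !== -1;
}

// Constructed onboarding of one customer tenant.
registerRedirectUri(
  "client-contoso",
  "https://contoso.sharepoint.com/sites/app/SitePages/callback.aspx"
);
```
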

2 answers

  1. RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff
    2022-12-05T07:53:45.637+00:00

    Hi @Henning Eiben
    I recommend that you connect to Azure AD-secured APIs in SharePoint Framework solutions. SharePoint Framework allows you to specify which Azure AD applications and permissions your solution requires, and a global or SharePoint administrator can grant the necessary permissions if they haven't yet been granted. By using the AadHttpClient, you can easily connect to APIs secured by using Azure AD without having to implement the OAuth flow yourself.

    Please refer to the following document for more details
    https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient


    1 person found this answer helpful.

  2. RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff
    2022-12-05T07:50:03.007+00:00

    Hi @Henning Eiben
    I recommend that you connect to Azure AD-secured APIs in SharePoint Framework solutions. SharePoint Framework allows you to specify which Azure AD applications and permissions your solution requires, and a global or SharePoint administrator can grant the necessary permissions if they haven't yet been granted. By using the AadHttpClient, you can easily connect to APIs secured by using Azure AD without having to implement the OAuth flow yourself.

    Please refer to the following document for more details
    https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient


