Calling SharePoint APIs with Sites.ReadWrite.All - which token to use?

OM 0 Reputation points
2024-08-03T23:52:23.92+00:00

When calling a SharePoint REST API, which token do I need to pass, and in which header?

Currently I am doing:

const result = await fetch(`${sharepointUrl}/_api/search/query?querytext='${searchtext}'`, {
  headers: {
    Bearer: token,
    Accept: 'application/json;odata=verbose',
    'odata-version': '',
  },
})


Where token is the value that was returned by the OAuth login. I am using NextAuth with the azure-ad provider (https://next-auth.js.org/providers/azure-ad), which works fine: users can log in without any problem using their Azure AD/Entra ID account. This gives me the fields shown in the screenshot below. I am using next_auth_account.access_token as the bearer token. I have also tried next_auth_session.sessionToken.

However, I am getting 403 Forbidden as the result. So, am I using the wrong header field name? The wrong field to get the token from? The wrong something else? I am logging in as myself to test, and I do have access to the SharePoint site that I am searching.

Screenshot 2024-08-04 at 11.34.33 AM

And I have set up the Sites.ReadWrite.All permission in Azure:
Screenshot 2024-08-03 at 11.10.40 AM

The response from SharePoint is:

Response {
  [Symbol(realm)]: null,
  [Symbol(state)]: {
    aborted: false,
    rangeRequested: false,
    timingAllowPassed: true,
    requestIncludesCredentials: true,
    type: 'default',
    status: 403,
    timingInfo: [Object],
    cacheState: '',
    statusText: 'Forbidden',
    headersList: [HeadersList],
    urlList: [Array],
    body: [Object]
  },
  [Symbol(headers)]: HeadersList {
    cookies: null,
    [Symbol(headers map)]: [Map],
    [Symbol(headers map sorted)]: null
  }
}
Microsoft 365 and Office SharePoint Development
Microsoft Security Microsoft Graph
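The request as a practitioner would rebuild it, added here as an example and not the question author's code: the token travels in the Authorization header with the Bearer scheme (the header SharePoint reads), not in a header named "Bearer", and the search text is kept inside its OData string literal so that a quote in user input cannot end the literal early. The site URL, token and fetch stub are assumed inputs, not values from the thread.

```javascript
// Added example, not the question author's code: build the SharePoint REST
// search request with the access token in the Authorization header and the
// search text safely embedded in its OData string literal.
//
// Assumed inputs (not from the thread): sharepointUrl such as
// https://contoso.sharepoint.com/sites/team, and token already issued for
// that SharePoint resource rather than for Microsoft Graph.

// In an OData string literal a single quote is doubled. Doing this before
// percent-encoding keeps user-supplied text from terminating the literal and
// appending extra query operators.
function escapeODataString(value) {
  return String(value).replace(/'/g, "''");
}

function buildSearchRequest(sharepointUrl, searchtext, token) {
  const base = sharepointUrl.replace(/\/+$/, '');
  const literal = `'${escapeODataString(searchtext)}'`;
  return {
    url: `${base}/_api/search/query?querytext=${encodeURIComponent(literal)}`,
    init: {
      method: 'GET',
      headers: {
        // Bearer scheme inside the Authorization header; a header literally
        // named "Bearer" is not where the token is read from.
        Authorization: `Bearer ${token}`,
        Accept: 'application/json;odata=verbose',
      },
    },
  };
}

// Runs the request. fetchImpl is injectable so the call can be exercised
// against a stub without network access.
async function searchSharePoint(sharepointUrl, searchtext, token, fetchImpl = fetch) {
  const { url, init } = buildSearchRequest(sharepointUrl, searchtext, token);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // Surface the status rather than the whole Response object; a 401/403 here
    // points at the token (audience, scopes, expiry), not at the query itself.
    throw new Error(`SharePoint search failed: ${res.status} ${res.statusText}`);
  }
  return res.json();
}
```

Call it as `await searchSharePoint(sharepointUrl, searchtext, token)`; the empty `odata-version` header from the original is not needed when `Accept` already selects verbose JSON.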

4 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-08-05T07:29:52.8266667+00:00

    Hi @OM,

    You can use this article to get the access token for your REST API.

    Get access without a user

    Note that in the second section of this article, when configuring permissions, select SharePoint instead of Microsoft Graph. Selecting SharePoint sets the permissions for the REST API. The other steps are the same.

    After you have successfully obtained an access token, place it in the Authorization header when you call the REST API.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-08-06T07:59:08.05+00:00

    Hi @OM,

    I'm sorry I didn't understand your question properly.

    For your question:

    1. Yes, the access token returned by your login is correct, and you need to use it when calling the SharePoint API.
    2. You can also use the "Bearer" header, which carries the access token just like the "Authorization" header.

    If you continue to encounter 403 issues, I recommend that you first parse your request token in this widget and check that the permissions recorded in the scp section match the permissions you should have been granted.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link. 

    You can also share the result of this analysis with me, which will help me solve your problem better.

    Thank you for your time and efforts in advance.


  4. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-08-09T06:58:28.4266667+00:00

    Hi @OM,

    Sorry for getting back to you late, as I took a moment to find the answer.

    I asked a colleague who specializes in the Microsoft Graph API, and the problem turned out to be that we were confusing the SharePoint REST API with the Microsoft Graph API!

    That's why you have permission but still get a 403 error.

    This article details how to get an access token for the SharePoint REST API via Postman; you can try to get the access token again and see if the problem persists.

    Access SharePoint Online data using postman tool

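The diagnostic suggested in the two answers above (decode the token, look at its scp claim) together with the root cause identified here (a Microsoft Graph token presented to the SharePoint REST API), as an added example that is not code from the thread: the payload is decoded locally and the aud, scp and exp claims are checked against what the SharePoint host expects. The signature is not verified, so this is a developer-side sanity check, not an authorization decision. The host name, the scope names AllSites.Read and Sites.Search.All (used here as delegated SharePoint permission names for illustration) and the constructed sample tokens are assumptions, not values from the thread.

```javascript
// Added example, not the thread's code: decode an Entra ID access token and
// check the claims that decide whether SharePoint REST accepts it. The
// signature is NOT verified here; this is a local diagnostic for the developer
// holding the token, never an authorization check.
//
// Assumptions (not stated in the thread): the token is a compact JWS
// (header.payload.signature); sharepointHost is the tenant host the REST call
// targets; requiredScopes are the delegated SharePoint permission names the
// app expects to find in the scp claim.

const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000', // Microsoft Graph application ID
]);

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS (expected header.payload.signature)');
  }
  // Node's base64url decoder accepts the unpadded form used in JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function checkSharePointToken(token, sharepointHost, requiredScopes, now = Date.now()) {
  const claims = decodeJwtPayload(token);
  const problems = [];

  // aud: a token minted for Microsoft Graph is rejected by SharePoint REST even
  // when Sites.ReadWrite.All is granted on Graph; SharePoint expects its own host.
  const expectedAud = `https://${sharepointHost}`;
  if (GRAPH_AUDIENCES.has(claims.aud)) {
    problems.push(`aud ${claims.aud} is Microsoft Graph; request a token for ${expectedAud}`);
  } else if (claims.aud !== expectedAud) {
    problems.push(`aud is ${claims.aud}, expected ${expectedAud}`);
  }

  // scp: the delegated scopes actually issued, space separated.
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  for (const s of requiredScopes) {
    if (!scopes.includes(s)) {
      problems.push(`scp lacks ${s} (token has: ${scopes.join(' ') || 'none'})`);
    }
  }

  // exp: seconds since the epoch.
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= now) {
    problems.push('token is expired');
  }

  return { ok: problems.length === 0, aud: claims.aud, scopes, problems };
}

// Constructed sample token for local demonstration only: a real header and
// payload with a placeholder signature, since the checker never verifies it.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
```

Run `checkSharePointToken(token, 'contoso.sharepoint.com', ['AllSites.Read'])` on the value NextAuth stores in `access_token`; an aud of `https://graph.microsoft.com` reproduces exactly the situation described in this answer, and the fix is to request a token whose scope targets the SharePoint host rather than Graph.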

