Sharepoint API with delegation and OAUTH access token

David S 20 Reputation points
2024-11-21T10:39:30.82+00:00

Hi,

I've created a program that allows me to push data to SharePoint, and it works well. The SharePoint API is created with Graph API and delegation, and I'm using OAuth - my program obtains a new token every 50 minutes (with some fall-back measures in place).

My company's IT department has quite rightly rejected this, as the API had Sites.FullControl.All permissions, and this would give me access to everything.

I read that delegated Sites.Selected is now supported, so I went down the route of setting this up. However, when I analyse the JSON of the access token, there is no scp or roles claim inside it, and indeed my program's debug output replies: `"AccessDenied", "message": "Either scp or roles claim need to be present in the token."`

I'm no expert on this, this is my first foray into creating such an API.

My program itself will run on a dedicated PC, connected to my company network with a service account (not my own). It parses data from the serial port and pushes it to a SQL db and to a SharePoint list. The SharePoint list allows me to easily manage sending out emails when certain fields are populated on the list, and also to use this list as a data source for a Power App. I'm also far from an expert regarding how a company IT infrastructure works. What are my options here? Currently delegated Sites.Selected does not work with the way I retrieve an access token. I will speak with my IT (in another country) about this, but I greatly need some thoughts on this from anyone in the know.

Really looking forward to some feedback on this

Thank you for your time and consideration...

Dave

Microsoft 365 and Office SharePoint Development

Accepted answer
  1. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2024-11-22T05:13:06.5733333+00:00

    Hi @David S,

    Thank you for posting in this community.

    According to your error "Either scp or roles claim need to be present in the token.", this means that the token you generated doesn't have an scp or roles claim; these are the two parts that are used to indicate the permissions you have been given. This is what it usually looks like:

    [Screenshot: the scp part of the decoded JWT.]

    First, we suspect that there is something wrong with the way the token is being obtained.

    Delegated permissions are only available in a delegated authentication flow, so you should use a delegated authentication flow to obtain an access token, such as the auth code flow or the ROPC flow (not really recommended, as it sends the password in plaintext in the request that generates the token).

    If you don't know much about this, I suggest you refer to this article to regenerate your token. This article has more detailed steps: Get access on behalf of a user.

    Secondly, this could also be caused by you being given incorrect permissions.

    I would suggest that you confirm with the administrator who gave you the permissions that you were given permissions under Microsoft Graph and not SharePoint, and that an administrator has consented to these permissions.

    [Screenshot omitted.]

    Setting it up incorrectly will result in the token being generated not containing the permissions at all, thus resulting in the scp part being missing.

    Finally, for your newly generated token, we recommend that you use this JWT tool to parse it, mainly checking that the token has the scp part and that it has the permissions you need.

    Note: This link is non-official, just for reference.

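The check the answer describes (decode the token you just obtained and confirm it carries an `scp` or `roles` claim with the permission you expect, against the Microsoft Graph audience) can be done locally instead of pasting a bearer token into a third-party web page. The following is an added example, not code from the thread or from Microsoft; it uses only the Python standard library, and the tokens it inspects are constructed samples with a dummy signature (a real Entra ID token is RS256-signed). It reads the claims without verifying the signature, which is fine for inspecting your own freshly issued token but must never be used to accept a token from someone else.

```python
import base64
import json

# Microsoft Graph is the resource the permissions must be granted on;
# a token for SharePoint itself (aud = https://<tenant>.sharepoint.com)
# carries SharePoint permissions, not Graph ones.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",  # Microsoft Graph application id
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking the signature.
    Only for looking at a token you obtained yourself; this is not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def graph_permission_check(claims: dict, required: str = "Sites.Selected") -> dict:
    """Classify the token as delegated (scp) or app-only (roles) and check that
    `required` is among the granted Graph permissions. Returns a small report."""
    aud = claims.get("aud")
    report = {"aud": aud, "flow": "none", "permissions": [], "ok": False, "reason": ""}
    if aud not in GRAPH_AUDIENCES:
        report["reason"] = (f"audience is {aud!r}, not Microsoft Graph; the permission "
                            "was probably granted on a different API")
        return report
    scp = claims.get("scp")      # delegated: space-separated string
    roles = claims.get("roles")  # app-only: JSON array
    if scp:
        report["flow"] = "delegated"
        report["permissions"] = scp.split()
    elif roles:
        report["flow"] = "app-only"
        report["permissions"] = list(roles)
    else:
        report["reason"] = "neither scp nor roles present: Graph will answer AccessDenied"
        return report
    report["ok"] = required in report["permissions"]
    if not report["ok"]:
        report["reason"] = f"{required} not in granted permissions {report['permissions']}"
    return report


def _constructed_token(payload: dict) -> str:
    """Build a token-shaped string with a dummy signature (constructed sample
    for this example only; real tokens are signed by Entra ID)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(payload)),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed samples covering the shapes discussed in the thread.
SAMPLE_DELEGATED = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "scp": "Sites.Selected User.Read",
    "upn": "svc-serialbridge@contoso.example",  # hypothetical service account
})
SAMPLE_APP_ONLY = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Sites.Selected"],
})
SAMPLE_NO_CLAIM = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "upn": "svc-serialbridge@contoso.example",
})
SAMPLE_WRONG_AUD = _constructed_token({
    "aud": "https://contoso.sharepoint.com",  # SharePoint, not Graph
    "scp": "AllSites.Write",
})

if __name__ == "__main__":
    for name, tok in [("delegated", SAMPLE_DELEGATED), ("app-only", SAMPLE_APP_ONLY),
                      ("no claim", SAMPLE_NO_CLAIM), ("wrong aud", SAMPLE_WRONG_AUD)]:
        print(f"{name:10s} {graph_permission_check(decode_jwt_claims(tok))}")
```

The `flow` field is the quick tell for the situation in this thread: a delegated grant shows up as a space-separated `scp` string, an application grant as a `roles` array, and a token with neither (or with a SharePoint audience rather than Graph) is exactly what produces the AccessDenied response quoted in the question.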


1 additional answer

  1. David S 20 Reputation points
    2024-12-09T09:29:44.6366667+00:00

    Dear Ling_Zhou,

    Many thanks for taking the time out to help me. It really is appreciated.

    To be honest, I need to go through what you said and re-make a delegated API. Previously, when trying to use Sites.Selected with delegation and OAuth, there were no roles or scopes in the access token. I moved to an application API instead, which, when I thought about it, suits my needs better. After moving to an application API, scopes and roles became present in the access token, and I was able to use the M365 CLI to set the roles. I will mark your answer as the accepted one, but like I said, I'm not sure that you can have Sites.Selected on delegation with OAuth. However, I could be wrong; I need to revisit it and check. Again, many thanks for your help.

    David

