Calling SharePoint REST API from a Teams Tab with single sign-on (SSO)

Nikolay Belykh 1 Reputation point
2021-03-11T19:55:17.837+00:00

I have a Teams Tab application with single sign-on (SSO) that needs to do some manipulations with the team's site. I understand this can be done with graph API, and it works perfectly (there are examples available). However graph sharepoint api is very limited; for example, I would like to create a view of a list, and a page. Graph API does not provide this.

So I would like to do the things I need to do with REST API (or CSOM). For that, I need a proper access token to be able to call it. If I try to grat access to SharePoint app registration (i.e. giving sharepoint read permission for example in addition to "Sites.Read.All" graph permission), it does not seem to work. I keep getting error "Invalid issuer or signature" when trying to call into SharePoint REST API. How can I overcome this?

There are examples that illustrate this flow for graph.
My problem is that this flow does not work for APIs other than graph (SharePoint REST API in particular)
https://github.com/wictorwilen/teams-sso-tab-demo

What I do:

  1. Get teams client token using microsoftTeams.authentication.getAuthToken()
  2. Trade this token server-side using https://login.microsoftonline.com/{tid}/oauth2/v2.0/token endpoint for access token (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
  3. Call the API ===<<<< here I would like to be able to call SharePoint REST API (graph API call succeeds). However, if I try to, even if the token contains all possible "SharePoint" permissions, I keep getting the error "Invalid issuer or signature". To clarify:

This call works: https://graph.microsoft.com/v1.0/sites/root
This call fails: https://{tenant}.sharepoint.com/_api/web

Similar question:
https://sharepoint.stackexchange.com/questions/220642/oauth-authentication-for-sharepoint-rest-api

Microsoft Teams Development
Microsoft Teams Development
Microsoft Teams: A Microsoft customizable chat-based workspace.Development: The process of researching, productizing, and refining new or existing technologies.
2,890 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Mamatha-MSFT 156 Reputation points
    2021-03-29T11:32:41.51+00:00

    Posting the Answer for better knowledge
    Copying from @Nikolay Belykh comments

    Got a working answer from Jeremy Kelley here:
    https://stackoverflow.com/questions/66387090/call-sharepoint-rest-api-from-teams-tab?noredirect=1#comment118118435_66387090

    You need to put the scope of "https://{your-target-domain}/.default" (or "https://{your-target-domain}/AllSites.Read", etc) in the grant flow.
    Then you need to put the same scope in the on-behalf-of flow.

    It is just when you register app in AzureAD, the sharepoint-scope is shown as "https://microsoft.sharepoint-df.com/AllSites.Read"; but you should NOT use this when requesting the token but instead you should use the target domain for which you are requesting the token. In both calls (grant and then exchange). The URL in the azure ad portal seems to be just an example URL, not the real scope URL one should use.

    0 comments
  2. Justin Jia 306 Reputation points
    2021-07-05T07:45:49.473+00:00

    i want to call asp.net core web api securitied by microsoft-identity-web
    https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis

    how do i setup the scope ?

    0 comments