I have a Teams Tab application with single sign-on (SSO) that needs to do some manipulations with the team's site. I understand this can be done with the Graph API, and it works perfectly (there are examples available). However, the Graph SharePoint API is very limited; for example, I would like to create a view of a list, and a page. The Graph API does not provide this.
So I would like to do the things I need to do with the REST API (or CSOM). For that, I need a proper access token to be able to call it. If I try to grant access to the SharePoint app registration (i.e. giving a SharePoint read permission, for example, in addition to the "Sites.Read.All" Graph permission), it does not seem to work. I keep getting the error "Invalid issuer or signature" when trying to call into the SharePoint REST API. How can I overcome this?
There are examples that illustrate this flow for Graph.
My problem is that this flow does not work for APIs other than Graph (the SharePoint REST API in particular):
https://github.com/wictorwilen/teams-sso-tab-demo
What I do:
- Get the Teams client token using microsoftTeams.authentication.getAuthToken()
- Trade this token server-side using the https://login.microsoftonline.com/{tid}/oauth2/v2.0/token endpoint for an access token (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
- Call the API. This is where I would like to be able to call the SharePoint REST API (the Graph API call succeeds). However, if I try to, even if the token contains all possible "SharePoint" permissions, I keep getting the error "Invalid issuer or signature". To clarify:
This call works: https://graph.microsoft.com/v1.0/sites/root
This call fails: https://{tenant}.sharepoint.com/_api/web
Similar question:
https://sharepoint.stackexchange.com/questions/220642/oauth-authentication-for-sharepoint-rest-api