After getting auth token for SharePoint online get HTTP 401 with it

Andrii Mykhailiuk 1 Reputation point
2019-12-24T15:19:51.46+00:00

Moved from Windows Dev Center Forum

Hello,

I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

1) I have registered the app in the Azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

2) Then I perform OAuth flow by opening browser with

https://login.microsoftonline.com/common/oauth2/authorize
?client_id=
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/

it redirects to my redirect URI and I parse out the code, as expected. Then I do

POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
client_id=
&client_secret=
&grant_type=authorization_code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/
&response_mode=form_post
&code=

this also returns the expected JSON from where I get "access_token".

3) Later I call any SharePoint/WebDav API (e.g. SOAP UserGroup.asmx/GetCurrentUserInfo, Webs.asmx/WebUrlFromPageUrl) on https://testorg.sharepoint.com with the obtained token in auth header (Authorization:Bearer ) but get 401. However, all works fine when I follow X-Forms-Auth.

Here are permissions from JWT:

AllSites.Manage MyFiles.Read MyFiles.Write TermStore.Read.All TermStore.ReadWrite.All User.Read User.Read.All User.ReadWrite.All  


Can anyone help me here, please?

PS: I was advised to ask under SharePoint Online product but there is no such product here

Microsoft Entra ID

3 answers

  1. FrankHu-MSFT 976 Reputation points
    2019-12-27T01:20:49.233+00:00

    I'm following up on this. We will need some more information in regards to this; can you please provide the information that Shashi was requesting? If you can get a Fiddler trace and provide the error response, that would be much more beneficial. Are you sure that the token has the right permissions/scps?

    You can decode your JWT tokens here: https://jwt.ms/

    The Claims tab will also provide an explanation of what the claims in your JWT token are supposed to do.

    Also, it's suggested to utilize the Microsoft Graph API when possible. The SharePoint REST API should be available on the MSFT Graph API: https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0

    The Azure Q&A Forums do not support SharePoint as they are still on the MSDN Forums. These forums can be found here:
    https://social.msdn.microsoft.com/Forums/en-US/home?category=openspecifications
    Protocol Reference can be found here:
    https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-spprotlp/8a50af28-2b50-43d8-9c5a-3e520255ef7e

    Specifically for OAuth2 and SharePoint Servers, you can find the technical docs on implementation here: https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-sps2sauth/f80a09df-8e0e-434f-93bd-a348d52a8022

    Accessing the SharePoint Server API call you are referring to is going to be dependent on the SharePoint Server's OAuth Authentication. The technical doc provided above is a part of the same doc repo as the getCurrentUserInfo API call as it's a part of the openspec, so I would suggest making sure that your implementation follows the technical doc.

    GetCurrentUserInfo reference : https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-asws/d8bf93a5-69b4-4d3c-9154-d5bc1eaa542f
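
As an added example (not code from this thread): a small C++ helper for the check suggested in the answer above, decoding the token's claims locally and comparing `aud` and `scp` with the resource and scope the app expects. It only decodes and does not verify the signature; the sample token, the function names and the trailing-slash handling are assumptions made for the example.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Decode base64url (RFC 4648 section 5, padding optional), as used for JWT segments.
std::string b64url_decode(const std::string& in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    std::string out;
    unsigned acc = 0, bits = 0;
    for (char c : in) {
        if (c == '=') break;
        std::size_t v = tbl.find(c);
        if (v == std::string::npos) throw std::invalid_argument("not base64url");
        acc = (acc << 6) | static_cast<unsigned>(v);
        if ((bits += 6) >= 8) out.push_back(static_cast<char>((acc >> (bits -= 8)) & 0xFF));
    }
    return out;
}
// Return the claims JSON: the second of the three dot-separated JWT segments.
std::string jwt_claims(const std::string& jwt) {
    std::size_t a = jwt.find('.');
    std::size_t b = (a == std::string::npos) ? a : jwt.find('.', a + 1);
    if (b == std::string::npos) throw std::invalid_argument("not a JWT");
    return b64url_decode(jwt.substr(a + 1, b - a - 1));
}
// Minimal lookup of a string-valued claim in compact JSON; assumes no escaped quotes.
std::string claim(const std::string& json, const std::string& name) {
    std::size_t k = json.find("\"" + name + "\":");
    if (k == std::string::npos) return std::string();
    std::size_t q1 = json.find('"', k + name.size() + 3);
    std::size_t q2 = (q1 == std::string::npos) ? q1 : json.find('"', q1 + 1);
    return (q2 == std::string::npos) ? std::string() : json.substr(q1 + 1, q2 - q1 - 1);
}
// True when aud equals the requested resource (trailing '/' ignored) and scp lists scope.
bool token_fits(const std::string& jwt, const std::string& resource, const std::string& scope) {
    auto trim = [](std::string s) { while (!s.empty() && s.back() == '/') s.pop_back(); return s; };
    std::string json = jwt_claims(jwt);
    std::string scp = " " + claim(json, "scp") + " ";  // pad so only whole scope names match
    return trim(claim(json, "aud")) == trim(resource) && scp.find(" " + scope + " ") != std::string::npos;
}

// Constructed, unsigned sample. Claims: {"aud":"https://testorg.sharepoint.com/","scp":"AllSites.Manage MyFiles.Read"}
const std::string SAMPLE = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJodHRwczovL3Rlc3Rvcmcuc2hhcmVwb2ludC5jb20vIiwic2NwIjoiQWxsU2l0ZXMuTWFuYWdlIE15RmlsZXMuUmVhZCJ9."
    "c2ln";
int main() {
    std::cout << jwt_claims(SAMPLE) << "\n" << token_fits(SAMPLE, "https://testorg.sharepoint.com/", "AllSites.Manage") << "\n";
}
```

Running the same check on the real `access_token` before the first SOAP call separates a token issued for the wrong resource or without the expected scope from an endpoint that rejects a well-formed bearer token.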


  2. Michael Maillot 1 Reputation point MVP
    2020-11-13T15:51:25.21+00:00

    Hi Andrii,

    The problem is that in AAD Application Permission Context, you can't interact with a SharePoint site using the Client ID / Secret method. The only way is to use the Client ID / JWT Assertion method, which means by certificate.

    I've made an answer about that here.

    As you're working on C++, it looks like there's no MSAL for it at this time... So if you have to get a token through HTTPS requests, you have to construct the JWT Assertion.

    @Jeremy Thake gives links here about how stuff works and what you need to do in order to get your token.

    And beware if you get your token and want to update the SharePoint User Profile or update the Term Store: it won't work. To update the User Profile, you have to use the legacy SharePoint App-Only principal approach. But the update of the Term Store is not possible anyway. More info here.

    Hope that it helps.


  3. Holpar, Peter 1 Reputation point
    2021-06-05T22:13:23.51+00:00

    See this response regarding the same issue:
    Web Services - 401 UNAUTHORIZED

    Actually this is expected, because add-in auth uses OAuth and bearer tokens for authentication. Only modern REST API supports it. That's why all asmx services will throw an error.
    So for asmx you need the FedAuth cookie, which is generated only by username\password auth, which, in turn, doesn't work for you.
