SharePoint Online CSOM authentication type

Question

Hi all, I was looking through my product due to Basic Auth deprecation(ref https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

But I cannot find any proper information about authentication type used by CSOM library.

For example, if I write following code:

ICredentials creds = new SharePointOnlineCredentials((string)username, (SecureString)securePassword);  
  
var context = new ClientContext(url) { Credentials = creds };

Which flow will context be using? Is it Basic auth or OAuth?

Accepted Answer

Hi @Ilya Laschenko
Per my research, CSOM authentication is based on basic authentication. Basic auth doesn’t support scoping or grading permissions, so every app which connects with the basic auth protocol, gains potential access to all data a certain user has access to. As the describetion in the document you provided

Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

The credential is stored in context and you always need to load it when get items from sharepoint by CSOM. So the CSOM authentication type is Basic Authentication.

If you want to use authentication based on Oauth 2.0, I will recommend you to use SharePoint App-only using PnP Framework.

string siteUrl = "https://contoso.sharepoint.com/sites/demo";  
using (var cc = new AuthenticationManager().GetACSAppOnlyContext(siteUrl, "[Your Client ID]", "[Your Client Secret]"))  
{  
    cc.Load(cc.Web, p => p.Title);  
    cc.ExecuteQuery();  
    Console.WriteLine(cc.Web.Title);  
};

Here is the document for more details
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer

I think the answer to your question is neither :)

It's actually using Cookie based auth where password is only sent once before receiving a cookie, as per:

https://learn.microsoft.com/en-gb/sharepoint/authentication

Basic auth is when username and password is sent every single request (this is not what CSOM does)

OAuth is when you authenticate against a trusted authentication provider and receive an access token with an expiry that can be used for subsequent requests.

Recommended approach is to create an Azure AD app, assign it the minimum permissions it requires and use its client app id and secret to get an access token.

You could also authenticate via PnP if the PnP App is enabled in your tenancy (if using Powershell)

Answer

So to answer your original question - does the Basic Auth deprecation affect the authentication flow with SharePointOnlineCredentials? The answer is no it does not, however best to look for alternatives.

See this article:

https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/using-csom-for-dotnet-standard

From the article in relation to the 'SharePointOnlineCredentials' class it basically says that if you're using .NetFramework then you can still use it, however for .Net Standard and .Net Core this is not available.

I have verified this by testing 'SharePointOnlineCredentials' class in:

.Net Console App (.Net Framework) - Works

.Net Console App (.Net Core 3.1) - Does not work

PowerShell (.Net Framework) - Works

Also note that the 'SharePointOnlineCredentials' class does not appear to work if you go to SharePoint admin centre, Policies -> Access Control-> Apps that don't use modern authentication (https://_layouts/15/online/AdminHome.aspx#/accessControl/LegacyAuthentication) and set this to 'block access'

So as at 18 Jan 2023 the following code works when in .Net Framework but not .Net Core (or .Net Standard) if the Legacy authentication is set to 'Allow Access':


            string siteUrl = ""
            string username = "";
            string password = "";
            var securePassword = new SecureString();
            foreach (char c in password.ToCharArray())
            {
                securePassword.AppendChar(c);
            }

            var onlineCredentials = new Microsoft.SharePoint.Client.SharePointOnlineCredentials(username, securePassword);

            var clientContext = new ClientContext(siteUrl)
            {
                Credentials = onlineCredentials
            };
      
            Web web = clientContext.Web;
            clientContext.Load(web);
            clientContext.ExecuteQuery();
            Console.WriteLine(web.Title);

And the following powershell will also work (as it's .Net Framework) if the legacy authentication is set to 'Allow Access':

$psCredential = Get-Credential
$username = $psCredential.GetNetworkCredential().UserName
$password = $psCredential.GetNetworkCredential().Password
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
Add-Type -LiteralPath ("\Microsoft.SharePoint.Client.dll") -PassThru | out-null
$context = New-Object -TypeName Microsoft.SharePoint.Client.ClientContext -ArgumentList ("")
$context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)
$web = $context.Web
$context.Load($web)
$context.ExecuteQuery()
$web.Title

If you are working in multiple tenancies there is no guarantee that this setting will be on, so best bet is to go the app model going forward. The Azure AD App model is the recommended way, however the SharePoint app method will work and is a little easier to set up and you can do it as a SharePoint administrator:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly

Share via

SharePoint Online CSOM authentication type

2 additional answers