SharePoint Online CSOM authentication type

Ilya Laschenko 31 Reputation points
2022-08-25T07:44:27.647+00:00

Hi all, I was looking through my product due to Basic Auth deprecation(ref https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

But I cannot find any proper information about authentication type used by CSOM library.

For example, if I write following code:

ICredentials creds = new SharePointOnlineCredentials((string)username, (SecureString)securePassword);  
  
var context = new ClientContext(url) { Credentials = creds };  

Which flow will context be using? Is it Basic auth or OAuth?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,610 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
2,665 questions
{count} votes

Accepted answer
  1. RaytheonXie_MSFT 30,996 Reputation points Microsoft Vendor
    2022-08-26T06:45:08.627+00:00

    Hi @Ilya Laschenko
    Per my research, CSOM authentication is based on basic authentication. Basic auth doesn’t support scoping or grading permissions, so every app which connects with the basic auth protocol, gains potential access to all data a certain user has access to. As the describetion in the document you provided

    Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

    The credential is stored in context and you always need to load it when get items from sharepoint by CSOM. So the CSOM authentication type is Basic Authentication.

    If you want to use authentication based on Oauth 2.0, I will recommend you to use SharePoint App-only using PnP Framework.

    string siteUrl = "https://contoso.sharepoint.com/sites/demo";  
    using (var cc = new AuthenticationManager().GetACSAppOnlyContext(siteUrl, "[Your Client ID]", "[Your Client Secret]"))  
    {  
        cc.Load(cc.Web, p => p.Title);  
        cc.ExecuteQuery();  
        Console.WriteLine(cc.Web.Title);  
    };  
    

    Here is the document for more details
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Peter Strong 10 Reputation points
    2023-01-16T02:57:20.34+00:00

    I think the answer to your question is neither :)

    It's actually using Cookie based auth where password is only sent once before receiving a cookie, as per:

    https://learn.microsoft.com/en-gb/sharepoint/authentication

    Basic auth is when username and password is sent every single request (this is not what CSOM does)

    OAuth is when you authenticate against a trusted authentication provider and receive an access token with an expiry that can be used for subsequent requests.

    Recommended approach is to create an Azure AD app, assign it the minimum permissions it requires and use its client app id and secret to get an access token.

    You could also authenticate via PnP if the PnP App is enabled in your tenancy (if using Powershell)

    1 person found this answer helpful.

  2. Peter Strong 10 Reputation points
    2023-01-18T00:06:36.21+00:00

    So to answer your original question - does the Basic Auth deprecation affect the authentication flow with SharePointOnlineCredentials? The answer is no it does not, however best to look for alternatives.

    See this article:

    https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/using-csom-for-dotnet-standard

    From the article in relation to the 'SharePointOnlineCredentials' class it basically says that if you're using .NetFramework then you can still use it, however for .Net Standard and .Net Core this is not available.

    I have verified this by testing 'SharePointOnlineCredentials' class in:

    .Net Console App (.Net Framework) - Works

    .Net Console App (.Net Core 3.1) - Does not work

    PowerShell (.Net Framework) - Works

    Also note that the 'SharePointOnlineCredentials' class does not appear to work if you go to SharePoint admin centre, Policies -> Access Control-> Apps that don't use modern authentication (https://<sharepoint tenancy name>_layouts/15/online/AdminHome.aspx#/accessControl/LegacyAuthentication) and set this to 'block access'

    So as at 18 Jan 2023 the following code works when in .Net Framework but not .Net Core (or .Net Standard) if the Legacy authentication is set to 'Allow Access':

    
                string siteUrl = "<your sharepoint site url>"
                string username = "<username>";
                string password = "<password>";
                var securePassword = new SecureString();
                foreach (char c in password.ToCharArray())
                {
                    securePassword.AppendChar(c);
                }
    
                var onlineCredentials = new Microsoft.SharePoint.Client.SharePointOnlineCredentials(username, securePassword);
    
                var clientContext = new ClientContext(siteUrl)
                {
                    Credentials = onlineCredentials
                };
          
                Web web = clientContext.Web;
                clientContext.Load(web);
                clientContext.ExecuteQuery();
                Console.WriteLine(web.Title);
    

    And the following powershell will also work (as it's .Net Framework) if the legacy authentication is set to 'Allow Access':

    $psCredential = Get-Credential
    $username = $psCredential.GetNetworkCredential().UserName
    $password = $psCredential.GetNetworkCredential().Password
    $securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
    Add-Type -LiteralPath ("<path to your CSOM assemblies>\Microsoft.SharePoint.Client.dll") -PassThru | out-null
    $context = New-Object -TypeName Microsoft.SharePoint.Client.ClientContext -ArgumentList ("<your sharepoint url>")
    $context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)
    $web = $context.Web
    $context.Load($web)
    $context.ExecuteQuery()
    $web.Title
    

    If you are working in multiple tenancies there is no guarantee that this setting will be on, so best bet is to go the app model going forward. The Azure AD App model is the recommended way, however the SharePoint app method will work and is a little easier to set up and you can do it as a SharePoint administrator:
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly

    1 person found this answer helpful.
    0 comments No comments