Skip to content

SharePoint Online addin only authentication

Zbyszek Tenerowicz edited this page Jun 23, 2020 · 2 revisions

This type of authentication uses addin only policy and OAuth bearer tokens for authenticating http requests.

Credentials options:

  • clientId - required string, client id obtained when registering the addin

  • clientSecret - required string, client secret obtained when registering the addin

  • realm - optional string, your SharePoint Online tenant id. You can leave it empty or fill in, that will add small (really small) performance improvement. The easiest way to find tenant is to open SharePoint Online site collection, click Site Settings -> Site App Permissions. Under this page you wll see at least one app "Microsoft.SharePoint". The tenant id (realm) is highlighted in the image below:

    realm

Example:

{
  clientId: '28bq7e56-8c3a-487d-hbfb-ef1a74539cbe',
  clientSecret: 's6LZ4VvoeKOS+MyAhklcavsyJBF4XhWo06OgY6czYJ0=',
  realm: '85e5f09b-4c17-4d80-afea-260bb171c456'
}

Resolving object:

{
  headers: {
     'Authorization': 'Bearer <token>'
   }
}

Configuration required:

For this authentication to work you need to register new addin inside SharePoint Online.
Steps:

  1. Open SharePoint Online app registration page, https://contoso.sharepoint.com/sites/dev/_layouts/15/appregnew.aspx

  2. Click on 'Generate' for Client id and Client Secret, fill in Title, App Domain, Redirect URI (you can type in any values you want)

    app reg new

  3. Click on 'Create' and save generated Client Id and Client Secret

  4. Now you need to apply permissions to the newly registered app. If you want to register the app once and use it for any site collection, it's better to apply tenant scope permissions, so you can use this credentials everywhere inside your SharePoint tenant. In order to apply tenant scoped permissions, open AppInv.aspx page under SharePoint adminstration web site, i.e. https://[organizaiton]-admin.sharepoint.com/_layouts/15/appinv.aspx, copy paste Client Id from step 3 into App Id field and click 'Lookup'.

  5. You will see your registerd app, paste in following xml into the 'Permission Request XML:' field and click 'Create' (note: tenant administrator rights required):

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>

    app permissions

  6. You will see addin 'Trust' confirmation, click on 'Trust It':

    app trust it

if trust-it button is not enabled and you get a red label saying tenant admin needs to trust the app, go back and try again in a few minutes.

  1. Now you can use client id and client secret to send authenticated http requests across your SharePoint tenant.

  2. If you don't have tenant administrator rights, you can register the app on regular site collection by using url https://contoso.sharepoint.com/sites/dev/_layouts/15/appinv.aspx. In this case you are not able to use tenant scoped permissions and can only apply site collection permissions:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    </AppPermissionRequests>

    You need to do that for every site collection you want to send http queries.

Sample using:

import * as spauth from 'node-sp-auth';
import * as request from 'request-promise';

spauth
  .getAuth('https://[organization].sharepoint.com/sites/dev/', {
    clientId: '28bd7e56-8c3a-487d-bbfb-ef1a74539cbe',
    clientSecret: '[your secret]',
    realm: '85e5f09b-4c17-4d80-afea-260bb171c456'
  })
  .then(data => {
    var headers = data.headers;
    headers['Accept'] = 'application/json;odata=verbose';

    request.get({
      url: 'https://[organization].sharepoint.com/sites/dev/_api/web',
      headers: headers,
      json: true
    }).then(response => {
      console.log(response.d.Title);
    });
  });