
We have been trying to make requests to sharepoint using CSOM/REST Authentication Bearer header requests with a token. It is related to this question below:

C# CSOM Sharepoint Bearer request from azure active directory

There is only one link/example that works; all others, including the Android ADAL approach, don't work.

https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/

They don't seem to return as long a token. When we look at the token in a JWT parser, we can see that the scp value is different: the one that fails has user_impersonation, but the working one has AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write. The aud URL is also different. Are one or both of these the problem, and how do I get it working?

This is the one that fails:

{
  "aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "scp": "user_impersonation",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}

This is the one that works:

{
  "aud": "https://srmukdev.sharepoint.com/",
  "iss": "...",
  "iat": ...,
  "nbf": ...,
  "exp": ...,
  "acr": "...",
  "aio": "...",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "...",
  "appid": "...",
  "appidacr": "0",
  "e_exp": ...,
  "family_name": "...",
  "given_name": "...",
  "ipaddr": "...",
  "name": "...",
  "oid": "...",
  "onprem_sid": "...",
  "platf": "3",
  "puid": "...",
  "scp": "AllSites.Manage AllSites.Read AllSites.Write MyFiles.Read MyFiles.Write",
  "sub": "...",
  "tid": "...",
  "unique_name": "...",
  "upn": "...",
  "ver": "1.0"
}
Andrew

1 Answer

The access token is for a specific resource, which you can check via its aud claim. The first token is used for authentication to your custom resource.

To get the token for the specific resource, we can use the parameter resource to specify which resource we want to request for the token. For example, if I want to get the token for the Microsoft Graph resource, we can construct the request like below:

POST /{tenant}/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

If you want to acquire the access token for https://srmukdev.sharepoint.com/, you need to set the value of the resource parameter to https://srmukdev.sharepoint.com/ in the request, according to the flow you are using.

For more detail about the flows Azure AD supports to acquire an access token, you can refer to the link below:

Azure Active Directory Authentication Protocols

Fei Xue
  • Hi Fei Xue, yes that was the problem, the resource name was what needed to change. I can now get access using the bearer token, but I don't seem to be able to get the user profile properties using the GetUserProfilePropertiesFor method; I will raise that as another question. Many thanks – Andrew Jul 28 '17 at 12:27
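The two things this thread turns on, comparing the aud and scp claims of a token against the resource you are about to call (the question) and putting the right resource value into the token request (the answer), can be checked in code before a request ever reaches SharePoint. The following Python is an added example written for this page, not code from the question, the answer or any Microsoft library. It decodes a JWT payload locally without verifying the signature (the same thing the JWT parser in the question does; SharePoint, not this script, is what validates the token), flags a token whose aud is not the SharePoint tenant URL or whose scp carries no SharePoint permission, and builds the form body for the v1 authorization-code grant with the resource parameter set. The sample tokens are constructed from the redacted claims shown above, the signature segment is a placeholder, and the AllSites./MyFiles. prefixes used for the scope check are only the ones that appear on this page.

```python
import base64
import json
from urllib.parse import urlencode

# The SharePoint resource from the working token in the question.
SHAREPOINT_RESOURCE = "https://srmukdev.sharepoint.com/"

# Delegated permission prefixes seen in the working token on this page.
# Assumption: any other SharePoint scope families are out of scope here.
SHAREPOINT_SCOPE_PREFIXES = ("AllSites.", "MyFiles.")


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT for local inspection.

    No signature check is done here; the resource server performs that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_resource(claims: dict, resource: str) -> bool:
    """True if the token's aud names `resource` (trailing slash and case ignored)."""
    aud = claims.get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    wanted = resource.rstrip("/").lower()
    return any(str(a).rstrip("/").lower() == wanted for a in auds)


def diagnose_token(token: str, resource: str) -> list:
    """Return a list of reasons this token will be rejected by `resource`.

    An empty list means the aud and scp claims look right for SharePoint.
    """
    claims = decode_jwt_claims(token)
    problems = []
    if not token_matches_resource(claims, resource):
        problems.append(
            f"aud is {claims.get('aud')!r} but the call targets {resource!r}; "
            f"request the token with resource={resource}"
        )
    scopes = set(str(claims.get("scp", "")).split())
    if not any(s.startswith(SHAREPOINT_SCOPE_PREFIXES) for s in scopes):
        problems.append(
            f"scp {sorted(scopes)} contains no SharePoint permission "
            f"(expected scopes such as AllSites.Read or MyFiles.Read)"
        )
    return problems


def build_token_request_body(client_id: str, code: str, redirect_uri: str,
                             client_secret: str, resource: str) -> str:
    """Form-encode the v1 authorization-code grant body from the answer,
    with `resource` set to the API the token must be issued for."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "client_secret": client_secret,
    })


def make_unsigned_test_jwt(claims: dict) -> str:
    """Constructed test helper: a JWT-shaped string with a placeholder signature."""
    def segment(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([segment({"alg": "RS256", "typ": "JWT"}),
                     segment(claims), "placeholder-signature"])


# Constructed from the redacted claims in the question (other claims omitted).
FAILING_CLAIMS = {"aud": "https://srmukdev.onmicrosoft.com/3Squared-Api-Test",
                  "scp": "user_impersonation", "ver": "1.0"}
WORKING_CLAIMS = {"aud": "https://srmukdev.sharepoint.com/",
                  "scp": "AllSites.Manage AllSites.Read AllSites.Write "
                         "MyFiles.Read MyFiles.Write", "ver": "1.0"}

if __name__ == "__main__":
    for label, claims in (("failing", FAILING_CLAIMS), ("working", WORKING_CLAIMS)):
        token = make_unsigned_test_jwt(claims)
        print(label, diagnose_token(token, SHAREPOINT_RESOURCE) or "looks right")
    # Placeholder client values; the real ones come from your app registration.
    print(build_token_request_body("<client-id>", "<auth-code>",
                                   "https://localhost/myapp/", "<secret>",
                                   SHAREPOINT_RESOURCE))
```

Run it and the failing token reports both the aud mismatch and the missing SharePoint scope, while the working token passes; the printed form body shows the resource value percent-encoded exactly as in the answer's example. Doing this check client-side turns a bare 401 from SharePoint into a message that says which claim is wrong and which resource value to request instead.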