
I'm trying to build an SPFx app that uses a different user than the logged-in user to access lists and libraries. The logged-in user won't have permission to access the lists directly, only via the app. But I can't find a way to initialize sp for a user other than the currently logged-in user.

The standard method just gives me the logged-in user:

sp.setup({
    spfxContext: this.context
});

The setup method for Node.js looks promising but won't work within an SPFx app:

sp.setup({
    sp: {
        fetchClientFactory: () => {
            return new SPFetchClient("{your site url}", "{your client id}", "{your client secret}");
        },
    },
});

I also tried calling SharePoint via MSAL:

sp.setup({
    sp: {
        fetchClientFactory: MsalClientSetup({
            auth: {
                authority: "https://login.microsoftonline.com/mytentant.onmicrosoft.com",
                clientId: "00000000-0000-0000-0000-000000000000",
                redirectUri: "https://mytentant.sharepoint.com/sites/dev/SitePages/test.aspx",
            },
        }, ["https://mytentant.sharepoint.com/.default"]),
    },
});

But as soon as I access sp I get this error:

Unhandled Rejection (Error): You must supply absolute urls to MsalClient.fetch.

Also, I don't see any option to provide the client secret in this MSAL logic.

I hope somebody can point me in the right direction. Thanks in advance!

Romano Zumbé
  • Wouldn't this mean that anybody can act as that "another user"? I mean, it looks like you want to give everyone access to your lists... does that sound reasonable? MSAL assumes that you log in as that different user, or? I mean, the user should specify username/password/TAC to log in. – Nikolay Dec 16 '20 at 23:21
  • Yes, while using the SPFx web part everybody with access to it would act as that user. But they wouldn't be able to access the list directly, only via the web part, which is exactly the idea – Romano Zumbé Dec 17 '20 at 07:38
  • I think this is a "security through obscurity" idea. The web part runs in the user's browser, so users can do whatever they want there, tweaking the requests. To have ANY security you need server-side code (consider an Azure Function, for example). – Nikolay Dec 17 '20 at 11:50
  • That sounds about right! I will look into Azure functions. Thank you! – Romano Zumbé Dec 18 '20 at 12:38

0 Answers
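The server-side approach suggested in the comments, as an added example that is not code from the thread: the web part sends only `{list, op, itemId}` to a function app, which authorizes the already-validated caller against an allow-list and builds the SharePoint REST request itself, so the secret and the URL never reach the browser. The site URL, group ids, list title, `POLICY` and the injected `spFetch` client are all assumptions made for illustration.

```javascript
// Added example. SITE_URL, POLICY, group ids and list titles are constructed values.
const SITE_URL = "https://contoso.sharepoint.com/sites/dev"; // placeholder tenant

// Which caller groups may perform which operation on which list.
// Anything not listed here is denied.
const POLICY = {
  "Orders": { read: ["grp-sales", "grp-admins"], add: ["grp-admins"] },
};

// Decide whether the validated caller may perform `op` on `list`.
function authorize(claims, list, op) {
  const rule = Object.prototype.hasOwnProperty.call(POLICY, list) ? POLICY[list] : null;
  if (!rule || !Array.isArray(rule[op])) return false; // unknown list or operation
  return (claims.groups || []).some((g) => rule[op].includes(g));
}

// Build the SharePoint REST call on the server. `list` is only ever a POLICY key
// here, so the browser cannot smuggle its own URL or OData query into the request.
function buildSpRequest(list, op, itemId) {
  const base = `${SITE_URL}/_api/web/lists/getbytitle('${list}')/items`;
  if (op === "read") {
    if (itemId === undefined) return { method: "GET", url: base };
    if (!Number.isInteger(itemId) || itemId < 1) return null; // reject non-numeric ids
    return { method: "GET", url: `${base}(${itemId})` };
  }
  if (op === "add") return { method: "POST", url: base };
  return null;
}

// `claims` must come from a bearer token whose signature, issuer and audience the
// host has already validated. `spFetch` is the app-only SharePoint client that
// holds the client secret; it is injected and exists only on the server.
async function handle(claims, body, spFetch) {
  const { list, op, itemId } = body || {};
  if (typeof list !== "string" || typeof op !== "string") return { status: 400 };
  if (!authorize(claims, list, op)) return { status: 403 };
  const req = buildSpRequest(list, op, itemId);
  if (!req) return { status: 400 };
  return { status: 200, data: await spFetch(req) };
}
```
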