Context
We have a Logic App in our tenant that, triggered by the presence of certain files in our blob storage, must copy them to our customer's Sharepoint Online. It is basically a drop-folder for reciprocal data exchange (yes, we will be picking files from Sharepoint the next episode).
We have created a simple task in Azure Logic App to list SharePoint files. It is configured so that the site URL and the folder to scan are mapped from parameters at runtime.
{
  "inputs": {
    "host": {
      "connection": {
        "name": "@parameters('$connections')['sharepointonline_1']['connectionId']"
      }
    },
    "method": "get",
    "path": "/datasets/@{encodeURIComponent(encodeURIComponent(triggerBody()?['SiteAddress']))}/tables/@{encodeURIComponent(encodeURIComponent(triggerBody()?['LibraryName']))}/getfileitems",
    "queries": {
      "folderPath": "@triggerBody()?['FolderPath']",
      "viewScopeOption": "Default"
    }
  }
}
When we test this on our SharePoint Online (e.g. SiteUrl being https://contoso.sharepoint.com), it works with our API connection.
When we need to reach the customer's SharePoint, we will be pointing to something like https://acme.sharepoint.com, and the user in the API connection (user@contoso.com) is already authorized by the IT department of the foreign company as a guest user in AD Online to access SharePoint Online.
Problem
When we run the Logic App against the customer's SharePoint, it fails because of an authentication error.
Input parameters:
{
  "headers": {
    "Connection": "Keep-Alive",
    "Expect": "100-continue",
    "Host": "prod-238.westeurope.logic.azure.com",
    "Content-Length": "241",
    "Content-Type": "application/json"
  },
  "body": {
    "BlobPath": "/readme.txt",                        #blob storage pattern
    "SiteAddress": "https://acme.com/sites/example",
    "SiteRootFolder": "foo",                          #blob storage folder
    "LibraryName": "bar",                             #sharepoint library
    "FolderPath": "spam"                              #sharepoint folder
  }
}
Against these parameters (redacted), the outcome of the "Get Files (properties only)" step was: Unauthorized
Input:
{
  "method": "get",
  "queries": {
    "folderPath": "spam",
    "viewScopeOption": "Default"
  },
  "path": "/datasets/https%253A%252F%252Facme.sharepoint.com%252Fsites%252Fexample/tables/bar/getfileitems",
  "host": {
    "connection": {
      "name": "/subscriptions/0000000000000000000000/resourceGroups/example/providers/Microsoft.Web/connections/sharepointonline"
    }
  }
}
Output:
{
  "statusCode": 401,
  "headers": {
    "x-ms-diagnostics": "3000003;reason=\"Invalid audience Uri 'https://acme.sharepoint.com/'.\";category=\"invalid_client\"",
    "SPRequestGuid": "985ae0eb-e96a-4484-8f02-056c7718fa6f",
    "request-id": "985ae0eb-e96a-4484-8f02-056c7718fa6f",
    "MS-CV": "6+BamGrphESPAgVsdxj6bw.0",
    "Strict-Transport-Security": "max-age=31536000",
    "X-FRAME-OPTIONS": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com;",
    "SPRequestDuration": "12",
    "SPIisLatency": "1",
    "MicrosoftSharePointTeamServices": "16.0.0.21924",
    "X-Content-Type-Options": "nosniff",
    "X-MS-InvokeApp": "1; RequireReadOnly",
    "Timing-Allow-Origin": "*",
    "x-ms-apihub-cached-response": "false",
    "Cache-Control": "private",
    "Date": "Fri, 10 Dec 2021 11:02:29 GMT",
    "P3P": "CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"",
    "WWW-Authenticate": "Bearer realm=\"d9dbc877-29e4-4473-9855-d3db78ae431b\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b\",authorization_uri=\"https://login.windows.net/common/oauth2/authorize\"",
    "X-Powered-By": "ASP.NET",
    "Content-Length": "130",
    "Content-Type": "application/json"
  },
  "body": {
    "error_description": "Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
  }
}
Investigation
I have tried to read this question, but it looks like lower-level programming. We are using Azure Logic Apps that authenticate themselves independently; we are not coding in languages such as C# to manage the app authentication.
I have tried to read this post, but the front end is slightly changed, and we have triple-checked that the connection is correct and that user@contoso.com can access the ACME SharePoint.
It looks like, judging from the error, that the Azure Logic App tries to obtain a JWT token from Microsoft Online whose audience (aud) is https://acme.sharepoint.com, which should be correct, but SharePoint refuses it, claiming a bad audience.
In OAuth/JWT, it is normal for a resource service to reject tokens when audience does not match self.
Question
Why does Sharepoint Online refuse the authentication?
We have no visibility over the user configuration on the foreign side, but I would be glad to ask the correct questions to the other IT.
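As an added diagnostic (not part of the original question): the 401 response's WWW-Authenticate header carries the realm (tenant id) of the SharePoint tenant that rejected the token, while the decoded token shows the aud and tid it was issued with, so comparing the two is one concrete thing to put in front of the other IT. The script below parses the challenge from the post and checks it against a constructed, non-valid sample token; the contoso tenant id is a placeholder, the token is fabricated for the claim shape only, and the tid-versus-realm comparison is my assumption about what to look at, not something the post establishes.

```python
import base64
import json
import re
# Constructed sample: the Bearer challenge from the 401 above (values copied from the post).
WWW_AUTHENTICATE = (
    'Bearer realm="d9dbc877-29e4-4473-9855-d3db78ae431b",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*,https://sts.windows.net/*/",'
    'authorization_uri="https://login.windows.net/common/oauth2/authorize"'
)

def b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding (JWT segment encoding)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed token: placeholder contoso tenant id and a fake signature segment.
# Not a real or valid token; it only has the claim shape the diagnostic inspects.
CONTOSO_TID = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({"aud": "https://acme.sharepoint.com/", "tid": CONTOSO_TID,
            "iss": f"https://sts.windows.net/{CONTOSO_TID}/", "upn": "user@contoso.com"}),
    "not-a-real-signature",
])

def parse_www_authenticate(header: str) -> dict:
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unexpected scheme {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment only; a diagnostic view, not signature validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, resource: str, challenge: str) -> list:
    """Compare the token's aud/tid with the resource URL and the challenge realm."""
    claims, chal, findings = decode_jwt_claims(token), parse_www_authenticate(challenge), []
    aud = claims.get("aud", "")
    if aud.rstrip("/") != resource.rstrip("/"):
        findings.append(f"aud {aud!r} does not match resource {resource!r}")
    if claims.get("tid") and claims["tid"] != chal.get("realm"):
        findings.append(f"token tenant {claims['tid']} differs from resource realm {chal.get('realm')}")
    return findings
```

Running diagnose(SAMPLE_TOKEN, "https://acme.sharepoint.com", WWW_AUTHENTICATE) on the constructed input reports no aud mismatch but a tenant/realm mismatch, which is the shape of question worth raising with the foreign IT.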