SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.

Microsoft supports OpenID Connect, an identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines the flows by which a client obtains an access token, and that access token is what grants access to protected resources; OpenID Connect adds the id_token, which tells your application who signed in. This article covers the explicit (authorization code) flow of authentication with Office 365 from a web application: because the sign-in request asks for both an id_token and a code, it is the OpenID Connect hybrid variant of that flow, in which the web application sends the user to Azure AD, receives an id_token and an authorization code at its callback, and then exchanges the code for an access token on the server side. It is the right choice when Office 365 authentication is needed inside a server-side web application, for example one that calls the Graph APIs or the SharePoint REST API.

Register AD app with your AD Tenant

To begin, register an application with your Azure Active Directory tenant. Azure AD assigns it an Application ID (the client_id in the requests below), which your web application presents in order to obtain the id_token, the authorization code and the access_token.

1. Log in to the Azure Portal

2. Choose your Azure AD tenant (you can pick it from the top right corner of the page)

3. Click on App Registrations

4. Select the application type Web app/API

5. Provide the Sign-on URL (the base URL of your web application), e.g. https://www.myweb.com

6. Once you have completed the registration, Azure AD assigns an Application ID to your application; copy it and keep it for later use.

After registering the app, set the Reply URL at which it will receive tokens from Azure AD.

Set the Reply URL to receive the tokens

To receive the tokens and other details from Azure AD, you have to set up a callback URL (endpoint) in your web application; Azure AD delivers the tokens to this endpoint. Register it as a Reply URL of the app:

  1. Click on Settings and, under GENERAL, click on Reply URLs
  2. Paste your callback URL, e.g. https://www.myweb.com/callback

Use an HTTPS URL: Azure AD requires https for web reply URLs other than localhost, and a callback over plain http would expose the id_token and the code on the wire. The redirect_uri in every sign-in and token request must match a registered Reply URL exactly, otherwise Azure AD refuses the request. Since Azure AD only ever sends tokens to registered Reply URLs, keep this list tight: an unused or overly broad entry is exactly what an attacker needs to have tokens delivered somewhere else.

Set required permissions

To access protected resources, your application needs the required permissions assigned:

  1. Go to the Required permissions property
  2. Select the required APIs from Settings -> Required permissions -> Click on Add -> Select an API
  3. Now assign permissions for the selected API
  4. Select the desired permissions: APPLICATION PERMISSIONS or DELEGATED PERMISSIONS
  5. Click on Save

Note that certain permissions can only be consented to by an administrator. For the user sign-in flow described in this article, delegated permissions are the right choice: the app acts on behalf of the signed-in user and can do no more than that user is allowed to do. Application permissions give the app itself access to the resource without any user present, so request them only when you actually need unattended (daemon-style) access.

Generate client keys/password

After granting the required permissions, you need a key, also called the client_secret, with which your web application proves its identity to Azure AD when it exchanges the authorization code for tokens.

To generate the key, follow the steps below:

  1. Type a name for the key in the Description field
  2. Set the Expires duration and click on Save
  3. Once you have saved, the key value is displayed; copy it and store it in a secure location, because it is shown only once.

The client_secret must stay on the server (in a secrets store or protected configuration, never in source control or in code shipped to the browser): anyone holding it together with the Application ID can obtain tokens as your application.

Authentication flow using OpenID Connect

Send the sign-in request

When a web application needs to authenticate the user, it must redirect the user's browser to the /authorize endpoint. The request needs a few parameters:

  1. The request must include scope=openid
  2. The response type parameter is response_type=id_token+code (an id_token and an authorization code are returned together)
  3. The request must include the nonce parameter with a random value; the same value comes back inside the id_token, which is how the application ties the token to this sign-in request and detects replay. Generate state the same way (unpredictable, one per sign-in attempt) and keep both values in the user's session until the callback arrives.

The sample request will look like this (one parameter per line for readability):

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<application id>
&response_type=id_token+code
&redirect_uri=https://mysampleapp.com/callback
&response_mode=form_post
&scope=openid
&state=<Random value>
&nonce=<Random value>

Because of response_mode=form_post, Azure AD delivers the result as an HTTP POST to your callback URL, with the following parameters in the form body (not in the request headers):

  • id_token
  • code
  • state

Before doing anything with them, the callback must check that state equals the value stored in the session (otherwise the response was not started by this user and must be discarded) and must validate the id_token: verify its signature against the tenant's published signing keys, and check the issuer, the audience (your Application ID), the expiry and the nonce. Only then is the user authenticated, and only then should the code be exchanged.
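The sign-in request and the callback checks above, worked as a runnable example in Go. This is added illustration code, not code from the article or from Microsoft: it builds the /authorize URL with CSPRNG state and nonce, then verifies a form_post callback the way a server-side handler should (state, RS256 signature, issuer, audience, expiry, nonce). Because it runs offline, MintIDToken stands in for Azure AD with a freshly generated RSA key; the tenant name, tenant id and application id used with it are placeholders, and the claim set is reduced to what is checked. A real application obtains the public keys from the tenant's JWKS document instead of receiving them from the token minter.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Claims models the id_token claims checked below (Azure AD also sends tid, upn, ...).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding

// BuildAuthorizeURL builds the article's sign-in request with fresh CSPRNG state and nonce
// values, which the app must keep server-side (session) until the callback arrives.
func BuildAuthorizeURL(tenant, clientID, redirectURI string) (authURL, state, nonce string) {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	state, nonce = b64.EncodeToString(buf[:32]), b64.EncodeToString(buf[32:])
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "id_token code") // appears on the wire as id_token+code
	q.Set("redirect_uri", redirectURI)
	q.Set("response_mode", "form_post")
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("nonce", nonce)
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/authorize?" + q.Encode(), state, nonce
}

// MintIDToken is a constructed stand-in for Azure AD so the example runs offline: it signs the
// claims with a fresh RSA key and returns the token plus the matching public key (a real app
// fetches the public keys from the tenant's JWKS endpoint and picks the one named by "kid").
func MintIDToken(c Claims) (string, *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig), &key.PublicKey
}

// VerifyCallback is what the form_post handler runs: state first (CSRF), then the id_token's
// signature (RS256 pinned), issuer, audience, expiry and nonce. On any failure no session is
// created and the authorization code that arrived with the token must not be exchanged.
func VerifyCallback(form url.Values, wantState, wantNonce string, pub *rsa.PublicKey, tenantID, clientID string, now time.Time) (*Claims, error) {
	if s := form.Get("state"); s == "" || s != wantState {
		return nil, errors.New("state mismatch: callback was not started by this session")
	}
	parts := strings.Split(form.Get("id_token"), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed id_token")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	bodyRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("id_token is not valid base64url")
	}
	var hdr map[string]string
	json.Unmarshal(hdrRaw, &hdr) // untrusted: the algorithm is pinned below, never taken from the token
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if hdr["alg"] != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("id_token alg is not RS256 or signature is invalid")
	}
	var c Claims // claims are trusted only after the signature check above
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	if c.Iss != "https://sts.windows.net/"+tenantID+"/" || c.Aud != clientID { // v1 issuer form
		return nil, errors.New("id_token not issued by the expected tenant to this application")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("id_token has expired")
	}
	if c.Nonce == "" || c.Nonce != wantNonce {
		return nil, errors.New("nonce mismatch: replayed or foreign id_token")
	}
	return &c, nil
}
```

The order of the checks matters: state is compared before the token is even parsed, the algorithm is pinned rather than read from the header (so an alg=none or HMAC-signed forgery is rejected before any claim is looked at), and the claims are only decoded after the signature has been verified.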

Wait, you are not done here; to get access tokens you need to call another endpoint.

Get the access tokens


To get the access token, send a request to the /token endpoint. Unlike the sign-in request this is an HTTP POST with a form-encoded body (the client_secret and the code must never travel in a URL, where they end up in browser history and server logs), and it carries the code you received at the callback:

POST https://login.windows.net/tmaasindia.com/oauth2/token?api-version=1.0
Content-Type: application/x-www-form-urlencoded

client_id=<Your registered Application Id>
&client_secret=<Your secret key saved earlier>
&grant_type=authorization_code
&code=<The code received at the callback>
&redirect_uri=https://mysampleapp.com/callback
&resource=https://service.contoso.com/

The redirect_uri must be the same value that was used in the sign-in request. The resource parameter names the API the access token is meant for, for example https://graph.microsoft.com or your SharePoint tenant URL; the response_mode, scope, state and nonce parameters belong to the sign-in request and are not parameters of the token endpoint.

On success, the response body is a JSON document like the one below:

{
  "access_token": "",
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "",
  "resource": "https://service.contoso.com/",
  "refresh_token": "",
  "scope": "AllSites.Manage AllSites.Write MyFiles.Read",
  "id_token": ""
}

The access_token is what you send to the Office 365 REST API endpoints, in the Authorization: Bearer <access_token> header of each request. Keep the access_token and the refresh_token on the server, tied to the user's session, and never hand the refresh_token to the browser: it is long-lived, and whoever holds it can mint new access tokens.

Refresh the access tokens

If the access_token has expired or is otherwise invalid, obtain a new one from the same /token endpoint with grant_type=refresh_token and the refresh_token you received earlier. The response carries a new access token and, normally, a new refresh token that replaces the old one; store it in place of the previous value.

POST https://login.windows.net/tmaasindia.com/oauth2/token?api-version=1.0
Content-Type: application/x-www-form-urlencoded

client_id=<Your registered Application Id>
&client_secret=<Your secret key saved earlier>
&grant_type=refresh_token
&refresh_token=<The refresh_token you received earlier>
&resource=https://service.contoso.com/

On success, the response body is again a JSON document:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "",
  "resource": "https://service.contoso.com/",
  "access_token": "",
  "refresh_token": ""
}
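Both token requests, the code exchange from "Get the access tokens" and the refresh above, as one added example in Go (illustration code, not the article's or Microsoft's). It sends the form-encoded POST a confidential client must use, parses the v1 response (string-typed expires_in and expires_on included), decides when to refresh, and includes a constructed stand-in for the Azure AD token endpoint, FakeTokenEndpoint, that runs on loopback via httptest so the exchange can be exercised without a tenant; the code values, the secret and the token strings it returns are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"time"
)

// TokenResponse mirrors the JSON body of the v1 token endpoint; note that expires_in and
// expires_on arrive as strings, not numbers.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    string `json:"expires_in"`
	ExpiresOn    string `json:"expires_on"`
	Resource     string `json:"resource"`
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope"`
}

// TokenClient is the confidential client; ClientSecret lives only on the server.
type TokenClient struct{ TokenURL, ClientID, ClientSecret, RedirectURI string }

// post sends the form-encoded POST the token endpoint expects (never a GET, which would put
// the secret and the code into URLs and access logs) and accepts only a Bearer token reply.
func (c *TokenClient) post(form url.Values) (*TokenResponse, error) {
	form.Set("client_id", c.ClientID)
	form.Set("client_secret", c.ClientSecret)
	resp, err := http.PostForm(c.TokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.TokenType != "Bearer" || tr.AccessToken == "" {
		return nil, fmt.Errorf("unexpected token response")
	}
	return &tr, nil
}

// ExchangeCode redeems the callback's authorization code ("Get the access tokens");
// redirect_uri must repeat the value used at /authorize or Azure AD rejects the grant.
func (c *TokenClient) ExchangeCode(code, resource string) (*TokenResponse, error) {
	return c.post(url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {c.RedirectURI}, "resource": {resource}})
}

// Refresh trades a refresh_token for a new access token ("Refresh the access tokens").
func (c *TokenClient) Refresh(refreshToken, resource string) (*TokenResponse, error) {
	return c.post(url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}, "resource": {resource}})
}

// NeedsRefresh is the check to run before each API call; it refreshes a minute early for clock skew.
func NeedsRefresh(tr *TokenResponse, now time.Time) bool {
	expiresOn, err := strconv.ParseInt(tr.ExpiresOn, 10, 64)
	return err != nil || now.Add(time.Minute).Unix() >= expiresOn
}

// FakeTokenEndpoint is a constructed stand-in for the Azure AD token endpoint so the example
// runs offline; it enforces the checks the real endpoint makes on these two grant types.
func FakeTokenEndpoint(clientID, secret, redirectURI, validCode, validRefresh string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		f := r.PostForm
		if f.Get("client_id") != clientID || f.Get("client_secret") != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		switch f.Get("grant_type") {
		case "authorization_code":
			if f.Get("code") != validCode || f.Get("redirect_uri") != redirectURI {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
		case "refresh_token":
			if f.Get("refresh_token") != validRefresh {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
				return
			}
		default:
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: "access-via-" + f.Get("grant_type"), TokenType: "Bearer",
			ExpiresIn: "3599", ExpiresOn: strconv.FormatInt(time.Now().Add(time.Hour).Unix(), 10),
			Resource: f.Get("resource"), RefreshToken: "refresh-2", Scope: "AllSites.Manage MyFiles.Read"})
	}))
}
```

Against the fake endpoint, TokenURL is the test server's URL; against Azure AD it is the /token URL shown above, and nothing else in the client changes. The fake rejects a GET, a wrong client_secret, an unknown code or refresh_token and a redirect_uri that differs from the registered one, which is the behaviour to expect from the real endpoint when one of those parameters is wrong.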

Send a sign-out request

To sign the user out of the app, redirect the browser to the end_session_endpoint and, at the same time, clear your application's own session. If only the application session is cleared and the user is not signed out of Azure AD, the Azure AD session cookie still exists and the user can re-authenticate to your app without re-entering credentials.

GET https://login.microsoftonline.com/common/oauth2/logout?
post_logout_redirect_uri=https://mysampleapp.com

Conclusion

This covered only part of OpenID Connect and OAuth 2.0; there is much more to describe and talk about. In the next blog I will share the implicit flow and the explicit flow with working examples.


Sunil Soni

Mobile App Developer

Advaiya Solutions Inc

Udaipur, Rajasthan, India


Posted by Advaiya
