SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.
Microsoft supports OpenID Connect on top of the OAuth 2.0 protocol. OAuth 2.0 defines the flow for obtaining the access token with which protected resources can be accessed; OpenID Connect adds the identity layer (the id_token) on top of it. This post walks through the explicit (authorization code) flow of authenticating against Office 365 from a web application. OpenID Connect is a good fit whenever Office 365 authentication is needed inside a web application. Let's consider a use case where we need to integrate Office 365 libraries such as the Graph APIs or SharePoint.
Register AD app with your AD Tenant
To begin with the authentication process, first create an Azure AD app in your Azure Active Directory tenant. The registration assigns you the Application ID that you will use to obtain the id_token, the authorization code and the access_token.
1. Login to Azure Portal
2. Choose your Azure AD Tenant (you can pick from the top right corner of the page)
3. Click on App Registration
4. Provide the desired name of the application.
5. Select the application type as Web app/API.
6. Provide the Sign-on URL (the base URL of your web application), e.g. https://www.myweb.com
7. Once you have completed the registration, Azure AD assigns the Application ID to your application; copy it and save it for future use.
After registering the AD App, now set the Reply URL to receive tokens from Azure AD app.
Set the Reply URL to receive the tokens
To receive the tokens and other details from Azure AD, you need to set up a callback URL/endpoint. Azure AD will post the tokens to this endpoint of your web application. To set up the Reply URL/callback endpoint, click on Reply URLs and add a new one:
- Click on Settings and, under GENERAL, click on Reply URLs
- Paste your web app callback URL.
Set Required permissions
To access the protected resources, you need to assign the required permissions to the app.
- Go to the Required permissions property
- Select the required APIs from Settings -> Required permissions -> Click on Add -> Select an API
- Now assign permissions for the selected APIs
- Select the desired permission type: APPLICATION PERMISSIONS or DELEGATED PERMISSIONS
- Click on Save
Note that there are certain permissions that are assigned by the administrator only.
Generate Client Keys/Password
After granting the required permissions, you will need a key, also called the client_secret.
To generate the key, follow the steps below:
- Type the name of the key in the Description
- Set the Expires duration and click on Save
- Once the key is saved, its value is displayed; copy it and store it in a secure location, because it is shown only once.
Authentication flow using OpenID Connect
Send the sign-in request
When a web application needs to authenticate the user, it must redirect the user to the /authorize endpoint. The request needs a few parameters:
- The request must include scope=openid
- The response type parameter will be response_type=id_token+code
- The request must include the nonce parameter with a random value (it is echoed back inside the id_token so the app can confirm the token belongs to this sign-in request)
The sample request will look like this:
GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<application id>
&response_type=id_token+code
&redirect_uri=http://mysampleapp.com/callback
&response_mode=form_post
&scope=openid
&state=12345
&nonce=<Random value>
In the request header of your callback, you will receive these parameters:
- id_token
- code
- state
Wait, you are not done here; to get access tokens you need to call another endpoint.
Get the access tokens
To get the access token, you need to modify the sign-in request above and send it to the /token endpoint, passing the authorization code you just received. The token endpoint expects a POST with the parameters in the form body (the client_secret must never be put in a query string):
POST https://login.windows.net/tmaasindia.com/oauth2/token?api-version=1.0
client_id=<Your registered Application Id>
&client_secret=<Your secret key saved earlier>
&grant_type=authorization_code
&code=<The code received at your callback>
&redirect_uri=http://mysampleapp.com/callback
&response_mode=form_post
&scope=openid
&resource=https://service.contoso.com/
&state=12345
&nonce=678910
On a successful response, you will get the parameters mentioned below:
{
“access_token”: “”,
“token_type”: “Bearer”,
“expires_in”: “3600”,
“expires_on”: “”,
“resource”: “https://service.contoso.com/”,
“refresh_token”: “”,
“scope”: “AllSites.Manage AllSites.Write MyFiles.Read”,
“id_token”: “”
}
On a successful response, the access token and refresh token are handed to your callback; with the access token you can then send requests to the Office 365 REST API endpoints (as a Bearer token in the Authorization header).
Refresh the access tokens
When the access_token has expired or is invalid, you can refresh it through the same /token endpoint: set grant_type=refresh_token and add the refresh_token parameter to your request, and the response will contain a new access token.
POST https://login.windows.net/tmaasindia.com/oauth2/token?api-version=1.0
client_id=<Your registered Application Id>
&client_secret=<Your secret key saved earlier>
&grant_type=refresh_token
&redirect_uri=http://mysampleapp.com/callback
&response_mode=form_post
&scope=openid
&refresh_token=<The refresh_token you received earlier>
&resource=https://service.contoso.com/
&state=12345
&nonce=678910
On a successful response, you will get the parameters mentioned below:
{
“token_type”: “Bearer”,
“expires_in”: “3600”,
“expires_on”: “”,
“resource”: “https://service.contoso.com/”,
“access_token”: “”,
“refresh_token”: “”
}
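The sign-in request, the callback handling, the code-for-token exchange and the refresh request described above, put together as an added example. This is not code from the original post; it is a small Python module that builds the requests and checks the callback the way a web application should. The tenant name, application id, secret, resource URL, the id_token and the token-endpoint response are all constructed placeholders; the actual HTTP calls are left to whatever client your app uses, so the module runs offline. Note that the id_token signature is not verified here: a real application must validate the signature against the tenant's signing keys and check the issuer, audience and expiry before trusting any claim.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Endpoints from the post; {tenant} is filled in per call.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token?api-version=1.0"


def new_session():
    """Values stored server-side before redirecting the browser.
    state ties the callback to this session (CSRF defence); nonce ties the
    id_token to this particular sign-in request (replay defence)."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_signin_url(tenant, client_id, redirect_uri, session):
    """The /authorize request: response_type=id_token+code, scope=openid."""
    params = {
        "client_id": client_id,
        "response_type": "id_token code",   # urlencode renders this as id_token+code
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Decode the JWT payload only. Signature, iss, aud and exp are NOT
    checked here; a production app must verify them against the tenant's JWKS."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def handle_callback(form_body, session):
    """Process the form_post Azure AD sends to the Reply URL.
    Returns (authorization_code, claims); raises if state or nonce do not match."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    if not secrets.compare_digest(fields.get("state", ""), session["state"]):
        raise ValueError("state mismatch: callback is not bound to this session")
    claims = id_token_claims(fields["id_token"])
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return fields["code"], claims


def token_request(tenant, client_id, client_secret, redirect_uri, resource,
                  code=None, refresh_token=None):
    """Build the POST to /token. All parameters, the client_secret included,
    go in the form body, never in the query string."""
    form = {"client_id": client_id, "client_secret": client_secret, "resource": resource}
    if code is not None:
        form.update(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)
    elif refresh_token is not None:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need either an authorization code or a refresh token")
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def parse_token_response(body):
    """Parse the JSON body returned by /token and surface OAuth errors."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], data.get("refresh_token"), int(data["expires_in"])


# --- constructed sample data so the module runs stand-alone (no real tenant or app) ---
def make_unsigned_id_token(claims):
    """Constructed id_token with an empty signature segment, for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": "3600", "resource": "https://service.contoso.com/",
    "access_token": "constructed-access-token", "refresh_token": "constructed-refresh-token",
})


def demo():
    """Walk the whole flow with constructed values and return what each step produced."""
    tenant, app, secret, cb = "contoso.example", "app-id", "app-secret", "https://mysampleapp.com/callback"
    session = {"state": "12345", "nonce": "678910"}          # normally new_session()
    url = build_signin_url(tenant, app, cb, session)
    callback_body = urlencode({                                # what Azure AD would POST back
        "id_token": make_unsigned_id_token({"nonce": "678910", "sub": "user-1"}),
        "code": "constructed-auth-code", "state": "12345"})
    code, claims = handle_callback(callback_body, session)
    _, form = token_request(tenant, app, secret, cb, "https://service.contoso.com/", code=code)
    access, refresh, ttl = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    _, refresh_form = token_request(tenant, app, secret, cb, "https://service.contoso.com/",
                                    refresh_token=refresh)
    return {"signin_url": url, "code": code, "sub": claims["sub"], "grant": form["grant_type"],
            "access_token": access, "ttl": ttl, "refresh_grant": refresh_form["grant_type"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the `session` dict lives in server-side session storage keyed to the browser, `token_request` output is sent with your HTTP client as a POST form, and `parse_token_response` reads that client's response body; the state comparison uses a constant-time check so a callback forged for another session is rejected before any token is touched.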
Send a sign-out request
To sign the user out of the app, redirect the user to the end_session_endpoint. If the sign-out does not complete, the user will be able to re-authenticate to your app without re-entering credentials, because the Azure AD session is still alive.
GET https://login.microsoftonline.com/common/oauth2/logout?
post_logout_redirect_uri= http://mysampleapp.com
Conclusion
This was only a part of OpenID Connect and OAuth 2.0; there is much more to describe and talk about. In the next blog, I will share the implicit flow and the explicit flow with working examples.