Expona
Context-trained AI agent delivering noise-free, cost-efficient conversational intelligence
As a SharePoint developer, you are aware that SharePoint provides OAuth Authorization services to generate access token from SharePoint using its own prerequisites. However, this approach has its own limitations. We can generate same token without using OAuth Authorization provided by SharePoint. In this blog, I will take you through the process of generation of Bearer Token for a custom third party client application to authenticate and authorize with SharePoint and perform operations on SharePoint data using the generated access token.
When a user signs in to SharePoint, the user’s security token is validated. The token is issued by an identity provider. SharePoint supports several kinds of user authentication. For more information on this, see Authentication, authorization, and security in SharePoint 2013.
In SharePoint 2013, we can create apps using SharePoint Add–Ins. These Add-Ins are also required to be authenticated and authorized with SharePoint. These Add-ins can be authenticated and authorized in several different ways. For more information on this, see Three authorization systems for SharePoint Add-ins.
As mentioned, for all the given authorization systems to get access tokens for logged in user, either we need to create a high trust using certificates or we need to register with Microsoft Azure Access Control Service (ACS). In both these scenarios, our custom site requires to be configured with secure access i.e. HTTPS protocol with high trust certificates.
So, the workaround to create access tokens from SharePoint site other than the options provided by Microsoft is creating a custom ASP.Net Web API using OWIN.
OWIN is an Open Web Interface for .Net which acts as a middleware OAuth 2.0 authorization server between SharePoint site and a third party client application. OWIN defines a standard interface between .NET web servers and web applications.
Using ASP.Net Web API and OWIN, we can authenticate and authorize users with SharePoint site and generate access token for this user, and further use this access token for CRUD operations on SharePoint site using SharePoint REST API’s by passing the “Bearer” access token in the headers of the query.
To perform CRUD operations on SharePoint content using SharePoint REST APIs, there are different ways to pass authorization:
The First option stated above cannot be used in a custom third party client application as it does not understand the default credentials. The Second option stated above passes username, password and the domain in which the user needs to be authorized, which will cause a security threat as the client application will need to store user’s password and send it whenever required.
SharePoint 2013 uses OAuth 2.0 Authorization framework for Bearer Token usage in SharePoint Add-Ins. Once the access token is generated, the custom application can use this token to perform CRUD operations on SharePoint 2013 content using SharePoint REST APIs. This token is sent through headers from the code that is running on a browser client. You will not need access token if you are making this call from a SharePoint hosted app add-in.
In a similar way, we can generate access token in ASP.Net Web API and OWIN by passing in the username and password for the first time. Once the access token is generated, we can use this token for CRUD operation for SharePoint REST APIs.
Below are the steps to generate access token using OWIN
Wasn’t that simple? Do try this approach and let me know how it goes for you.