{"id":2234,"date":"2023-03-21T10:56:30","date_gmt":"2023-03-21T09:56:30","guid":{"rendered":"https:\/\/blog.kodono.info\/wordpress\/?p=2234"},"modified":"2023-03-21T11:35:08","modified_gmt":"2023-03-21T10:35:08","slug":"connect-to-sharepoint-online-using-an-app-clientid-and-clientsecret","status":"publish","type":"post","link":"https:\/\/blog.kodono.info\/wordpress\/2023\/03\/21\/connect-to-sharepoint-online-using-an-app-clientid-and-clientsecret\/","title":{"rendered":"Connect to SharePoint Online using an app clientId and clientSecret"},"content":{"rendered":"<h3>Get <code>`clientId`<\/code> and <code>`clientSecret`<\/code><\/h3>\n<p>(<a href=\"https:\/\/github.com\/s-KaiNet\/node-sp-auth\/wiki\/SharePoint-Online-addin-only-authentication\">source<\/a>)<\/p>\n<p>You&#8217;ll need credentials: <\/p>\n<ul>\n<li><code>`clientId`<\/code> &#8211; required string, client id obtained when registering the addin<\/li>\n<li><code>`clientSecret`<\/code> &#8211; required string, client secret obtained when registering the addin<\/li>\n<li><code>`realm`<\/code> &#8211; your SharePoint Online tenant id. The easiest way to find the tenant id is to open a SharePoint Online site collection, click <b>Site Settings<\/b> &rarr; <b>Site App Permissions<\/b>. On this page you will see at least one app &#8220;Microsoft.SharePoint&#8221;. 
The tenant id (realm) is highlighted in the image below:<br \/>\n<a href=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm-1024x183.png\" alt=\"\" width=\"1024\" height=\"183\" class=\"aligncenter size-large wp-image-2236\" srcset=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm-1024x183.png 1024w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm-300x54.png 300w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm-768x137.png 768w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/realm.png 1286w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/li>\n<\/ul>\n<p>Example of the expected result: <\/p>\n<pre class=\"brush:javascript\">\r\n{\r\n  clientId: '28bq7e56-8c3a-487d-hbfb-ef1a74539cbe',\r\n  clientSecret: 's6LZ4VvoeKOS+MyAhklcavsyJBF4XhWo06OgY6czYJ0=',\r\n  realm: '85e5f09b-4c17-4d80-afea-260bb171c456'\r\n}\r\n<\/pre>\n<p>To get the credentials, you need to register a new addin inside SharePoint Online, by following these steps:<\/p>\n<ol>\n<li>Open the SharePoint Online app registration page, e.g. 
<code>https:\/\/contoso.sharepoint.com\/sites\/dev\/_layouts\/15\/appregnew.aspx<\/code><\/li>\n<li>Click on <b>&#8220;Generate&#8221;<\/b> for Client id and Client Secret, fill in Title, App Domain, Redirect URI (you can type in any values you want)<br \/>\n         <a href=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_reg.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_reg.png\" alt=\"\" width=\"374\" height=\"364\" class=\"aligncenter size-full wp-image-2237\" srcset=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_reg.png 374w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_reg-300x292.png 300w\" sizes=\"auto, (max-width: 374px) 100vw, 374px\" \/><\/a><\/li>\n<li>Click on <b>&#8220;Create&#8221;<\/b> and save the generated Client Id and Client Secret<\/li>\n<li><strong>[IF YOU HAVE TENANT RIGHTS]<\/strong> Now you need to apply permissions to the newly registered app. If you want to register the app once and use it for any site collection, it&#8217;s better to apply <strong>tenant scope permissions<\/strong>, so you can use the credentials everywhere inside your SharePoint tenant. To apply tenant scoped permissions, open the <code>AppInv.aspx<\/code> page under the SharePoint administration web site, e.g. 
<code>https:\/\/[YOUR_ORGANIZATION]-admin.sharepoint.com\/_layouts\/15\/appinv.aspx<\/code>, copy paste Client Id from step n\u00b03 into App Id field and click <b>&#8220;Lookup&#8221;<\/b>.<\/li>\n<li><strong>[IF YOU HAVE TENANT RIGHTS]<\/strong> You will see your registered app, paste in the following XML into the <b>&#8220;Permission Request XML&#8221;<\/b> field and click <b>&#8220;Create&#8221;<\/b>:\n<pre class=\"rush:xml\">\r\n    &lt;AppPermissionRequests AllowAppOnlyPolicy=\"true\">\r\n      &lt;AppPermissionRequest Scope=\"http:\/\/sharepoint\/content\/tenant\" Right=\"FullControl\" \/>\r\n    &lt;\/AppPermissionRequests>\r\n<\/pre>\n<p><a href=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_permission.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_permission.png\" alt=\"\" width=\"614\" height=\"580\" class=\"aligncenter size-full wp-image-2238\" srcset=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_permission.png 614w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_permission-300x283.png 300w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/a><\/li>\n<li><strong>[IF YOU ARE NOT A TENANT]<\/strong> If you only want to give permissions on 1 site collection, you can register the app on a regular site collection by using url <code>https:\/\/contoso.sharepoint.com\/sites\/dev\/_layouts\/15\/appinv.aspx<\/code>. 
In this case you are not able to use tenant scoped permissions and can only apply site collection permissions:\n<pre class=\"rush:xml\">\r\n    &lt;AppPermissionRequests AllowAppOnlyPolicy=\"true\">\r\n      &lt;AppPermissionRequest Scope=\"http:\/\/sharepoint\/content\/sitecollection\" Right=\"FullControl\" \/>\r\n    &lt;\/AppPermissionRequests>\r\n<\/pre>\n<\/li>\n<li>You will see the addin &#8220;Trust&#8221; confirmation, click on <b>&#8220;Trust It&#8221;<\/b>:<br \/>\n<a href=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_trust.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_trust.png\" alt=\"\" width=\"767\" height=\"322\" class=\"aligncenter size-full wp-image-2239\" srcset=\"https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_trust.png 767w, https:\/\/blog.kodono.info\/wordpress\/wp-content\/uploads\/2023\/03\/online_addinonly_trust-300x126.png 300w\" sizes=\"auto, (max-width: 767px) 100vw, 767px\" \/><\/a><br \/>\n <em>If the trust-it button is not enabled and you get a red label saying tenant admin needs to trust the app, go back and try again in a few minutes.<\/em><\/li>\n<li>Now you can use the client id and client secret to send authenticated HTTP requests.<\/li>\n<\/ol>\n<p>To know more about the XML permissions, you can check the <a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/dev\/sp-add-ins\/add-in-permissions-in-sharepoint\">Microsoft documentation<\/a>.<\/p>\n<h3>Get Access Token<\/h3>\n<p>(you can find a <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/51982.sharepoint-read-online-list-data-from-c-console-application-using-access-token.aspx\">C# code<\/a> as an example)<\/p>\n<p>You need to do a <b>POST<\/b> request to <code>https:\/\/accounts.accesscontrol.windows.net\/[YOUR_TENANT_REALM]\/tokens\/OAuth\/2<\/code> with a 
<b>&#8220;Content-Type&#8221;<\/b> header that has the value <b>&#8220;application\/x-www-form-urlencoded&#8221;<\/b>, and the body parameters that must be:<\/p>\n<ul>\n<li>&quot;grant_type&quot;:&quot;client_credentials&quot;<\/li>\n<li>&quot;client_id&quot;:&quot;[YOUR_CLIENT_ID]@[YOUR_TENANT_REALM]&quot;<\/li>\n<li>&quot;client_secret&quot;:&quot;[YOUR_CLIENT_SECRET]&quot;<\/li>\n<li>&quot;resource&quot;:&quot;00000003-0000-0ff1-ce00-000000000000\/dell.sharepoint.com@[YOUR_TENANT_REALM]&quot;<\/li>\n<\/ul>\n<p>See below an example in PHP:<\/p>\n<pre class=\"brush:php\">\r\n$curl = curl_init();\r\ncurl_setopt($curl, CURLOPT_URL, \"https:\/\/accounts.accesscontrol.windows.net\/[YOUR_TENANT_REALM]\/tokens\/OAuth\/2\");\r\ncurl_setopt($curl, CURLOPT_HTTPHEADER, [ \"Content-Type: application\/x-www-form-urlencoded\" ]);\r\ncurl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query([\r\n  \"grant_type\" => \"client_credentials\",\r\n  \"client_id\" => \"[YOUR_CLIENT_ID]@[YOUR_TENANT_REALM]\",\r\n  \"client_secret\" => \"[YOUR_CLIENT_SECRET]\",\r\n  \"resource\" => \"00000003-0000-0ff1-ce00-000000000000\/dell.sharepoint.com@[YOUR_TENANT_REALM]\"\r\n]));\r\ncurl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\r\n$response = json_decode(curl_exec($curl));\r\ncurl_close($curl);\r\n\r\necho $response->access_token;\r\n<\/pre>\n<p>The response should contain an access token. 
Example:<\/p>\n<pre class=\"brush:javascript\">\r\n{\r\n  \"token_type\":\"Bearer\",\r\n  \"expires_in\":\"86399\",\r\n  \"not_before\":\"1679393911\",\r\n  \"expires_on\":\"1679480611\",\r\n  \"resource\":\"00000003-0000-0ff1-ce00-000000000000\/dell.sharepoint.com@[YOUR_TENANT_REALM]\",\r\n  \"access_token\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSU[...]SxXA5Lqbk1OcOVdwQ\"\r\n}\r\n<\/pre>\n<p>Finally, you can make your REST API request to SharePoint Online by passing the <b>&#8220;Authorization&#8221;<\/b> header with the value <b>&#8220;Bearer [YOUR_ACCESS_TOKEN]&#8221;<\/b>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Get `clientId` and `clientSecret` (source) You&#8217;ll need credentials: `clientId` &#8211; required string, client id obtained when registering the addin `clientSecret` &#8211; required string, client secret obtained when registering the addin `realm` &#8211; your SharePoint Online tenant id. The easiest way to find tenant is to open SharePoint Online site collection, click Site Settings &rarr; Site 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","hide_page_title":"","footnotes":""},"categories":[170,33],"tags":[123,158,117],"class_list":["post-2234","post","type-post","status-publish","format-standard","hentry","category-english","category-programmation","tag-english","tag-programmation","tag-sharepoint"],"_links":{"self":[{"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/posts\/2234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/comments?post=2234"}],"version-history":[{"count":17,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/posts\/2234\/revisions"}],"predecessor-version":[{"id":2256,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/posts\/2234\/revisions\/2256"}],"wp:attachment":[{"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/media?parent=2234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/categories?post=2234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.kodono.info\/wordpress\/wp-json\/wp\/v2\/tags?post=2234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}