Reputation: 33
I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.
I've read the docs and looked at many different forums for the solution but as of yet I've been unsuccessful in obtaining a SPO specific access token, although I think I'm close.
I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862
This is what I've done:
https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token
using the client secret in Postman:
(Image of Postman request)
The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the aforementioned StackOverflow answer suggests you need to "swap" for an SPO specific access token.
How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?
Upvotes: 3
Views: 5589
Reputation: 1060
I wrote this gist to guide you into getting Sites.Selected access to the desired site: https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542
This guide shows you how to configure this as Application permissions, and via the Graph API.
I've found going through the Graph API is the best way to go.
Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.
Upvotes: 3
Reputation: 9539
First, the daemon-based client credential flow does not return a refresh token for you. You also can't redeem the refresh token of the Graph API for an access token for SPO; these are two completely different API resources.
To get an access token for SPO you just need to set scope to: https://{tenant-name}.sharepoint.com/.default
Upvotes: 0
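The client-credentials request with the SPO scope described above, as an added example in the asker's language (not code from the question or any answer), followed by a check of the returned token's claims so you can tell an SPO token from a Graph one. It assumes $tenantId, $clientId, $clientSecret and $tenantName are already loaded from your config.

```php
<?php
// Added example, not from the question or any answer. Assumed config values: $tenantId,
// $clientId, $clientSecret and $tenantName ("contoso" for contoso.sharepoint.com).
// Client-credentials request scoped to the SharePoint resource. The scope decides the token's
// audience; the response carries access_token and expires_in but never a refresh_token.
function requestSpoToken(string $tenantId, string $clientId, string $clientSecret, string $tenantName): array
{
    $ch = curl_init("https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token");
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([   // string body implies POST
            'grant_type'    => 'client_credentials',
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'scope'         => "https://{$tenantName}.sharepoint.com/.default",
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Token request failed (HTTP {$status}): " . ($body ?: ''));
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}
// Decode the JWT payload for inspection only (no signature check; SPO validates the token).
function jwtClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a JWT');
    }
    $b64 = strtr($parts[1], '-_', '+/');                 // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    return json_decode(base64_decode($b64, true), true, 512, JSON_THROW_ON_ERROR);
}
// Confirm the token is for SharePoint Online (not Graph) and carries the Sites.Selected app role.
function checkSpoAppToken(array $claims, string $tenantName): void
{
    // SPO tokens name the tenant host or SharePoint's well-known service principal as audience.
    $spoAudiences = ["https://{$tenantName}.sharepoint.com", '00000003-0000-0ff1-ce00-000000000000'];
    if (!in_array($claims['aud'] ?? '', $spoAudiences, true)) {
        throw new RuntimeException('Audience is not SharePoint Online: ' . ($claims['aud'] ?? 'none'));
    }
    if (!in_array('Sites.Selected', $claims['roles'] ?? [], true)) {
        throw new RuntimeException('Token lacks the Sites.Selected application role');
    }
}
$token = requestSpoToken($tenantId, $clientId, $clientSecret, $tenantName);
checkSpoAppToken(jwtClaims($token['access_token']), $tenantName);
```

Sites.Selected is an application permission, so it appears in the app-only token's roles claim rather than scp, and a token that fails the audience check was minted for another resource (such as Graph) and SharePoint will reject it. Note also that SharePoint Online's REST endpoints accept app-only tokens only when the app authenticated with a certificate credential, so for production replace the client_secret parameter with a client_assertion built from your certificate.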
Reputation: 427
The guide describes getting a delegated auth token from Graph, but you are getting an application auth token. The token response of this flow does not contain a refresh_token. See here.
But you already wrote that you are not able to provide a user sign-in experience. One workaround would be to once manually get the access_token and refresh_token of a user with the delegated flow and then periodically get a new access_token with the refresh_token on your server. You could store these values in your database and update them when you fetch a new one.
Upvotes: 1