Reputation: 1
I am trying to authenticate users from an external IdP to SharePoint Subscription Edition using the OIDC protocol.
I have set up the SharePoint farm as per the article:
I have obtained the token from the IdP in exchange for the code. The token has multiple parts: access_token, token_type, expires_in and id_token (which is a signed JWT that contains basic attributes about the user and is signed using the RS256 algorithm).
After obtaining the token, how do I authenticate to SharePoint?
I tried sending a request to a protected resource with a bearer token in the Authentication header. Do I use the access_token or the id_token as the bearer token? I have tried both and get 401 Unauthorized.
Any idea how to authenticate?
Request:
```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Sends a GET to the protected SharePoint URL with the token as a Bearer credential.
// The URL was a placeholder in the original snippet, so it is taken as a parameter here.
static async Task<string?> CallSharePointAsync(string token, string spRestrictedUrl)
{
    using var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    // Extra headers sent with the request in the original attempt
    client.DefaultRequestHeaders.Add("X-FORMS_BASED_AUTH_ACCEPTED", "t");
    client.DefaultRequestHeaders.Add("Accept", "application/json");

    // await instead of .Result avoids blocking the calling thread on the HTTP call
    var response = await client.GetAsync(spRestrictedUrl);
    if (!response.IsSuccessStatusCode)
    {
        return null; // the 401 case shown in the response below ends up here
    }
    return await response.Content.ReadAsStringAsync();
}
```
Response:
```text
{StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
X-SharePointHealthScore: 0
SPRequestGuid: 25b283a1-f8c2-2089-0000-00b23df91f68
request-id: 25b283a1-f8c2-2089-0000-00b23df91f68
X-FRAME-OPTIONS: SAMEORIGIN
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com;
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
SPRequestDuration: 430
SPIisLatency: 11
x-ms-suspended-features: features=""
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Xss-Protection: 1; mode=block
Date: Fri, 21 Feb 2025 14:42:14 GMT
Location: https://exis.gov/default.aspx
Server:
WWW-Authenticate: Bearer realm="888d6acb-3940-4a1e-92f9-9ce1b9ca8892",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000003-0000-0ff1-ce00-000000000000@888d6acb-3940-4a1e-92f9-9ce1b9ca8892"
Content-Length: 152
Content-Type: text/html; charset=UTF-8
}}
```
Upvotes: 0
Views: 18
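A useful first step when a bearer token is rejected with a 401 is to put the server's `WWW-Authenticate` challenge next to the claims inside the token you sent. The script below is an added example and is not part of the original post or of SharePoint: it parses the Bearer challenge quoted in the response above and decodes a JWT's header and claims without verifying the signature (signature verification against the IdP's JWKS is a separate step and is deliberately not shown). The id_token it inspects is a constructed, dummy-signed JWT, and the comparison of the token's `aud` against the challenge's `client_id` is an illustrative assumption about what the resource expects, not a statement of how SharePoint validates tokens.

```python
import base64
import json
import re
import time
from typing import Optional, Tuple

# Copied from the 401 response in the post above (the only real value in this example).
WWW_AUTHENTICATE = (
    'Bearer realm="888d6acb-3940-4a1e-92f9-9ce1b9ca8892",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000003-0000-0ff1-ce00-000000000000@888d6acb-3940-4a1e-92f9-9ce1b9ca8892"'
)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Constructed test input: a JWT-shaped string with a dummy signature.
    It is only good for inspecting header/claims, never for authentication."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


def parse_bearer_challenge(header: str) -> dict:
    """Split an RFC 6750-style 'Bearer k="v",k="v"' challenge into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Decode header and claims WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def audit_token_against_challenge(token: str, challenge: str, now: Optional[float] = None) -> dict:
    """Put the token's key claims next to the challenge and list obvious mismatches."""
    params = parse_bearer_challenge(challenge)
    header, claims = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if "exp" not in claims or claims["exp"] < now:
        problems.append("token missing exp or already expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # Assumption for illustration: the resource expects its own client_id as audience.
    # An external IdP's id_token is minted for your OIDC client, so this is expected to
    # fail, and that mismatch is the finding worth reporting.
    if params.get("client_id") not in auds:
        problems.append(f"aud {auds!r} does not contain challenge client_id {params.get('client_id')!r}")
    iss = claims.get("iss")
    if iss not in params.get("trusted_issuers", "").split(","):
        problems.append(f"iss {iss!r} is not listed in trusted_issuers {params.get('trusted_issuers')!r}")
    return {"realm": params.get("realm"), "alg": header.get("alg"), "iss": iss, "aud": auds, "problems": problems}


if __name__ == "__main__":
    # Constructed id_token: issuer, audience and subject are made up for the example.
    id_token = make_unsigned_jwt(
        {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"},
        {"iss": "https://idp.example.com", "aud": "my-sp-oidc-client", "sub": "alice", "exp": 4102444800},
    )
    print(json.dumps(audit_token_against_challenge(id_token, WWW_AUTHENTICATE), indent=2))
```

The audit intentionally never trusts the token: it reads the header and claims only to explain the rejection, and it flags `alg` values other than RS256 (such as `none`) and expired `exp` before looking at audience and issuer.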