SharePoint OAuth using Client ID and Secret


Krishna KV
Team Leader, Aspire Systems
Published On :   21 Aug 2016



SharePoint OAuth authorizes an add-in with a token instead of user credentials (username and password). The token can be scoped to a specific site or list, so users can let another site or application work with their data (documents, pictures, content) without handing over their credentials.

If a SharePoint add-in needs to access site information, it must have a Client ID and a Client Secret. These can be generated from the SharePoint site or with PowerShell and then added to the add-in. An add-in has exactly one client ID, but more than one client secret can be associated with it, which is what makes it possible to rotate a secret without an outage.

To create a client ID and client secret, open:

http://{sharepointsite}/_layouts/15/AppRegNew.aspx

Client ID – a GUID that identifies the SharePoint add-in.

Client Secret – the password of the add-in. It is bound to the client ID and is not shown again after the page is submitted, so store it securely (or be prepared to generate a new one).

Title – a user-friendly name shown on the add-in trust screen.

Add-in domain – the host name of the remote server that hosts the add-in. If HTTPS is not served on port 443, include the port number.

Redirect URL – the endpoint of the remote application to which ACS sends the authorization code.

A client secret created through AppRegNew.aspx expires one year after it is created. A replacement secret can be registered with PowerShell, and its lifetime can be extended to a maximum of three years. A newly generated secret may take up to 24 hours to become usable (sometimes it works immediately), so generate the replacement at least a day before the old one expires. Once the secret has expired the add-in fails with the error “The remote server returned an error: (401) Unauthorized.”

To view the list of add-ins:

https://{sharepointsite}/_layouts/15/AppPrincipals.aspx

To view the details of an add-in or grant it permissions:

https://{sharepointsite}/_layouts/15/Appinv.aspx

· This page does not reveal the client secret.

Refreshing a client secret.

Prerequisites

· http://go.microsoft.com/fwlink/p/?linkid=236298 (Microsoft Online Services PowerShell module, 32-bit)

· http://go.microsoft.com/fwlink/p/?linkid=236297 (Microsoft Online Services PowerShell module, 64-bit)

· https://www.microsoft.com/download/details.aspx?id=39267 (Microsoft Online Services Sign-In Assistant)

Open PowerShell and run the cmdlets below.

 # Load the module and sign in as a tenant administrator (prompts for username and password)
 Import-Module MSOnline
 Connect-MsolService

 # Store the client ID of the add-in in a variable
 $clientId = "358658dc-f04b-4c37-a260-2227eb51dde1"

 # Generate a random 256-bit secret and register it with the default expiration (one year).
 # ACS needs all three credential entries: Symmetric/Sign, Symmetric/Verify and Password/Verify.
 $bytes = New-Object Byte[] 32
 $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
 $rand.GetBytes($bytes)
 $rand.Dispose()
 $newClientSecret = [System.Convert]::ToBase64String($bytes)
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
 # Print the new secret; it cannot be retrieved from ACS afterwards
 $newClientSecret

 # Generate a client secret with a three-year expiration:
 # add the -StartDate and -EndDate parameters to each of the three New-MsolServicePrincipalCredential calls
 $bytes = New-Object Byte[] 32
 $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
 $rand.GetBytes($bytes)
 $rand.Dispose()
 $newClientSecret = [System.Convert]::ToBase64String($bytes)
 $dtStart = [System.DateTime]::Now
 $dtEnd = $dtStart.AddYears(3)
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
 $newClientSecret
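The refresh procedure above registers a new secret but does not show how to see what is already registered, how to catch the expiry before the 401 described earlier occurs, or how to retire the old secret once the add-in has moved over. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft. It assumes the MSOnline module is installed and that Connect-MsolService has already been run as a tenant administrator; the client ID is a placeholder, and the helper name New-ClientSecret is this example's own. It relies on Get-MsolServicePrincipalCredential and Remove-MsolServicePrincipalCredential from the same module.

```powershell
# Added example (not from the original post): audit the add-in's credentials,
# register a replacement secret with an overlap window, then retire the old
# credentials once the new one is known to work.
# Assumes the MSOnline module is installed and Connect-MsolService has already
# been run as a tenant administrator. The client ID below is a placeholder.
Import-Module MSOnline

$clientId = "358658dc-f04b-4c37-a260-2227eb51dde1"   # placeholder add-in client ID
$warnDays = 30                                        # flag secrets ending within this many days

# 1. Audit: list every credential on the add-in principal and flag expired or
#    soon-to-expire ones. ACS never returns the secret values themselves.
$creds = @(Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false)
foreach ($c in $creds) {
    $daysLeft = [int]($c.EndDate - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { "EXPIRED" } elseif ($daysLeft -le $warnDays) { "EXPIRING" } else { "OK" }
    "{0,-8} {1} {2,-9} {3,-6} ends {4:yyyy-MM-dd} ({5} days)" -f $state, $c.KeyId, $c.Type, $c.Usage, $c.EndDate, $daysLeft
}
$oldKeyIds = @($creds | ForEach-Object { $_.KeyId })  # remember what to retire after the overlap

# 2. Generate a 256-bit secret from a cryptographic RNG (same construction as
#    the post) and register the three credential entries ACS expects.
function New-ClientSecret {
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [System.Convert]::ToBase64String($bytes)
}

$newSecret = New-ClientSecret
$start = Get-Date
$end   = $start.AddYears(1)          # anything up to AddYears(3) is accepted
$entries = @(
    @{ Type = "Symmetric"; Usage = "Sign"   },
    @{ Type = "Symmetric"; Usage = "Verify" },
    @{ Type = "Password";  Usage = "Verify" }
)
foreach ($e in $entries) {
    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type $e.Type -Usage $e.Usage `
        -Value $newSecret -StartDate $start -EndDate $end
}

# 3. Hand the value over for the web.config update. It cannot be read back
#    from ACS later, so this is the only chance to record it.
Write-Output ("New client secret (valid {0:yyyy-MM-dd} to {1:yyyy-MM-dd}): {2}" -f $start, $end, $newSecret)

# 4. Retire the old credentials only after the new secret has propagated
#    (allow up to 24 hours) and the add-in has been confirmed working with it.
#    Until then the old value stays in SecondaryClientSecret so tokens keep validating.
#    When ready, run:
#    Remove-MsolServicePrincipalCredential -AppPrincipalId $clientId -KeyIds $oldKeyIds
Write-Output "Credentials to retire after the overlap window: $($oldKeyIds -join ', ')"
```

The audit step is the check that catches the expiry before the add-in starts returning 401: schedule it and alert on EXPIRING. Keep the old credential registered in ACS, and its value in SecondaryClientSecret, until the new secret has propagated and been tested end to end; only then run the Remove-MsolServicePrincipalCredential line, so that an add-in still holding the old secret is not locked out by the cleanup.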

Updating the new secret in app.config/web.config

  <add key="ClientId" value="your client id here" />
  <add key="ClientSecret" value="your new secret here" />
  <add key="SecondaryClientSecret" value="your old secret here" />
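To avoid editing the secrets by hand and getting the order wrong, the following PowerShell is an added example (not from the original post) that rotates the values in web.config the way the fragment above implies: the value that is live today moves to SecondaryClientSecret and the new value goes into ClientSecret. The config path and the secret are placeholders, and the function names Set-AppSetting and Update-AddInSecret are this example's own.

```powershell
# Added example (not from the original post): move the current ClientSecret
# to SecondaryClientSecret and write the new ClientSecret into web.config.
# Path and secret are placeholders supplied by the caller.

function Set-AppSetting {
    param(
        [Parameter(Mandatory)][System.Xml.XmlElement]$AppSettings,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    # Create the <add key="..."/> element if it is not there yet (SecondaryClientSecret often is not)
    $node = $AppSettings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $AppSettings.OwnerDocument.CreateElement("add")
        $node.SetAttribute("key", $Key)
        [void]$AppSettings.AppendChild($node)
    }
    $node.SetAttribute("value", $Value)
}

function Update-AddInSecret {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$NewSecret
    )
    # XmlDocument.Save resolves relative paths against the process directory, so resolve first
    $ConfigPath = (Resolve-Path -Path $ConfigPath).Path
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $appSettings = $config.SelectSingleNode("/configuration/appSettings")
    if (-not $appSettings) { throw "No <appSettings> section found in $ConfigPath" }

    $current = $appSettings.SelectSingleNode("add[@key='ClientSecret']")
    if (-not $current) { throw "ClientSecret is not present in $ConfigPath" }
    $currentValue = $current.GetAttribute("value")
    if ($currentValue -eq $NewSecret) {
        Write-Warning "ClientSecret already holds the new value; nothing to do"
        return
    }

    # Keep a backup so a bad rotation can be reverted quickly. It contains both secrets.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    # The secret that is live today becomes the secondary one for the overlap window
    Set-AppSetting -AppSettings $appSettings -Key "SecondaryClientSecret" -Value $currentValue
    Set-AppSetting -AppSettings $appSettings -Key "ClientSecret" -Value $NewSecret
    $config.Save($ConfigPath)
    Write-Output "Rotated ClientSecret in $ConfigPath (backup: $backup)"
}

# Usage (placeholder path; $newClientSecret is the value printed by the refresh script):
# Update-AddInSecret -ConfigPath "C:\inetpub\wwwroot\MyAddIn\web.config" -NewSecret $newClientSecret
```

The backup file holds both the old and the new secret, so it needs the same file permissions as web.config and should be deleted once the rotation has been verified. Saving web.config also recycles the IIS application, which is what makes the new secret take effect.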