SharePoint OAuth authorizes a user with a token instead of credentials (username and password). The token can grant access to a specific site or list. Users can also share their data (documents, pictures, content) with other site users without sharing their credentials.
If a SharePoint add-in needs to access site information, the add-in must have a Client ID and a Client Secret. These can be generated from the SharePoint site or with PowerShell and then added to the add-in. An add-in is associated with a single client ID, but it can have multiple client secrets.
To create a client ID and client secret, open:
http://{sharepointsite}/_layouts/15/AppRegNew.aspx
Client ID – a GUID that identifies the SharePoint add-in.
Client Secret – the password for the add-in. It is associated with the client ID and is shown only once, so store it securely or be prepared to generate a new client secret.
Title – a user-friendly name shown on the add-in trust screen.
Add-in domain – the host name of the add-in's remote server. If HTTPS is not configured on port 443, the port number must be included.
Redirect URL – the endpoint of the remote application to which ACS sends the authentication code.
A client secret created with AppRegNew.aspx expires after one year. A new secret can be registered with PowerShell, and its duration can be extended to a maximum of 3 years. The newly generated key can take anywhere from no time to 24 hours to become active, so it is better to generate the new secret at least a day in advance. If the secret expires, the add-in returns the error “The remote server returned an error: (401) Unauthorized.”
To view the list of add-ins:
https://{sharepointsite}/_layouts/15/AppPrincipals.aspx
To view the details of an add-in or grant permissions:
https://{sharepointsite}/_layouts/15/Appinv.aspx
· This page does not display the client secret.
Refreshing a client secret.
Prerequisites
· http://go.microsoft.com/fwlink/p/?linkid=236298 (Microsoft Online Services PowerShell module, 32-bit)
· http://go.microsoft.com/fwlink/p/?linkid=236297 (Microsoft Online Services PowerShell module, 64-bit)
· https://www.microsoft.com/download/details.aspx?id=39267 (Microsoft Online Services Sign-In Assistant)
Open PowerShell and execute the cmdlets below.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator username and password
Store the client ID in a variable:
$clientId="358658dc-f04b-4c37-a260-2227eb51dde1"
Generate a key with the default expiration (one year):
# 32 random bytes from a cryptographic RNG, base64-encoded, form the new secret
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
# Register the same value as the three credential types the add-in principal uses
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
# Display the new secret so it can be copied into the add-in configuration
$newClientSecret
Generate the client secret with a three-year expiration.
Include the -StartDate and -EndDate parameters on all three calls of the New-MsolServicePrincipalCredential cmdlet:
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
# Validity window: from now until three years from now
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
# Display the new secret so it can be copied into the add-in configuration
$newClientSecret
Updating the new secret in app.config/web.config (keep the old secret as SecondaryClientSecret until the new one is active):
<add key="ClientId" value="your client id here" />
<add key="ClientSecret" value="your new secret here" />
<add key="SecondaryClientSecret" value="your old secret here" />
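The following PowerShell is an added example, not part of the original post: it lists every credential registered for the add-in principal with its remaining lifetime, warns when rotation is due, and removes keys that have already expired. It uses the MSOnline module's Get-MsolServicePrincipalCredential and Remove-MsolServicePrincipalCredential cmdlets and assumes Connect-MsolService has already run and $clientId holds the add-in's client ID; the function name Get-AddInSecretStatus and the 30-day warning threshold are assumptions.

```powershell
function Get-AddInSecretStatus {
    # Report each credential registered for the add-in principal and how long it has left.
    param(
        [Parameter(Mandatory = $true)][Guid]$AppPrincipalId,
        [int]$WarnDays = 30   # assumed threshold for the ExpiringSoon state
    )
    $now = [System.DateTime]::UtcNow
    # -ReturnKeyValues $false returns only metadata; secret values are never read back.
    Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $false |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.EndDate - $now).TotalDays)
            $state = if ($daysLeft -lt 0) { 'Expired' }
                     elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                     else { 'Valid' }
            [pscustomobject]@{
                KeyId     = $_.KeyId
                Type      = $_.Type
                Usage     = $_.Usage
                StartDate = $_.StartDate
                EndDate   = $_.EndDate
                DaysLeft  = $daysLeft
                State     = $state
            }
        }
}

# Run it against the add-in registered above ($clientId from the earlier steps on this page).
$status = Get-AddInSecretStatus -AppPrincipalId $clientId -WarnDays 30
$status | Format-Table KeyId, Type, Usage, EndDate, DaysLeft, State -AutoSize

# Rotate while the old secret still works: register the new secret (as shown above), put it in
# ClientSecret in web.config and move the old value to SecondaryClientSecret.
if ($status | Where-Object { $_.State -eq 'ExpiringSoon' }) {
    Write-Warning "At least one credential expires within 30 days; rotate the client secret now."
}

# Only after the new secret is live and the old one retired from web.config, remove expired keys.
# Each secret is registered as three credentials (Symmetric/Sign, Symmetric/Verify, Password/Verify),
# so the old secret's three KeyIds are removed together.
$expiredIds = @($status | Where-Object { $_.State -eq 'Expired' } | ForEach-Object { $_.KeyId })
if ($expiredIds.Count -gt 0) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $clientId -KeyIds $expiredIds
}
```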