Authentication with sp-rest-proxy / node-sp-auth

Time:10-16

I am getting 403 errors with sp-rest-proxy. I was originally using the “User Credentials” strategy, which allowed me to GET data, but not POST it. So now I am trying the “Addin only permissions”. My I.T. team was able to get the app registered for me, but I am still receiving the below error now even with GET.

Error Details:

{
  "readyState": 4,
  "responseText": "{\"error\":{\"code\":\"-2147024891, System.UnauthorizedAccessException\",\"message\":{\"lang\":\"en-US\",\"value\":\"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\"}}}",
  "responseJSON": {
    "error": {
      "code": "-2147024891, System.UnauthorizedAccessException",
      "message": {
        "lang": "en-US",
        "value": "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
      }
    }
  },
  "status": 403,
  "statusText": "Forbidden"
}

Things I suspect I messed up on:

  1. I strongly think it’s my server/private config. I have the following…
const RestProxy = require('sp-rest-proxy');

const settings = {
 configPath: './config/private.json',
 port: 8081,
};

const restProxy = new RestProxy(settings);
restProxy.serve();

and private (not the actual values I am using, except for "strategy")

{
  "siteUrl": "https://ORGANIZTION.sharepoint.com",
  "strategy": "OnlineAddinOnly",
  "clientId": "0000000-000000-000000-0000-00000000",
  "clientSecret": "000000000000000000000000000000",
  "realm": "00000-0000-0000-0000-000000"
}

I couldn’t find much on the “strategy” value on the sp-rest-proxy or the node-sp-auth side of the documentation. I can assume it’s OnlineAddinOnly, but I’m not able to find the specific syntax for what possible values this attribute expects. I also noticed that the “clientSecret” is changing once I run the server; I assume this is an intentional encryption.

  2. During the App registration phase (step 5 of this https://github.com/s-KaiNet/node-sp-auth/wiki/SharePoint Online addin only authentication) I had the IT folk set the “right” attribute in AppPermissionRequests to “Write” instead of “FullControl”. I noticed that “FullControl” seems to be used in most examples, though I wasn’t sure if it was required. Can anyone confirm that?
    [Edit: confirmed this is not the issue by setting this to FullControl]

Intention:

I am trying to build an internal data management tool that only needs to work on localhost to get, manipulate and replace JSON files in my team’s SharePoint (just in a nice way so that non-coders can do this). The “sp-rest-proxy” library seems to be what I need to implement the REST API effectively in React.

CodePudding user response:

As far as I know, SharePoint app-only access is disabled by default. You need to ask your administrator to enable it by running the following command:

set-spotenant -DisableCustomAppAuthentication $false

CodePudding user response:

The answer is likely in the XML AppPermissionRequests. The creator of the library was able to point me to a better example, and I had noticed some differences: we had a different scope value and no AllowAppOnlyPolicy. Adding these seems to have fixed most of the issue. I am able to confirm that I can now do GET.

I am still having issues with GetFolderByServerRelativeUrl and using the to add/replace files but I am not sure that is related and will treat it as a separate issue as it may not be related to sp-rest-proxy or node-sp-auth

The correct AppPermissionRequests XML should be this, and as @Michael Han_MSFT mentioned, you should ensure that DisableCustomAppAuthentication is set to false:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
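
The difference described in the last answer, as an added example that is not code from the thread or from sp-rest-proxy / node-sp-auth: a small Node.js check that reads an AppPermissionRequests fragment, reports whether AllowAppOnlyPolicy is requested, and lists tenant-wide or FullControl grants so they can be reviewed before registration. The function names, finding labels and the "before" manifest are assumptions made for illustration.

```javascript
// Added example: lint an AppPermissionRequests fragment before it is registered.
// attrs() is a minimal attribute reader for this small fragment, not a general XML parser.
const TENANT_SCOPE = 'http://sharepoint/content/tenant';

function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w:]+)\s*=\s*"([^"]*)"/g)) out[m[1]] = m[2];
  return out;
}

function checkAppPermissionRequests(xml) {
  const findings = [];
  const root = xml.match(/<AppPermissionRequests\b[^>]*>/);
  if (!root) return { appOnly: false, requests: [], findings: ['missing-root'] };

  // App-only calls carry no user identity, so the policy flag has to be requested explicitly.
  const appOnly = (attrs(root[0]).AllowAppOnlyPolicy || '').toLowerCase() === 'true';
  if (!appOnly) findings.push('app-only-policy-not-requested');

  // \b keeps this pattern from matching the plural root element.
  const requests = [...xml.matchAll(/<AppPermissionRequest\b[^>]*>/g)].map((m) => {
    const a = attrs(m[0]);
    return { scope: a.Scope || '', right: a.Right || '' };
  });
  if (requests.length === 0) findings.push('no-permission-requests');

  for (const r of requests) {
    if (!r.scope.startsWith('http://sharepoint/')) findings.push(`unrecognised-scope:${r.scope}`);
    // Broad grants are reported for review, not rejected: the thread's working manifest uses both.
    if (r.scope === TENANT_SCOPE) findings.push('tenant-wide-scope');
    if (r.right === 'FullControl') findings.push('full-control-right');
  }
  return { appOnly, requests, findings };
}

// Constructed "before" manifest: no AllowAppOnlyPolicy, narrower scope (values are illustrative).
const BEFORE = `<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Write" />
</AppPermissionRequests>`;

// The manifest quoted in the last answer of this thread.
const AFTER = `<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>`;

for (const [name, xml] of [['before', BEFORE], ['after', AFTER]]) {
  console.log(name, checkAppPermissionRequests(xml).findings);
}
```

The tenant-wide and FullControl findings are review prompts: the grant in the thread's manifest covers far more than the single team site the question describes.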