Please specify what version of the library you are using: [1.28]
Please specify what version(s) of SharePoint you are targeting: [online]
Issue a search via sp.search(srch) and get results.
I am working in an external app, registered in Azure, passing bearer tokens to access SharePoint.
I can successfully receive tokens (my Graph token is working fine); however, something happens to the SharePoint calls when I try to search or access a list.
For instance, the Search query is never POSTed, the preflight OPTIONS to _api/contextInfo succeeds, but retrieving the formdigest fails with a 401 error:
{"error_description":"The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the
When I try an sp.web.lists.getByTitle(''), I get a 403 error.
The web app requires user authentication, so I am logged in, and I can see the token being passed via Fiddler. Any suggestions?
Register an app in Azure, give it all the delegated SharePoint permissions, point it at a web app.
Pass the bearer token to:
    sp.setup({
        sp: {
            fetchClientFactory: () => {
                return new BearerTokenFetchClient("user access token");
            },
            baseUrl: "{mysharepointDomai}"
        }
    });
Couple things may be happening. If this is an app only token, see point 2.
    sp.setup({
        sp: {
            headers: {
                "Authorization": `Bearer ${token}`,
            },
        },
    });
https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
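also
https://blogs.msdn.microsoft.com/richard_dizeregas_blog/2015/05/03/performing-app-only-operations-on-sharepoint-online-through-azure-ad/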
Edit: I should also add that for search specifically you always need a user context, so an app + user token for those calls.
Thanks for the pointers Patrick.
I think this is actually an ADAL configuration issue.
The Azure App and registration were all fine, getting the authorisation Token, getting the first access token worked okay. Getting the Graph token, all good.
However, when I request a new https://resource.sharepoint.com token through ADAL, and the AcquireTokenSilentAsync method failed, the second call to AcquireTokenAsync was successful. Except this token could not be ratified against SharePoint successfully.
Once I fixed my error (TokenCache was not being persisted correctly), I was able to get a working token again.
    try
    {
        authResult = await authContext.AcquireTokenSilentAsync(resourceId, clientCred, userIdent);
    }
    catch (AdalException ex)
    {
        _logger.LogInformation("Silent token acquire failed - full request.");
        _logger.LogError(ex, ex.Message);
        // BAD CODE FOR SHAREPOINT ONLINE (BUT LEGITIMATE TOKEN)
        authResult = await authContext.AcquireTokenAsync(resourceId, clientCred);
    }
It gave a (seemingly) valid token, but would fail the contextInfo check. I haven't checked to see what the difference actually is, but I do need to figure out what I can do to mitigate. The Graph token worked regardless.
Thanks for the assist
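The thread turns on whether the token sent to SharePoint carries a user context: the `AcquireTokenAsync(resourceId, clientCred)` overload in the fallback above is ADAL's client-credentials call, which returns an app-only token. The following is an added diagnostic example, not code from the thread or from PnPjs; it decodes an Azure AD access token's payload and reports whether it is delegated (has an `scp` claim) or app-only (has `roles`, no `scp`). The helper names, tenant name and sample tokens are constructed for illustration.

```javascript
// Added example: inspect the claims of an access token you obtained yourself.
// The signature is NOT verified here; this is for troubleshooting only.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT (expected header.payload.signature)");
  }
  // JWT segments are unpadded base64url; map back to standard base64.
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Azure AD access tokens: delegated (user) tokens carry "scp";
// app-only tokens carry "roles" and no "scp" or user name claim.
function describeToken(token) {
  const c = decodeJwtPayload(token);
  const delegated = typeof c.scp === "string" && c.scp.length > 0;
  return {
    audience: c.aud, // should be the SharePoint resource, not Graph
    kind: delegated ? "delegated" : "app-only",
    user: c.upn || c.unique_name || null,
    scopes: delegated ? c.scp.split(" ") : [],
    roles: Array.isArray(c.roles) ? c.roles : [],
    expired: typeof c.exp === "number" && c.exp * 1000 <= Date.now(),
  };
}

// Constructed sample tokens (fake claims, dummy signature), built inline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}
const RESOURCE = "https://contoso.sharepoint.com"; // placeholder tenant
const exp = Math.floor(Date.now() / 1000) + 3600;
const userToken = makeSampleToken({
  aud: RESOURCE, exp, scp: "AllSites.Read Sites.Search.All",
  upn: "user@contoso.example",
});
const appToken = makeSampleToken({
  aud: RESOURCE, exp, roles: ["Sites.Read.All"],
  appid: "00000000-0000-0000-0000-000000000000",
});

console.log(describeToken(userToken)); // kind: "delegated"
console.log(describeToken(appToken));  // kind: "app-only"
```

Running `describeToken` on the token from the silent call and on the one from the fallback call shows the difference side by side.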