Given that web parts are granted authorization via OAuth Implicit flow, what exactly is the mechanism that establishes the trust relationship between the Azure AD secured Web API and SharePoint? Specifically, what configures the Web API's app registration to accept [my-tenant].sharepoint.com/etc/etc as a valid redirect URI? Is this done automatically when a SharePoint admin grants permission to the API, or are there other steps to be taken to establish the trust relationship?
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
@byronwjones said:
what exactly is the mechanism that establishes the trust relationship between the Azure AD secured Web API and SharePoint
Every SPO tenant has an Azure AD app that's created in your tenant the first time you grant a permission to SPO to the Azure AD app that protects your HTTPS endpoint. Both apps are in Azure AD so they share trust with Azure AD. When you grant SPO the permission to your HTTPS endpoint, you're effectively giving SPO permission to call it. SPFx is obtaining an access token from AAD for SPO. SPO then hands that token to your SPFx component which it uses to directly call your HTTPS endpoint. The first picture in the first section of this article shows how it works.
@byronwjones said:
Specifically, what configures the Web API's app registration to accept [my-tenant].sharepoint.com/etc/etc as a valid redirect URI?
The redirect URI is only used when you are authenticating with Azure AD... IOW: when you're logging in. There is no login with SPFx... you're already logged into SharePoint Online.
Closing this issue as "answered". If you encounter a similar issue(s), please open up a new issue. See our wiki for more details: Issue-List: Our approach to closed issues