Forum Discussion
Kolitha de Silva
Aug 20, 2016, Copper Contributor
JSOM - Access Web API secured with Azure AD
Any sample code on how to access an Azure AD secured web API from JSOM? I have seen the samples with ADAL and those are mostly SPA applications. I want to access this from a script embedded in a script editor web part.
- Kiril Iliev, Brass Contributor
We have successfully implemented Azure AD secured Web API utilizing our own wrapper over Adal.js library. The sole purpose of the wrapper was to provide a silent login experience.
Out of the box, ADAL.js would redirect you to the Azure login page, where your users would be logged in automatically (SSO experience) if they are already logged in to SharePoint.
We are yet to find a way to create a SharePoint client context on the server using the adal token generated for the authentication. If anyone has encountered this, please share. :)
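The following is an added example, not code from the thread or from the wrapper Kiril describes: a minimal silent-login wrapper over ADAL.js for a script editor web part, which tries `acquireToken()` (ADAL's hidden-iframe renewal against the existing Azure AD session) before falling back to an interactive `login()` redirect, and which checks the token's audience and expiry client-side before sending it to the API. `CLIENT_ID`, `TENANT` and `API_APP_ID_URI` are placeholder values, and ADAL.js is assumed to be loaded on the page as `AuthenticationContext`; the JWT helpers are pure and run in Node as well as in the browser.

```javascript
// Added example (not from the thread): ADAL.js wrapper for calling an
// Azure AD-secured Web API from a script editor web part, plus pure
// helpers that sanity-check a token before it is sent.
// Assumptions: ADAL.js is loaded as window.AuthenticationContext; the
// three constants below are placeholders for your own registration values.

const CLIENT_ID = "00000000-0000-0000-0000-000000000000";           // placeholder
const TENANT = "contoso.onmicrosoft.com";                             // placeholder
const API_APP_ID_URI = "https://contoso.onmicrosoft.com/my-web-api"; // placeholder

// Decode a base64url segment (JWT header/payload) in browser or Node.
function base64UrlDecode(segment) {
  let s = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (s.length % 4 !== 0) s += "=";
  if (typeof atob === "function") return atob(s);
  return Buffer.from(s, "base64").toString("binary");
}

// Parse the payload claims of a JWT. No signature check happens here:
// the Web API is the party that validates the signature. The client
// only wants to avoid sending a token that is already expired or that
// was issued for a different resource.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True if the token's audience is the API and it has at least 60 s of
// life left (clock-skew margin). nowSeconds is injectable for testing.
function isTokenUsable(token, expectedAudience, nowSeconds) {
  const now = nowSeconds !== undefined ? nowSeconds : Math.floor(Date.now() / 1000);
  let claims;
  try { claims = decodeJwtPayload(token); } catch (e) { return false; }
  if (claims.aud !== expectedAudience) return false;
  if (typeof claims.exp !== "number" || claims.exp - 60 <= now) return false;
  return true;
}

// Request headers for the API call.
function bearerHeaders(token) {
  return { Authorization: "Bearer " + token, Accept: "application/json" };
}

// Silent acquisition first; interactive login only if there is no
// cached user. acquireToken() renews via a hidden iframe, which is the
// step that fails when login.windows.net sits in a different IE zone
// than the SharePoint site (the zone issue raised later in this thread).
function acquireApiToken() {
  return new Promise(function (resolve, reject) {
    const ctx = new AuthenticationContext({
      clientId: CLIENT_ID,
      tenant: TENANT,
      cacheLocation: "sessionStorage" // keep tokens out of localStorage
    });
    if (ctx.isCallback(window.location.hash)) ctx.handleWindowCallback();
    if (!ctx.getCachedUser()) { ctx.login(); return; } // redirect; page reloads
    ctx.acquireToken(API_APP_ID_URI, function (errorDesc, token) {
      if (errorDesc || !token) { reject(new Error(errorDesc || "no token")); return; }
      if (!isTokenUsable(token, API_APP_ID_URI)) { reject(new Error("token unusable")); return; }
      resolve(token);
    });
  });
}

// Call the API with the acquired token (browser only).
function callApi(url) {
  return acquireApiToken().then(function (token) {
    return fetch(url, { headers: bearerHeaders(token) }).then(function (r) {
      if (!r.ok) throw new Error("API returned " + r.status);
      return r.json();
    });
  });
}
```

In the web part, `callApi("https://my-web-api.example/api/items")` (placeholder URL) is all the page script needs; `fetch` can be swapped for `XMLHttpRequest` in browsers that lack it. Note that `login()` is a full-page redirect, so the promise never resolves on that code path; the token is picked up by `handleWindowCallback()` after Azure AD returns the user to the page.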
- Mudasar Syed, Brass Contributor
Hi Kiril,
We have a similar requirement of securing a web API hosted on an Azure web app using Azure AD. We are facing an issue while generating the access token from ADAL.js. Please can you share some sample code for this. Kiril Iliev
- Kiril Iliev, Brass Contributor
Hi Mudasar,
We have posted a couple of blog posts on the topic:
There are code snippets there.
- Wictor Wilen, Steel Contributor
This is something that will not work as you expect. ADAL relies on the domains of the SharePoint site, your web API (ADFS), as well as login.windows.net all being in the same zone (for Internet Explorer). This is most often not the case. Users want SharePoint domains etc. to be in the intranet zone so that you get the single-sign-on experience with ADFS, Open with Explorer and others, and you do not want login.windows.net to be in the intranet zone, since that will in the end require you to have all Microsoft sites/services in the intranet zone. So, at the moment there is no way to get it to work properly. Unless you can assume all users use Chrome, they don't want SSO and they don't use Open With Explorer.
- Kolitha de Silva, Copper Contributor
Thanks Wictor for the response. This is a real pain when migrating on-prem solutions which require integrations to on-prem systems. Not everyone wants to maintain an on-prem SharePoint server or use additional Azure paid services :)