Forum Discussion
Passing username to an external rest-service from SPFx WebPart
Hi,
I am sorry that I missed this one. I will try it out and document the result here.
Cheers,
Rickard
Any pointers to solve this when Azure is not in the picture?
A user on a SharePoint 2013 on-premise page calls an external REST API. How can the REST API authenticate the caller or verify that the proof of identity in the request (token?) is genuine?
Well, I just realized I'm in an SPFx thread :( So not the best place to put this question.
- Luis Mañez, Jul 27, 2017, MVP
It depends on how the external REST API authentication is configured, and also on whether the call inside the SP 2013 page uses server-side code (custom web part/page using farm solutions) or just JavaScript.
- Danny Foncke, Jul 27, 2017, Copper Contributor
Hi Luis, thanks for responding to this.
The external REST API is under my control; I can configure its authentication any way I want.
It is implemented in Node.js and runs on Windows Server 2016.
The call from the SP2013 page is via JavaScript.
I would like to keep it that way if at all possible.
But if a farm solution, in a supporting role, is necessary to make this work, it is possible too.
In my simple world the client-side JS would be able to obtain a 'token', send it to the REST API, and the API would be capable of verifying the token is genuine.
But I might see things too simply :)
Thanks again for your feedback on this.
- Luis Mañez, Jul 27, 2017, MVP
I guess the most standard way here is to enable OAuth 2 with OpenID Connect support in your API. No idea about how to do that with Node.js, but I guess it is possible (a quick Google search gave me this library: https://github.com/agmoyano/OpenIDConnect). If your API was ASP.NET, then you could use IdentityServer to configure the OAuth server for the API.
Once OAuth 2 / OpenID Connect is configured, you have to get a Bearer Token to call your API. From JavaScript it is a bit complex, first because the server has to allow the Implicit flow, and second because the libraries to deal with OAuth 2 are not easy. You can take a look at Hello.JS or ADAL.JS (that's the one from MS, so I'm not sure if it only works fine with Azure AD). There's another JS library from the same guys that created IdentityServer (https://github.com/IdentityModel/oidc-client-js).
If you use server-side code in the "client" (SP page), then it could be a bit easier, as you can use other OAuth flows to get the token.
It's not easy stuff, and I'm far from being an expert :)
Hope it helps.