Forum Discussion

Rickard Nilsson's avatar
Rickard Nilsson
Copper Contributor
Feb 06, 2017

Passing username to an external rest-service from SPFx WebPart

Quite often, we need to call external services from client side code. If it is a public API and you know your way around CORS, this is easy. But how do you implement a good authentication flow?   L...
developer
Danny Foncke's avatar
Danny Foncke
Copper Contributor
Jul 27, 2017

Hi Luis, thanks for responding to this

 

The external REST API is under my control, I can configure it's authentication any way I want.
It is Node.js implemented and runs on windows server 2016


The call from the SP2013 page is via JavaScript.
I would like to keep it that way if at all possible. 
But if a farm solution, in a supporting role, is necessary to make this work, it is possible too.

In my simple world the client side js would be able to obtain a 'token', send it to the REST API and the API would be capable of verifying the token is genuine.
But I might see things too simple :) 

 

Thanks again for your feedback on this

Luis Mañez's avatar
Luis Mañez
MVP
Jul 27, 2017
I guess the most standard way here is to enable oAuth 2 with OpenID Connect support in your API. No idea about how to do that with NodeJS, but I guess is possible (quick search in google give me this library: https://github.com/agmoyano/OpenIDConnect). If your API was asp.net, then you could use IdentityServer, to configure the oAuth server for the API.

Once oAuth 2 / OpenID Connect is configured, you have to get a Bearer Token to call your API. From JavaScript is a bit complex, first because the server has to allow the Implicit flow, and second cos the libraries to deal with oAuth2 are not easy. You can take a look to Hello.JS or ADAL.JS (that's the one from MS, so I'm not sure if only works fine with Azure AD). There's another JS library from the same guys that created IdentityServer (https://github.com/IdentityModel/oidc-client-js)

If you use server side code in the "client" (SP page), then it could be a bit easier, as you can use other oAuth flows to get the Token.

It's not easy stuff, and I'm far from being an expert :)

Hope it helps.
  • Danny Foncke's avatar
    Danny Foncke
    Copper Contributor
    Jul 28, 2017

    "It's not easy stuff" ... eactly 

     

    Looked into what you wrote, and think I understand it (more or less)

     

    I think my problem remains that the user is already logged in into SharePoint (on-premise) and don't want him to have an account somewhere else (google, facebook) and/or ask him (the user) to re-submit his username/password (so that my API could verify it) .....

     

    Still some research to do .....

     

     

     

    • Luis Mañez's avatar
      Luis Mañez
      MVP
      Aug 01, 2017
      if your NodeJS API is also in your On Premises infrastructure, maybe you could do some SSO between SP and your API (this is possible with WCF services hosted on IIS using Windows Authentication, but no idea when the API is in Nodejs). Perhaps start searching by Nodejs Windows Auth + SSO + SharePoint
      Please, keep us posted if you find a solution, as is a very interesting scenario.
      Good luck!
      • Butch Marshall's avatar
        Butch Marshall
        Copper Contributor
        Apr 10, 2018

        Any update on this?  I am also looking to implement using Sharepoint authentication against an external API without having any input from the user.

         

        The closes I've found is using HttpClient to pass credentials as described https://dev.office.com/blogs/calling-external-apis-securely-from-sharepoint-framework.  I've hit a blocker unfortunately.  The Authorisation header is there - but its empty!