Passing username to an external rest-service from SPFx WebPart


Quite often, we need to call external services from client side code. If it is a public API and you know your way around CORS, this is easy. But how do you implement a good authentication flow?

Let’s say you want to build a weather WebPart that pulls data from a WebAPI hosted in Azure. Because it is very secret weather data, the WebApi wants to know who is calling the service.

To do this, you need to send an access token to the WebAPI and you need an endpoint so that the WebAPI can verify this access token.

SharePoint add-ins handle all this for you, but I can’t find any documentation on how to do this without leaving the page you are in. And it doesn’t look like there are any access tokens available in the SharePoint context.

Advice much appreciated.

Please note that this is just a matter of authenticating the user and passing the username to the service, not accessing SharePoint data or services in the name of the user.

13 Replies
Hi,
Is this sample not covering your scenario?
Call custom Web API secured with AAD from SharePoint Framework client-side web part
https://github.com/SharePoint/sp-dev-fx-webparts/tree/master/samples/react-aad-webapi

Basically, you need to secure your custom web api using Azure AD, and then, from client side, you can use ADAL.js to get the Access token and call the API.

Let us know if it helps.

Hi,

I am sorry that I missed this one. I will try it out and document the result here.

Cheers,

Rickard

Any pointers to solve this when Azure is not in the picture?

A user on a SharePoint 2013 on premise page calls an external REST api. How can the REST api authenticate the caller or verify that the proof of identity in the request (token?) is genuine?

Bon, I just realized I'm in an SPFx thread :( So not the best place to put this question.

It depends on how the external REST API authentication is configured, and also on whether the call inside an SP 2013 page is using server side code (custom webpart/page using Farm solutions), or just JavaScript.

Hi Luis, thanks for responding to this

The external REST API is under my control, I can configure its authentication any way I want.
It is implemented in Node.js and runs on Windows Server 2016

The call from the SP2013 page is via JavaScript.
I would like to keep it that way if at all possible.
But if a farm solution, in a supporting role, is necessary to make this work, it is possible too.

In my simple world the client side js would be able to obtain a 'token', send it to the REST API and the API would be capable of verifying the token is genuine.
But I might see things too simple :)

Thanks again for your feedback on this

I guess the most standard way here is to enable OAuth 2 with OpenID Connect support in your API. No idea about how to do that with NodeJS, but I guess it is possible (a quick search in Google gave me this library: https://github.com/agmoyano/OpenIDConnect). If your API were ASP.NET, then you could use IdentityServer to configure the OAuth server for the API.

Once OAuth 2 / OpenID Connect is configured, you have to get a Bearer Token to call your API. From JavaScript it is a bit complex, first because the server has to allow the Implicit flow, and second because the libraries to deal with OAuth2 are not easy. You can take a look at Hello.JS or ADAL.JS (that's the one from MS, so I'm not sure if it only works fine with Azure AD). There's another JS library from the same guys that created IdentityServer (https://github.com/IdentityModel/oidc-client-js).

If you use server side code in the "client" (SP page), then it could be a bit easier, as you can use other OAuth flows to get the Token.

It's not easy stuff, and I'm far from being an expert :)

Hope it helps.

"It's not easy stuff" ... exactly

Looked into what you wrote, and think I understand it (more or less)

I think my problem remains that the user is already logged in to SharePoint (on-premise) and I don't want him to have an account somewhere else (google, facebook) and/or ask him (the user) to re-submit his username/password (so that my API could verify it) .....

Still some research to do .....

If your NodeJS API is also in your On Premises infrastructure, maybe you could do some SSO between SP and your API (this is possible with WCF services hosted on IIS using Windows Authentication, but no idea when the API is in Nodejs). Perhaps start searching for Nodejs Windows Auth + SSO + SharePoint
Please, keep us posted if you find a solution, as it is a very interesting scenario.
Good luck!

Any update on this? I am also looking to implement using Sharepoint authentication against an external API without having any input from the user.

The closest I've found is using HttpClient to pass credentials as described in this tutorial (https://dev.office.com/blogs/calling-external-apis-securely-from-sharepoint-framework). I've hit a blocker unfortunately. The Authorisation header is there - but it's empty!

Recently the SharePoint SPFx team has released a new Azure AD Http Client that helps to call Azure AD Secured APIs from SPFx. Have a look here:
https://docs.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/guidance/connect-to-api-secured-with-aad
https://www.youtube.com/watch?v=_9fGXZ4ocp4&index=3&t=0s&list=PLR9nK3mnD-OUnJytlXlO84fQnYt50iTmS

Luis.

@Butch Marshall

Hi Butch, have you ever found an answer to the question (user already logged in to SharePoint.....)?

@Danny Foncke Yep!

I use a Microsoft Graph JWT (https://docs.microsoft.com/en-us/graph/auth-overview).

I verify the JWT is genuine (https://jwt.io/) using the keys Microsoft publishes (https://login.microsoftonline.com/common/discovery/keys) and thus can trust that it is the logged in user.

Maybe someone could help me there: https://social.msdn.microsoft.com/Forums/en-US/a5bb4435-ff29-447a-b5dc-86d3d75c7ca4/best-way-to-connect-external-api-with-a-webpart-for-sharepoint-online?forum=architecturegeneral#a5bb4435-ff29-447a-b5dc-86d3d75c7ca4