Feb 06 2017 09:05 AM
Quite often, we need to call external services from client side code. If it is a public API and you know your way around CORS, this is easy. But how do you implement a good authentication flow?
Let’s say you want to build a weather WebPart that pulls data from a WebAPI hosted in Azure. Because it is very secret weather data, the WebAPI wants to know who is calling the service.
To do this, you need to send an access token to the WebAPI and you need an endpoint so that the WebAPI can verify this access token.
SharePoint add-ins handle all this for you, but I can’t find any documentation on how to do this without leaving the page you are in. And it doesn’t look like there are any access tokens available in the SharePoint context.
Advice much appreciated.
Please note that this is just a matter of authenticating the user and passing the username to the service, not accessing SharePoint data or services in the name of the user.
Feb 07 2017 02:05 AM
Feb 07 2017 06:28 AM
Hi,
I am sorry that I missed this one. I will try it out and document the result here.
Cheers,
Rickard
Jul 26 2017 11:06 PM - edited Jul 26 2017 11:08 PM
Any pointers to solve this when Azure is not in the picture?
A user on a SharePoint 2013 on-premise page calls an external REST API. How can the REST API authenticate the caller or verify that the proof of identity in the request (token?) is genuine?
Well, I just realized I'm in an SPFx thread 😞 So not the best place to put this question.
Jul 27 2017 12:12 AM
Jul 27 2017 12:23 AM - edited Jul 27 2017 12:26 AM
Hi Luis, thanks for responding to this
The external REST API is under my control, I can configure its authentication any way I want.
It is implemented in Node.js and runs on Windows Server 2016.
The call from the SP2013 page is via JavaScript.
I would like to keep it that way if at all possible.
But if a farm solution, in a supporting role, is necessary to make this work, it is possible too.
In my simple world the client side js would be able to obtain a 'token', send it to the REST API and the API would be capable of verifying the token is genuine.
But I might see things too simple 🙂
Thanks again for your feedback on this
Jul 27 2017 12:43 AM
Jul 28 2017 07:37 AM
"It's not easy stuff" ... exactly
Looked into what you wrote, and think I understand it (more or less)
I think my problem remains that the user is already logged in to SharePoint (on-premise) and I don't want him to have an account somewhere else (Google, Facebook) and/or ask him (the user) to re-submit his username/password (so that my API could verify it) .....
Still some research to do .....
Aug 01 2017 08:38 AM
Apr 10 2018 11:35 AM - edited Apr 10 2018 11:36 AM
Any update on this? I am also looking to implement using SharePoint authentication against an external API without having any input from the user.
The closest I've found is using HttpClient to pass credentials as described in this tutorial. I've hit a blocker unfortunately. The Authorisation header is there - but it's empty!
Apr 17 2018 04:25 AM
Mar 31 2019 11:25 AM
Hi butch, have you ever found an answer to the question (user already logged in to SharePoint.....)?
Mar 31 2019 06:28 PM
@Danny Foncke Yep!
I use a Microsoft Graph JWT.
I verify the JWT is genuine using the keys Microsoft publishes and thus can trust that it is the logged-in user.
Apr 16 2019 05:14 AM
Maybe someone could help me there: https://social.msdn.microsoft.com/Forums/en-US/a5bb4435-ff29-447a-b5dc-86d3d75c7ca4/best-way-to-conn...