
I was trying to use this library to connect to my SharePoint and download a file: https://github.com/vgrem/Office365-REST-Python-Client

I tried two approaches for auth:

  1. UserCredential
  2. ClientCredential

Code:

from office365.runtime.auth.client_credential import ClientCredential
from office365.sharepoint.client_context import ClientContext

client_credentials = ClientCredential(client_id, client_secret)
ctx = ClientContext(url).with_credentials(client_credentials)

# the folder request is the call that raises the error shown below
folder = ctx.web.get_folder_by_server_relative_path("Shared Documents/Documents").expand(["Files", "Folders"]).get().execute_query()

web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web title: {0}".format(web.properties['Title']))

I registered the app in the Azure Portal following a tutorial from the GitLab site, but with the first approach I get this error:

ValueError: Cannot get binary security token from https://login.microsoftonline.com/extSTS.srf

With client credentials I get:

Forbidden 403 Error

I have already checked many possibilities:

  • whether the user given is correct - the email, not the login
  • whether the password is correct - if I enter the wrong one, I get a different error
  • whether the SharePoint URL is correct - if I enter a non-existent one, I get a different error
  • whether the query produced by the library is OK - if I type it directly in the browser while logged into SharePoint, it returns the correct result

How did I register the application in Azure?

  • I went into Azure AD and created a new application
  • I generated a secret for it
  • I added read access to SharePoint under API Permissions

Is there anything else I should do? Did I leave something out? Maybe someone has encountered a similar problem?

I've run out of ideas - all links in google are already in purple.

1 Answer

When using an Azure AD Application with Application Rights on SharePoint, you must use Certificate authentication (official documentation states it is typically better to use a certificate). I could not find the page stating you must use a certificate, but that is still something I have experienced countless times.

I read in your question

I added to API Expose read access to SharePoint.

Which should rather be: "I added to API Permissions a SharePoint Application right of Sites.Read.All", if I understood correctly.

You then have two options:

1 - Use a certificate

2 - Give rights to your application on SharePoint using the SharePoint Add-In method (deprecated, but it works and is used every day)

For method 2, you will find hidden pages in SharePoint sites. The one you're first interested in is <sp-site>/_layouts/15/appinv.aspx, where you can enter your AAD App ID and click "Search", which will auto-complete the App name. You may then complete the App Domain & Redirect URL with the given examples (www.contoso.com & https://www.contoso.com/default.aspx) as they are not important in your use case. The XML may be filled in according to your needs, and you will find interesting documentation here. For example, to have Read rights on the whole site collection, it would be this exact XML (no replacing the URLs):

<AppPermissionRequests AllowAppOnlyPolicy="true">  
   <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read" />
</AppPermissionRequests>

Please note you must be this SharePoint site's Administrator (and not only in the Owners group) to grant such a right.

6 Comments

Thank you very much for answer and explanation. I will try this solution. Of course you are right, I added API Permissions - corrected.
Thanks for the tip @Gostron. I asked the administrator to add that policy to my app, and I still get that error but with different error values. Instead of (None, None, "403 Client Error: Forbidden for URL: my_url) I now have -2147024891, 'System.UnauthorizedAccessException', 'Attempted to perform an unauthorized operation.', '403 Client Error: Forbidden for URL:'. What can the problem be? Could it be because the admin has not added the App Domain and Redirect URL?
Just a client ID, client secret, and adding rights on appinv.aspx should be sufficient. App Domain and Redirect URL are a non-factor in your use case. There should be something you missed somewhere. You can manually check your token and requests using Postman or curl if you want. To do so, you must POST a form url-encoded with client_id, client_secret, grant_type='client_credentials' and resource='00000003-0000-0ff1-ce00-000000000000/$targetHost@$tenantId', where $targetHost is <tenant>.sharepoint.com and $tenantId can be retrieved on whatismytenantid.com.
This POST must be made to "accounts.accesscontrol.windows.net/$tenantId/tokens/OAuth/2" and will give you an access token you can use on future requests. Then, make a GET to <sp-site>/_api/web with the header Authorization: Bearer <access_token>. This should necessarily work if your steps were correct.
If you want tenant-wide access (meaning to all site collections), the appinv.aspx step must be done from the SharePoint Central Administration site collection (so https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx) with the correct XML. However, if your needs just require you to access a few pre-determined site collections, you should rather do the procedure on each. Please note that authentication must be made independently on each site collection, as a token is scoped to a SharePoint site collection.
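The manual check described in the comments above (client_credentials POST to ACS, then GET /_api/web with a Bearer token) as a small Python script. This is an added example, not code from the question, the answer, or the Office365-REST-Python-Client project; it uses only the standard library. The tenant id, host, client id and secret are placeholders, and the JWT used for the audience check is constructed locally and unsigned so the check runs offline. One detail the comment does not spell out and that is assumed here: ACS expects the client id qualified with the tenant id (client_id@tenant_id). The audience check is the practical test of the last comment's point that a token is scoped to one site host: a token minted for <tenant>.sharepoint.com is not accepted by <tenant>-admin.sharepoint.com.

```python
"""Offline check of the SharePoint app-only (ACS) token flow from the comments.

Added example; not code from the question, the answer, or the
Office365-REST-Python-Client project. Standard library only.
Tenant id, host, client id and secret below are placeholder assumptions;
the JWT used for the audience check is constructed locally (unsigned).
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# SharePoint Online application principal used in the ACS resource string
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2"


def acs_resource(target_host, tenant_id):
    """Resource string for one SharePoint host; ACS copies it into the token's aud."""
    return f"{SHAREPOINT_PRINCIPAL}/{target_host}@{tenant_id}"


def build_token_request(tenant_id, target_host, client_id, client_secret):
    """Return the form-encoded client_credentials POST to ACS (not sent here).

    Assumption not stated in the comment: ACS wants the client id qualified
    with the tenant id, i.e. client_id@tenant_id.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,
        "resource": acs_resource(target_host, tenant_id),
    }
    req = urllib.request.Request(
        ACS_TOKEN_URL.format(tenant_id=tenant_id),
        data=urllib.parse.urlencode(form).encode(),
    )
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def token_claims(access_token):
    """Decode the JWT payload for inspection only (signature is not verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(access_token, target_host, tenant_id):
    """True if the token was minted for the host we are about to call.

    The token is scoped to one host: a token for contoso.sharepoint.com is
    refused with 403 by contoso-admin.sharepoint.com.
    """
    return token_claims(access_token).get("aud") == acs_resource(target_host, tenant_id)


def build_web_request(site_url, access_token):
    """GET <site>/_api/web with the Bearer header (not sent here)."""
    req = urllib.request.Request(site_url.rstrip("/") + "/_api/web")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json;odata=verbose")
    return req


def send(req):
    """Send a request and return (status, body); a 403 is returned, not raised,
    so the SharePoint error text (e.g. UnauthorizedAccessException) stays visible."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def make_sample_token(aud):
    """Constructed, unsigned token so the audience check can run offline."""
    return _b64url_encode({"alg": "none"}) + "." + _b64url_encode({"aud": aud}) + "."


if __name__ == "__main__":
    # placeholders, not real values
    tenant_id, host = "11111111-2222-3333-4444-555555555555", "contoso.sharepoint.com"
    token_req = build_token_request(tenant_id, host, "client-id", "client-secret")
    print("POST", token_req.full_url)
    print(token_req.data.decode())
    token = make_sample_token(acs_resource(host, tenant_id))
    print("aud ok for", host, ":", audience_matches(token, host, tenant_id))
    print("aud ok for contoso-admin.sharepoint.com:",
          audience_matches(token, "contoso-admin.sharepoint.com", tenant_id))
    # live run against a real tenant would be:
    # status, body = send(build_web_request(f"https://{host}/sites/x", token))
```

With a real token from ACS, call send(build_web_request(...)); a 403 whose body carries System.UnauthorizedAccessException means the token was accepted but the appinv.aspx grant does not cover that site collection, whereas an audience mismatch means the token was requested for the wrong host.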
