Access SharePoint Online REST API Via Postman With User Context

Summary

SharePoint Online (SPOL) allows remote applications to call its REST API with user impersonation. This article demonstrates how to authenticate to the SPOL REST API and read data from a SharePoint list in a tenant using Postman. Outside of .NET, however, the authentication piece is not so straightforward. App authentication solves this for registered apps, but in this article you will see how remote user authentication can be achieved regardless of platform.

The goal of this article is to provide examples of the HTTP requests that need to be made in order to authenticate to SharePoint Online. It then uses the same technique to read data from a SharePoint list, just to make sure it all works.

Prerequisites

To play with this POC, you need the following:

  • An Office 365 subscription. Note: If you already have a subscription, you can use an existing account from your Office 365 subscription.
  • A SharePoint List with some data.
  • Postman, to send the HTTP requests. Click here to go through Postman Getting Started details.
  • Fiddler, to trace/debug the traffic.
  • Keep the Chrome browser and Fiddler running for this POC, but you don’t need to log in to SharePoint.

Note: The types of application where this kind of approach may be necessary include Java, PHP, or Informatica.

Steps Involved

Before we read the data from SPOL, the REST API authentication piece takes a few steps:

  • Generate Security Token
  • Generate Access Token
  • Get Request Digest

Generate Security Token

The first step is to send the username and password of a user with Read access to the SharePoint list, plus the URL of the SharePoint site we want to access, to the SharePoint Online Security Token Service.

This is done by sending a POST request with the following XML as the request body to the URL,

https://login.microsoftonline.com/extSTS.srf

(Screenshot: request body XML)

Note: Replace the following values with your data.

[User Name] – SPOL Account Username (example: [email protected])

[Password] – SPOL Account Password

[SharePoint Site URL] – SharePoint site URL where your list exists

Postman Configurations

(Screenshot: Request Body)

(Screenshot: Request Header)

Set Content-Type to application/x-www-form-urlencoded

Now, hit the Send button to view the response. Your HTTP response should be something like this:

(Screenshot: Response)

Note down the security token value inside the wsse:BinarySecurityToken tag.

Important Note: If you get the “Direct login to WLID is not allowed for this federated namespace” error, you have to follow different steps. Please refer to the C# code for tenants connected with ADFS.

Generate Access Token

Once the security token has been generated, it must be used to fetch the access token. We do this by sending a POST request to the following URL with the security token as the request body,

https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0

Postman Configurations

(Screenshot: Request Header)

(Screenshot: Request Body)

Now, hit the Send button to view the response. Your HTTP response should be something like this:

(Screenshot: Response)

The response to this request contains some cookies which must be passed with all upcoming requests. Note down the values of the rtFa and FedAuth cookies.

Get Request Digest

The request digest is SharePoint's way of ensuring that requests come from a single session. It must also be included with any POST request.

We can get the request digest value by sending a POST request to the URL below:

https://yourdomain.sharepoint.com/_api/contextinfo

Add the rtFa and FedAuth cookie values as a Cookie header on the request.

Postman Configurations

(Screenshot: Request Header)

Now hit the Send button to view the response. Your HTTP response should be something like this:

(Screenshot: Response)

Note down the request digest value inside the d:FormDigestValue tag, including the date and time zone portion.

Read Data from SharePoint List

Now we pass the d:FormDigestValue along with the rtFa and FedAuth cookie values in the header section to access the SharePoint list via the List REST API endpoint, as shown below:

Postman Configurations

(Screenshot: Request Header)

(Screenshot: Response)

As you can see, we are able to read the SharePoint list data via the REST API without logging in to the SharePoint site in the browser.

Now you can try to mimic the same process in your own server-side language that supports web requests and work against SharePoint Online. The C# version of the same concept can be found here.
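The whole flow described above (security token, sign-in cookies, request digest, list read) as an added Python example; this is not code from the original article or its C# sample. It assumes the well-known WS-Trust RequestSecurityToken envelope for extSTS.srf, which the article shows only as a screenshot, and it injects the HTTP transport (`post`) so the parsing logic is exercised offline against constructed sample replies: `canned_post`, the `SAMPLE_*` values and all function names are mine. It goes a little beyond the article in three places a practitioner cares about: the credentials are XML-escaped before being placed in the envelope, the STS fault the article mentions for federated tenants is raised instead of returning an empty token, and FormDigestTimeoutSeconds is read so the digest can be refreshed before it expires.

```python
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

STS_URL = "https://login.microsoftonline.com/extSTS.srf"
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "d": "http://schemas.microsoft.com/ado/2007/08/dataservices"}

def build_sts_request(username, password, site_url):
    """WS-Trust RequestSecurityToken envelope for extSTS.srf. Credentials are XML-escaped:
    without escape(), a password containing '&' or '<' would corrupt the envelope."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">{STS_URL}</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{NS['wsse']}">
      <o:UsernameToken><o:Username>{escape(username)}</o:Username>
        <o:Password>{escape(password)}</o:Password></o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference><a:Address>{escape(site_url)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""

def extract_security_token(sts_response):
    """BinarySecurityToken from the STS reply; a SOAP Fault is raised, not swallowed."""
    root = ET.fromstring(sts_response)
    fault = root.find(".//s:Fault", NS)  # e.g. 'Direct login to WLID is not allowed' (ADFS)
    if fault is not None:
        raise PermissionError("STS fault: " + " ".join(fault.itertext()).strip())
    token = root.find(".//wsse:BinarySecurityToken", NS)
    if token is None or not (token.text or "").strip():
        raise ValueError("no BinarySecurityToken in STS response")
    return token.text.strip()

def extract_cookie_header(set_cookie_headers):
    """Cookie header built from the rtFa and FedAuth Set-Cookie values of the sign-in reply.
    They are bearer session cookies: whoever holds them is the user until expiry, so never log them."""
    found = {}
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() in ("rtFa", "FedAuth"):
            found[name.strip()] = rest.split(";", 1)[0]
    if found.keys() != {"rtFa", "FedAuth"}:
        raise ValueError("sign-in response lacked rtFa/FedAuth; got " + ", ".join(found))
    return "rtFa=%s; FedAuth=%s" % (found["rtFa"], found["FedAuth"])

def extract_form_digest(contextinfo_xml):
    """FormDigestValue and its lifetime from /_api/contextinfo. The digest expires after
    FormDigestTimeoutSeconds, so refresh it instead of caching it for the whole session."""
    root = ET.fromstring(contextinfo_xml)
    digest = root.find(".//d:FormDigestValue", NS)
    if digest is None:
        raise ValueError("no FormDigestValue in contextinfo response")
    return digest.text, int(root.find(".//d:FormDigestTimeoutSeconds", NS).text)

def list_items_request(site_url, list_title, cookie, digest):
    """URL and headers for the list read; X-RequestDigest is what SharePoint checks on POSTs."""
    title = list_title.replace("'", "''")  # OData string-literal escaping
    url = "%s/_api/web/lists/getbytitle('%s')/items" % (site_url.rstrip("/"), title)
    return url, {"Accept": "application/json;odata=verbose",
                 "Cookie": cookie, "X-RequestDigest": digest}

def authenticate(username, password, site_url, post):
    """Run the three auth steps via post(url, body, headers) -> (status, set_cookies, body).
    site_url is the tenant root (https://yourdomain.sharepoint.com), as in the article."""
    site = site_url.rstrip("/")
    envelope = build_sts_request(username, password, site)
    _, _, sts_body = post(STS_URL, envelope, {"Content-Type": "application/x-www-form-urlencoded"})
    token = extract_security_token(sts_body)
    _, set_cookies, _ = post(site + "/_forms/default.aspx?wa=wsignin1.0", token, {})
    cookie = extract_cookie_header(set_cookies)
    _, _, ctx = post(site + "/_api/contextinfo", "", {"Cookie": cookie})
    digest, timeout = extract_form_digest(ctx)
    return cookie, digest, timeout

# Constructed sample replies (not captured from a real tenant) served by canned_post below.
SAMPLE_STS = ('<S:Envelope xmlns:S="%s" xmlns:wsse="%s"><S:Body><wsse:BinarySecurityToken Id="Compact0">'
              't=EXAMPLE-TOKEN&amp;p=</wsse:BinarySecurityToken></S:Body></S:Envelope>' % (NS["s"], NS["wsse"]))
SAMPLE_COOKIES = ["rtFa=EXAMPLE-RTFA; path=/; secure; HttpOnly",
                  "FedAuth=EXAMPLE-FEDAUTH==; path=/; secure; HttpOnly"]
SAMPLE_CONTEXTINFO = ('<d:GetContextWebInformation xmlns:d="%s"><d:FormDigestTimeoutSeconds>1800'
                      '</d:FormDigestTimeoutSeconds><d:FormDigestValue>0xEXAMPLE,09 Aug 2017 10:00:00 '
                      '-0000</d:FormDigestValue></d:GetContextWebInformation>' % NS["d"])

def canned_post(url, body, headers):
    # Stand-in transport; swap in a real HTTP client that returns the Set-Cookie values and body.
    if url == STS_URL:
        return 200, [], SAMPLE_STS
    if "wsignin1.0" in url:
        return 200, SAMPLE_COOKIES, ""
    return 200, [], SAMPLE_CONTEXTINFO
```

To run it against a tenant, replace `canned_post` with a function that issues the POST through a real HTTP client and returns the status, the list of Set-Cookie header values and the body text. The cookie string and the digest that `authenticate` returns are credentials in their own right, so keep them out of logs and discard them when the session ends; and since this is a legacy username/password flow, tenants that require multi-factor authentication or block legacy authentication will refuse it at the STS step, which the fault handling above reports instead of silently returning nothing.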

Issues Faced

If you are not able to generate the REQUEST DIGEST value, refer to the article below:

403 Forbidden from /_api/contextinfo when using Chrome Postman REST App