We are using the Sharepoint Rest API to index contents.
Due to a customer's security requirement, we can only use API permissions as granted in the Sharepoint Admin Center in combination with an app-only principal with a secret.
We registered an application in the Azure AD Admin Center and granted it permissions as described here.
We then wrote a piece of Java Code that adapts the requests described here to retrieve a JWT:
List<NameValuePair> params = new ArrayList<>(10);
params.add(new BasicNameValuePair("grant_type", "client_credentials"));
params.add(new BasicNameValuePair("client_id", clientId + "@" + directoryId));
params.add(new BasicNameValuePair("client_secret", clientSecret));
params.add(new BasicNameValuePair("resource", "00000003-0000-0ff1-ce00-000000000000/" + targetHost + "@" + directoryId));
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
HttpPost post = new HttpPost("https://accounts.accesscontrol.windows.net/" + directoryId + "/tokens/OAuth/2");
post.setEntity(new UrlEncodedFormEntity(params, Consts.UTF_8));
String result;
try (CloseableHttpResponse response = httpClient.execute(post)) {
if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK)
throw new SharepointClient.HttpStatusException(response.getStatusLine().getStatusCode());
result = Strings.fromUtf8(IO.readAll(response.getEntity().getContent()));
}
accessToken = new JsonData(result).get("access_token");
}
We then use the token as a bearer token in the authorization header for all requests to the API.
This worked fine for a couple of months until about a week ago. Since then, we're only receiving 403 responses.
HttpResponseProxy{HTTP/1.1 403 Forbidden [Cache-Control: private, max-age=0, Transfer-Encoding: chunked, Content-Type: application/json;odata=verbose;charset=utf-8, Expires: Wed, 30 Sep 2020 09:58:49 GMT, Last-Modified: Thu, 15 Oct 2020 09:58:49 GMT, P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", X-SharePointHealthScore: 2, X-MSDAVEXT_Error: 917656; Zugriff+verweigert.+Zum+%c3%96ffnen+von+Dateien+an+diesem+Speicherort+m%c3%bcssen+Sie+zun%c3%a4chst+zur+Website+wechseln+und+die+Option+zur+automatischen+Anmeldung+aktivieren., DATASERVICEVERSION: 3.0, X-AspNet-Version: 4.0.30319, SPRequestGuid: f7dd839f-10d1-2000-73fa-40c47dd29bbb, request-id: f7dd839f-10d1-2000-73fa-40c47dd29bbb, MS-CV: n4Pd99EQACBz+kDEfdKbuw.0, Strict-Transport-Security: max-age=31536000, X-FRAME-OPTIONS: SAMEORIGIN, Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com;, X-Powered-By: ASP.NET, MicrosoftSharePointTeamServices: 16.0.0.20530, X-Content-Type-Options: nosniff, X-MS-InvokeApp: 1; RequireReadOnly, X-MSEdge-Ref: Ref A: 330CB0BA15E647CC8B732FCC45D4F950 Ref B: AM3EDGE0620 Ref C: 2020-10-15T09:58:49Z, Date: Thu, 15 Oct 2020 09:58:49 GMT] ResponseEntityProxy{[Content-Type: application/json;odata=verbose;charset=utf-8,Chunked: true]}}
The error message is in german (I don't know why, the whole system is set to english). It sais: "Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login."
Does anyone know what might have changed? Do we need to change something in the requests?
We already checked:
- The secret is not expired
- Authentication via certificate and Azure AD Admin Center permissions is still working (same API requests, just the token retrieval is done with msal4j)
- Sending the token request and the API requests via Postman leads to the same results
The reason for the error is not that you lack permissions. According to the error message
Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login.Do you need:
1.Authenticate to Office 365.
2.Add your SharePoint Online sites to trusted sites.
3.Check the status of the WebClient service.
see: Troubleshoot mapped network drives that connect to SharePoint Online.