1
votes

I am trying to use the SharePoint lists API https://xx.sharepoint.com/_api/web/lists. I am getting an "Unsupported app only token" error when I try to access the above API. I have referred to the documentation referenced in this answer. I have added a certificate to the registered app as well, but I am still getting the same error. I am fetching the SharePoint token as follows:

URL "https://login.microsoftonline.com/xx.onmicrosoft.com/oauth2/v2.0/token"

Body

  1. grant_type -> client_credentials
  2. scope -> https://xx.sharepoint.com/.default
  3. client_id -> client id of the app
  4. client_secret -> client secret of the app
2
Hi, do you have a chance to check any of the answers? - Allen Wu

2 Answers

0
votes

That is not how certificate credentials work. A certificate credential is a JSON Web Token (JWT) assertion, signed with a certificate that the application owns, which the application presents to authenticate. See details here.

So you cannot use a client secret to get the access token.

You need to set up an Azure AD app for app-only access first. Please refer to the samples in Granting access via Azure AD App-Only.

using OfficeDevPnP.Core;
using System;

namespace AzureADCertAuth
{
    class Program
    {
        static void Main(string[] args)
        {
            string siteUrl = "https://contoso.sharepoint.com/sites/demo";

            // PnP builds the certificate-signed JWT assertion, exchanges it for an
            // app-only access token and attaches that token to the ClientContext.
            // Arguments: site URL, application (client) id, tenant, path to the .pfx
            // that holds the certificate's private key, and the .pfx password.
            using (var cc = new AuthenticationManager().GetAzureADAppOnlyAuthenticatedContext(
                siteUrl, "<application id>", "contoso.onmicrosoft.com", @"C:\BertOnlineAzureADAppOnly.pfx", "<password>"))
            {
                cc.Load(cc.Web, p => p.Title);
                cc.ExecuteQuery();
                Console.WriteLine(cc.Web.Title);
            }
        }
    }
}

And here are sample projects in GitHub.

0
votes

I have met this error before. In fact, the app id + app secret authorization flow is not supported in the app-only scenario. Using either the client id and client secret of your application or the client id and a certificate will give you a valid access token; however, only the access token obtained using a certificate is allowed to be used with SharePoint Online. If you try to use an app-only access token obtained using the client id and client secret, SharePoint Online will return the following error:

Unsupported app only token.

If you want to get authorized in a daemon app, you may need to turn to "appid + certificate" as @allen wu suggested.

Below is the underlying authorization process:

BR
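Added example (not code from the question or either answer): the token request both answers describe, with the client_secret field replaced by a certificate-signed JWT assertion, plus a check that predicts the "Unsupported app only token" error from the token itself. Azure AD records how the client authenticated in the appidacr claim (v1 tokens) or azpacr claim (v2 tokens): "1" means client secret, "2" means certificate, and SharePoint Online app-only calls require "2". The tenant, client id and certificate bytes are constructed placeholders, the RS256 signer assumes the third-party `cryptography` package, and the HTTP helpers are not exercised offline.

```python
import base64
import hashlib
import json
import time
import urllib.request
import uuid
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders (assumptions for this example, not values from the page).
TENANT = "xx.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SCOPE = "https://xx.sharepoint.com/.default"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id: str, token_url: str, cert_der: bytes,
                           sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """Build the RS256 JWT that takes the place of client_secret.

    cert_der: DER bytes of the certificate uploaded to the app registration; its
              SHA-1 thumbprint goes in the x5t header so Azure AD can match the key.
    sign:     callable producing a PKCS#1 v1.5 / SHA-256 signature with the private key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {
        "aud": token_url,           # the endpoint the assertion is presented to
        "iss": client_id,           # issuer and subject are both the app itself
        "sub": client_id,
        "jti": str(uuid.uuid4()),   # unique per assertion; Azure AD rejects replays
        "nbf": now,
        "exp": now + 600,           # short-lived: the assertion is used once
    }
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def rs256_signer_from_pem(pem: bytes, password: Optional[bytes] = None) -> Callable[[bytes], bytes]:
    """Real signer built on the `cryptography` package (optional dependency, imported lazily)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=password)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_body(client_id: str, scope: str, assertion: str) -> Dict[str, str]:
    """Form fields for the certificate flow. Compare with the question: no client_secret."""
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }


def jwt_payload(token: str) -> dict:
    """Read JWT claims WITHOUT verifying the signature; for local diagnostics only."""
    return json.loads(b64url_decode(token.split(".")[1]))


def sharepoint_accepts(access_token: str) -> Tuple[bool, str]:
    """Predict 'Unsupported app only token' before calling SharePoint.

    appidacr (v1) / azpacr (v2): "0" public client, "1" client secret, "2" certificate.
    """
    claims = jwt_payload(access_token)
    acr = str(claims.get("azpacr", claims.get("appidacr", "")))
    if acr == "2":
        return True, "token obtained with a certificate assertion"
    if acr == "1":
        return False, "token obtained with a client secret; SharePoint Online rejects it"
    return False, f"unexpected client authentication method {acr!r}"


def fetch_access_token(body: Dict[str, str], token_url: str = TOKEN_URL) -> str:
    """POST the form to Azure AD (network call; not part of the offline run)."""
    req = urllib.request.Request(token_url, data=urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_titles(site_url: str, access_token: str) -> list:
    """Call /_api/web/lists with the bearer token (network call)."""
    req = urllib.request.Request(f"{site_url}/_api/web/lists?$select=Title",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Accept": "application/json;odata=nometadata"})
    with urllib.request.urlopen(req) as resp:
        return [item["Title"] for item in json.load(resp)["value"]]


if __name__ == "__main__":
    # Real use: sign = rs256_signer_from_pem(open("app-key.pem", "rb").read()); cert_der from the .cer file;
    # token = fetch_access_token(token_request_body(CLIENT_ID, SCOPE, assertion)); sharepoint_accepts(token).
    stand_in = lambda data: hashlib.sha256(data).digest()  # placeholder signer, NOT a valid RS256 signature
    print(build_client_assertion(CLIENT_ID, TOKEN_URL, b"constructed-cert-bytes", stand_in)[:80], "...")
```

Run sharepoint_accepts on the token you already have before touching the lists endpoint: a token with appidacr "1" will produce exactly the error in the question no matter which certificate is uploaded to the app, because the certificate only changes the token when it is used to sign the client_assertion.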