Authentication using ClientID and Secret

[gavdgavd]

Looking for help about the use of authentication in PnP Core SDK using the AD Client ID with a Secret.
Working to get data from SharePoint using the PnP Core SDK, I must use an Azure App Registration with Application rights (not Delegated rights); thus, I do have only the ClientID and the Secret.
The only way to authenticate using the PnP Core SDK with a secret seems to be using OnBehalfOfAuthenticationProvider. Unfortunately, the fourth parameter of OnBehalfOfAuthenticationProvider is a function that provides the OAuth bearer Token from Azure (the first three parameters are known: ClintId, TenantId, and Secret). But at the moment of creation of the Builder, the call hasn't made yet a trip to Azure, thus the Token is unknown. Additionally, I do not see the reason why the Token must be given as input parameter to ask for the Token again.
Tried to use ExternalAuthenticationProvider as well, giving the Token obtained through a direct call to Azure, but that is very convoluted, and I am getting the cryptic error "One or more errors occurred".
Any example and/or idea will be very appreciated. Thanks in advance.

[jansenbe]

Hi @gavdgavd ,

App-only authentication against SharePoint Online requires certificate based authentication for calling the "classic" SharePoint REST/CSOM APIs. The SharePoint Graph calls can work with clientid+secret, but since PnP Core SDK requires both type of APIs (as not all features are exposed via the Graph APIs) you need to use certificate based auth. See https://pnp.github.io/pnpcore/demos/README.html for our samples, the Authentication Type column in the tables shows the used auth provider and allows you to pick a relevant sample.

[jansenbe]

Hi @aathar ,

Using Azure ACS is not natively possible in PnP Core SDK as Azure ACS is a legacy authentication concept that for the most part already has been deprecated. In SharePoint it's still supported for the moment. What you should do is use certificate based authentication and setup this up in Azure AD (see https://pnp.github.io/pnpcore/demos/Demo.AzureFunction.OutOfProcess.AppOnly/readme.html for a sample that uses certificate based auth and which shows how to set this up).

[gavdgavd]

Hi @jansenbe Bert,
I know we discussed this sometime ago, but the situation is still bottering me, probably you can enlighten me.

Microsoft deprecated the Azure ACS for SharePoint, that is known. As it is also known that ACS "a kind of" secret based authentication was, and that it is still useable for SharePoint Add-Ins, but not for normal calls against the server. But an Azure App Registration with a Secrets schema is a different thing than the ACS.

I can send a query to Microsoft Graph to get information from SharePoint using an Azure App Registration based on Secrets authentication. It just works fine; I can give you the code if you are interested (PowerShell using the normal "Invoke-RestMethod" and "Invoke-WebRequest" cmdlets). I don't think Graph is using the Azure ACS, but, of course, I am not sure about that because I do not know how Graph works internally.

Do you have any idea why I can use Graph in this way to approach SharePoint, but it doesn't work using other methods?

I appreciate your comments, thanks a lot.
Gr.,
Gustavo

[jansenbe]

@gavdgavd : SharePoint REST/CSOM APIs only work with certificate auth when using an Azure AD app setup, pure Graph calls can work with clientid/secret, but since PnP Core SDK requires SharePoint REST we don't support that option. We'll not add ACS support due to above explained reasons.

[yueming-zhang]

@jansenbe, I found your reply is very insightful, Hope you can help.

I need to access SharePoint online from Linux OS. Could you point me out what's the best way to generate certificate on Ubuntu? Most of the online helps today are using PowerShell.

Alternatively, if I generate the cert using PowerShell on a windows OS, and then move it Ubuntu, I don't think it will work. But Please correct me.

Thank you in advance.

[jansenbe]

@yueming-zhang : see https://learn.microsoft.com/en-us/dotnet/core/additional-tools/self-signed-certificates-guide#with-openssl