In my company, IT has just set up a new SharePoint 2019 on-premises farm that is hybrid, using Azure AD for authentication.
I'm a site collection admin for my SharePoint website. Let's say the URL to SharePoint is https://aymeric.sp.my-company.com
When I access this URL I'm automatically redirected to https://login.microsoftonline.com/TENANT-ID/wsfed?wa=wsignin1.0&wtrealm=urn%3aSharepoint%3afederation&wctx=https%3a%2f%2faymeric.sp.my-company.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&wreply=https%3a%2f%2faymeric.sp.my-company.com%2f_trust%2fdefault.aspx&sso_nonce=AQABAAAAAABeAFzDwllzTYGDLh_qYbH87qVvvwM4pLiqYXloFo6Il7_-ry9WsQiAA&client-request-id=8dacdcfb-c68f-4ec2-a3e7-7760cecf3699&mscrid=8dacdcfb-c86f-4ec2-a3e7-7760cecf3699, where I'm automatically identified and redirected back to SharePoint with the correct profile.
One of my IT contacts gave me the information below:
Now I'm trying to access the SharePoint Web Services (like https://aymeric.sp.my-company.com/_vti_bin/UserProfileService.asmx) using JavaScript and a Node app (node index.js).
I'm using this technique with a SharePoint 2013 on-premises farm and I have no issue: I just pass my credentials using https://github.com/s-KaiNet/node-sp-auth and it just works.
If I try to access the SP 2019 Web Services in the browser, it just works too.
But using a Node app with this hybrid SharePoint based on Azure AD, I cannot find how to pass credentials. What do I send? How do I authenticate? Do I need to use an Azure AD App to connect to my on-premises SharePoint? If yes, how do I configure it? Should I just send an "Authorization" header with "Bearer" and an access token? If yes, how do I get this access token?
Whatever I try (and I tried dozens and dozens of things), I always end up with (in the best case) a 403 error: "Access denied. You do not have permission to perform this action or access this resource."
I tried different authentications; I also tried adal-node with an Azure AD App created from https://portal.azure.com/, but it's confusing. After two days of searching and trying, I feel like I need help.
Thanks
Finally, because I'm not a farm/server admin, my last option was to retrieve the FedAuth cookie, which can then be sent with every request to be recognized by SharePoint.
I "just" mimicked the browser's behavior by creating a Node.js script that reproduces all the required steps.
10 calls, including redirections, a form POST and Kerberos authentication, are required to finally get the precious FedAuth cookie.
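As an added illustration of the approach described in this answer (this is not the answerer's script, and the Kerberos step is not reproduced here), the block below shows the three mechanical pieces a Node.js client has to get right to end up with a FedAuth cookie: reading the WS-Federation parameters (`wa`, `wtrealm`, `wctx`, `wreply`) from the redirect SharePoint issues, parsing the auto-post form that the identity provider returns with `wa`, `wresult` and `wctx`, and following the chain of redirects and POSTs while collecting `Set-Cookie` headers until `FedAuth` appears. The `/_trust/default.aspx` endpoint name comes from the question; the hosts under `example.invalid`, the in-memory `mockTransport`, and the token values are constructed stand-ins so the whole thing runs offline. With a real deployment you would pass a transport built on `https.request` or `fetch` that returns `{status, location, setCookie, body}` in the same shape.

```javascript
'use strict';
// Added example, not code from the original post. Transport is injected so the
// flow can be driven by a constructed in-memory mock (below) or a real HTTP client.

// 1. SharePoint's redirect target is a WS-Fed sign-in request; read its parameters.
function parseWsFedRequest(redirectUrl) {
  const p = new URL(redirectUrl).searchParams;
  return {
    action: p.get('wa'),       // "wsignin1.0" for a sign-in request
    realm: p.get('wtrealm'),   // relying-party identifier, e.g. urn:Sharepoint:federation
    context: p.get('wctx'),    // where SharePoint wants to land after sign-in
    reply: p.get('wreply'),    // SharePoint's WS-Fed endpoint (/_trust/default.aspx)
  };
}

// 2. The identity provider answers with an HTML page whose form auto-posts
//    wa / wresult / wctx back to wreply. Extract the action and hidden fields.
function decodeHtml(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}
function parseAutoPostForm(html) {
  const action = /<form[^>]*action="([^"]+)"/i.exec(html);
  const fields = {};
  const re = /<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) fields[m[1]] = decodeHtml(m[2]);
  return { action: action ? decodeHtml(action[1]) : null, fields };
}

// 3. Minimal cookie jar: keep name=value pairs from Set-Cookie headers.
function storeCookies(jar, setCookieHeaders) {
  for (const h of setCookieHeaders || []) {
    const pair = h.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
}

// 4. Drive the chain: follow 3xx redirects, auto-submit any WS-Fed sign-in form,
//    and stop as soon as SharePoint sets FedAuth. Bounded by maxHops so a broken
//    or looping chain fails loudly instead of spinning.
async function acquireFedAuth(transport, startUrl, maxHops = 10) {
  const jar = {};
  let method = 'GET', url = startUrl, body = null;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = await transport(method, url, body);
    storeCookies(jar, res.setCookie);
    if (jar.FedAuth) return { fedAuth: jar.FedAuth, hops: hop + 1, jar };
    if (res.status >= 300 && res.status < 400 && res.location) {
      method = 'GET'; url = new URL(res.location, url).toString(); body = null;
      continue;
    }
    const form = parseAutoPostForm(res.body || '');
    if (form.action && form.fields.wa === 'wsignin1.0' && form.fields.wresult) {
      method = 'POST'; url = form.action; body = form.fields;
      continue;
    }
    throw new Error(`stuck at ${url} (status ${res.status})`);
  }
  throw new Error(`no FedAuth cookie after ${maxHops} hops`);
}

// Constructed offline stand-in for SharePoint + the identity provider (three hops).
const SP = 'https://sp.example.invalid';
const IDP = 'https://idp.example.invalid/wsfed?wa=wsignin1.0&wtrealm=urn%3aSharepoint%3afederation'
  + '&wctx=' + encodeURIComponent(SP + '/') + '&wreply=' + encodeURIComponent(SP + '/_trust/default.aspx');
async function mockTransport(method, url, body) {
  if (method === 'GET' && url === SP + '/') return { status: 302, location: IDP };
  if (method === 'GET' && url.startsWith('https://idp.example.invalid/wsfed')) {
    return { status: 200, body:
      `<form method="POST" action="${SP}/_trust/default.aspx">`
      + '<input type="hidden" name="wa" value="wsignin1.0"/>'
      + '<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse/&gt;"/>'
      + `<input type="hidden" name="wctx" value="${SP}/"/></form>` };
  }
  if (method === 'POST' && url === SP + '/_trust/default.aspx' && body && body.wresult) {
    return { status: 302, location: body.wctx,
             setCookie: ['FedAuth=constructed-token-value; path=/; HttpOnly; Secure'] };
  }
  return { status: 404, body: '' };
}

acquireFedAuth(mockTransport, SP + '/').then(r => console.log(r.hops, 'hops, FedAuth =', r.fedAuth));
```

Once obtained, the FedAuth value goes into a `Cookie: FedAuth=...` header on each web-service request. It is a bearer session credential equivalent to the completed sign-in, so treat it like a password: keep it out of logs and source control, and expect it to expire, at which point the chain has to be run again.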