Hi @David S,
Thank you for posting in this community.
According to your error "Either scp or roles claim need to be present in the token.", this means that the token you generated doesn't have a scp or roles claim; these two parts are used to indicate the permissions you have been given. This is what it usually looks like:
The scp part of the token after the JWT resolution.
First, we suspect that there is something wrong with the way the token is being obtained.
Delegated permissions are only available in a delegated authentication flow, so you should use a delegated authentication flow to obtain an access token, such as the auth code flow or the ROPC flow (not really recommended, as it writes the password in plaintext in the request used to generate the token).
If you don't know much about this, I suggest you refer to this article to regenerate your token. This article has more detailed steps: Get access on behalf of a user.
Secondly, this could also be caused by you being given incorrect permissions.
I would suggest that you confirm with the administrator who gave you the permissions that you were given permissions under Microsoft Graph and not SharePoint and that these permissions have been agreed to by the administrator.
Setting it up incorrectly will result in the token being generated not containing the permissions at all, thus resulting in the scp part being missing.
Finally, for your newly generated token, we recommend that you use this JWT tool to parse it, mainly checking that the token has the scp part and has the permissions you need.
Note: This link is non-official, just for reference.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
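The answer above suggests pasting the new token into a JWT tool and checking for the scp part. The following is an added example (not code from the answer, from Microsoft, or from the thread) that does the same check offline in Python: it base64url-decodes the payload of a compact JWT, reports whether it carries a `scp` claim (delegated permissions) or a `roles` claim (application permissions), and also surfaces the `aud` claim so you can see whether the token was issued for Microsoft Graph rather than SharePoint. The function names and the sample tokens are constructed for this example; the sample tokens are unsigned, and the decoder deliberately does not verify a signature, so it tells you what a token says about itself, not whether it is genuine.

```python
import base64
import json

# Well-known identifiers for the Microsoft Graph resource, used only to flag
# whether the token's audience is Graph (the answer's "Graph, not SharePoint" check).
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in a JWT payload WITHOUT verifying the signature.

    This mirrors what an online JWT decoder shows. It proves nothing about who
    issued the token; any real consumer must validate the signature separately.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_claims(token: str) -> dict:
    """Classify the Graph permissions carried by the token.

    'scp'   -> space-separated delegated permissions from a user (delegated) flow
    'roles' -> list of application permissions from a client-credentials flow
    Having neither is exactly the condition behind the error quoted in the thread.
    """
    claims = decode_jwt_payload(token)
    scp = claims.get("scp")
    roles = claims.get("roles")
    aud = claims.get("aud")
    return {
        "flow": "delegated" if scp else ("application" if roles else "none"),
        "delegated": scp.split() if scp else [],
        "application": list(roles) if roles else [],
        "audience": aud,
        "audience_is_graph": aud in GRAPH_AUDIENCES,
        "ok": bool(scp or roles),
    }


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only.

    Real tokens from Microsoft Entra are signed; a token with alg "none" and an
    empty signature must be rejected by any real validator. It exists here only
    so the decoder above has something to parse without network access.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed samples (not real tokens):
# - a delegated token for Graph carrying scp
# - a token for Graph that carries neither scp nor roles (the failing case)
# - an application token carrying roles
GOOD_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Sites.Read.All User.Read"}
)
BAD_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "upn": "user@example.com"}
)
APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]}
)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN), ("app", APP_TOKEN)):
        print(name, permission_claims(tok))
```

Run it against a freshly obtained token by replacing the sample with the real string; if `ok` is false, the token never received permissions (the second cause in the answer), and if `audience_is_graph` is false, it was issued for a different resource.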