1

I am trying to get OAuth code to access sites and lists from SharePoint Online. Below are the steps that I have performed:

  1. Register application at URL https://adventurer.sharepoint.com/_layouts/15/appregnew.aspx
  2. Generate Client ID and Secret at above URL and create the application.
  3. Request OAuth code from user's credentials by accessing below URL:

https://adventurer.sharepoint.com/_layouts/15/OAuthAuthorize.aspx?client_id=ebd57c66-97dd-498d-83f5-eedd6536bbc2&scope=Web.Read List.Write &response_type=code&redirect_uri=https://localhost/SharePointOnlineSample

After authentication from SharePoint server, I get error as "access_denied". I don't know what is causing this issue. If I remove the scope from above URL and grant permission to application using below URL:

https://adventurer.sharepoint.com/_layouts/15/appinv.aspx

and below XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

It works just fine. But I want to know the correct approach. Why is this XML required to grant permission? Why can't I just get OAuth code using scope in request URL?

Improve this question

1 Answer 1

Reset to default
0

From https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint:

For add-ins that request permissions on the fly, only a user with Manage permissions to the SharePoint resources that the add-in seeks to access can run the add-in, even if the add-in is asking only for lesser permissions, such as Read.

Also see https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/authorization-code-oauth-flow-for-sharepoint-add-ins:

In some scenarios, an add-in can request permission to access SharePoint resources on the fly...

Note

This type of add-in can only be run by users who have Manage permissions to the resources the add-in wants to access. For example, if an add-in requests only Read permission to a website, a user who has Read, but not Manage, rights to the website cannot run the add-in.

Looks like the user that requests the code does not have Manage permissions on SharePoint and therefore depends on the requested permission to be defined for the app.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.