Sharepoint 365 ACS OAuth in Objective-C: realm error - Help Needed
Okay, so we are building an iPhone app to hit a Sharepoint 2013 site that is hosted on Office 365. If I were building this in C#, which I've already done, I would have the luxury of just using TokenHelper.cs to get me most of the way there. Unfortunately, as far as I know, there is no TokenHelper for Objective-C yet.

So here's the deal, we can already successfully get the OAuth authentication/authorization page to come up and we successfully get an Authorization Code back.

After this point we were stumped for a bit because we knew that we were missing the realm id in the POST for obtaining our Access and Refresh tokens. I finally figured out how TokenHelper does this and we've duplicated that. (This was an additional call to /_vti_bin/client.svc where you expect to get a 401 so that you can pull the realm id out of the header)

We now have a realm id that, from what I've read in documentation and TokenHelper and seen in Fiddler, needs to then get used in the following 2 ways: within the URL construction for the POST as well as for the resource value in the header for that POST.

So the POST url looks like this:

accounts.accesscontrol.windows.net/{realm id}/tokens/oauth/2

Our resource value looks like this:

resource=00000003-0000-0ff1-ce00-000000000000%2f{realm url}%40{realm id}

This at least connects fine and accepts our POST. Unfortunately, we are getting the following message back:

ACS50012: Authentication failed. ACS90011: The realm '' is not a configured realm of the current service namespace.

This message makes me think that there may be a configuration issue, but I really can't be sure.

Has anyone else tried performing OAuth against a 365 site yet within Objective-C and had success?

I can post code as well, but I was trying to shy away from that initially.

Marqueritemarques answered 19/12, 2013 at 14:14 Comment(4)
I had some questions around the content of the POST, so I'm sharing what I can - obviously I can't divulge the client id or secret. [ URL: accounts.accesscontrol.windows.net/e8f0027b-39c8-49a0-8fce-bb606a118df8/tokens/OAuth/2, Header: Content-Type= application/x-www-form-urlencoded, Body: grant_type=authorization_code&client_id={client id}&client_secret={client secret}&redirect_uri={uri}&resource=00000003-0000-0ff1-ce00-000000000000%2Fthreewill.sharepoint.com%40e8f0027b-39c8-49a0-8fce-bb606a118df8 ]Marqueritemarques
Hi, are you able to fix this problem? Please share your solution.Curare
I have not solved this yet, actually. I will try to revisit either this week or next though. The Microsoft Open Tech team recently released an API for OAuth against O365 for Android, so obviously it's doable - I will try to look through that for the solution.Marqueritemarques
Been a while, but did you get any further on this? I can introduce you to the OpenTech team if you would like?Simpleminded
I recently came across the same problem and have a feeling it may be the same issue you are seeing.

The correct POST request for OAuth is as follows:

POST https://accounts.accesscontrol.windows.net/<REALM_GUID>/tokens/OAuth/2
x-www-form-urlencoded params:
grant_type:authorization_code
client_id:<CLIENT_ID>@<REALM_GUID>
client_secret:<CLIENT_SECRET>
code:<AUTH_CODE>
redirect_uri:<REDIRECT_URI>
resource:00000003-0000-0ff1-ce00-000000000000/<SHAREPOINT_AUTHORITY>@<REALM_GUID>

The major gotcha for me was that the value of the "client_id" required the realm id appended to the client id. Not including the realm id will throw an "ACS90011: The realm '' is not a configured realm of the current service namespace."

HTH

Tiffanietiffanle answered 16/6, 2014 at 17:27 Comment(2)
Needs to be marked as an answer! This is definitely missing in the MS documentation!Erode
Definitely agree with @palig. Thanks a million.Velazquez
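The two steps the thread describes, pulling the realm out of the 401 challenge and then building the realm-qualified token request, as an added example (not code from the original post; the header sample, GUIDs and host names are constructed placeholders, and `missing_realm_fields` is an added pre-flight check that catches the bare `client_id` behind the ACS90011 error before anything is sent):

```python
import re
from urllib.parse import parse_qs, urlencode

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_HOST = "https://accounts.accesscontrol.windows.net"

# Constructed sample of the WWW-Authenticate header sent with the 401 from
# /_vti_bin/client.svc; the realm GUID and issuer are made-up placeholders.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="11111111-2222-3333-4444-555555555555",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*"'
)


def realm_from_header(www_authenticate):
    """Extract the realm GUID from a 'Bearer realm="..."' challenge, or None."""
    m = re.search(r'realm="([^"]+)"', www_authenticate)
    return m.group(1) if m else None


def build_token_request(realm, client_id, client_secret, code, redirect_uri, sp_host):
    """Return (url, form_body) for the ACS authorization-code exchange."""
    if not realm:
        raise ValueError("realm is required; read it from the 401 challenge first")
    url = f"{ACS_HOST}/{realm}/tokens/OAuth/2"
    params = {
        "grant_type": "authorization_code",
        # The realm must be appended here too; a bare client_id yields ACS90011.
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{sp_host}@{realm}",
    }
    # urlencode turns '/' and '@' into %2F and %40, as in the Fiddler capture.
    return url, urlencode(params)


def missing_realm_fields(form_body, realm):
    """Pre-flight check: names of fields that should be realm-qualified but are not."""
    fields = parse_qs(form_body)
    suffix = "@" + realm
    return [k for k in ("client_id", "resource")
            if not fields.get(k, [""])[0].endswith(suffix)]
```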