Inspecting SharePoint 2013 ContextToken and Refresh Token


In a previous post I briefly discussed OAuth tokens and SharePoint 2013 authentication and authorization. Two tokens, the context token and the refresh token, are involved in the life cycle of SharePoint 2013 app authentication and authorization. These are not SAML 1.1 tokens; their format is a bit different. The whole intent of this article is to inspect these tokens and understand what they are.

In this article I will create a sample auto-hosted app and, inside the Page_Load of the app web project (of the auto-hosted app), add a snippet of code that fetches and inspects the OAuth context token and refresh token.

Let’s create a sample auto-hosted app in Visual Studio 2012 named ‘TestAppforOAuth’.

[Screenshot: pic2]

Open default.aspx.cs in the app web project.

Import the following namespaces at the top of the file (System is already present in the template and is needed for Uri):

using System;
using Microsoft.SharePoint.Client;
using System.Net;
using System.IO;

In the Page_Load method, add the following snippet of code:

// TrustAllCertificates() disables TLS certificate validation. It is only acceptable
// on a development box with self-signed certificates; remove it before going to production.
TokenHelper.TrustAllCertificates();

// SharePoint POSTs the context token to the app when the app is launched.
string contextTokenString = TokenHelper.GetContextTokenFromRequest(Request);

if (contextTokenString != null)
{
    // Validates the signature, validity window and audience of the context token;
    // the audience must match the host name the app is actually served from.
    SharePointContextToken contextToken =
        TokenHelper.ReadAndValidateContextToken(contextTokenString, Request.Url.Authority);

    Response.Write("<h2>Valid context token</h2>");
    Response.Write("<p>" + Server.HtmlEncode(contextToken.ToString()) + "</p>");
    Response.Flush();

    // SPHostUrl identifies the SharePoint site that launched the app.
    Uri sharepointUrl = new Uri(Request.QueryString["SPHostUrl"]);

    // The refresh token carried inside the context token is exchanged for an access token.
    string accessToken =
        TokenHelper.GetAccessToken(contextToken, sharepointUrl.Authority).AccessToken;

    Response.Write("<h2>Valid access token retrieved</h2>");
    Response.Write("<p>" + Server.HtmlEncode(accessToken) + "</p>");
    Response.Flush();

    // Call the SharePoint REST API, presenting the access token as an OAuth bearer token.
    HttpWebRequest request =
        (HttpWebRequest)WebRequest.Create(sharepointUrl.ToString() + "/_api/Web/title");
    request.Headers.Add("Authorization", "Bearer " + accessToken);

    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    using (StreamReader reader = new StreamReader(response.GetResponseStream()))
    {
        Response.Write("<h2>Web title retrieved using REST</h2>");
        Response.Write("<p>" + Server.HtmlEncode(reader.ReadToEnd()) + "</p>");
        Response.Flush();
    }
}

Configure tenant-level Read permission for the app.

[Screenshot: app permission 1]

[Screenshot: app permission 2]

Hit F5 to deploy the app, then trust it. If we inspect the tokens, they are not SAML; they are what are called JWT (JSON Web Token) tokens.

[Screenshot: tokens]
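To see what a JWT actually carries, here is an added Python example (not from the original post and not the SharePoint TokenHelper code) that splits a compact JWT into header, payload and signature, decodes the JSON parts, and then performs the checks that ReadAndValidateContextToken performs on a context token: the HMAC-SHA256 signature against the app's client secret, the nbf/exp validity window and the audience. The secret, realm, principal ids and claim values are constructed for the example; the claim names are chosen to resemble those of a SharePoint context token and are an assumption here, as is the use of the client secret bytes directly as the HMAC key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: nothing here is a real tenant, client id, secret or token.
SECRET = b"constructed-client-secret-not-real"
NOW = 1700000000
EXPECTED_AUDIENCE = "client-id-placeholder/app.example.test@realm-placeholder"
SAMPLE_CLAIMS = {
    "aud": EXPECTED_AUDIENCE,
    "iss": "acs-principal-placeholder@realm-placeholder",
    "nbf": NOW - 60,
    "exp": NOW + 12 * 3600,
    "appctxsender": "sharepoint-principal-placeholder@realm-placeholder",
    "refreshtoken": "constructed-refresh-token-value",
    "isbrowserhostedapp": "true",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT checking the signature (the 'inspect' step).
    Everything returned here is untrusted until validate_hs256 has accepted the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "signature_b64url": parts[2],
    }


def validate_hs256(token: str, secret: bytes, expected_audience: str,
                   now: Optional[int] = None) -> dict:
    """Verify the HMAC-SHA256 signature, then the nbf/exp window and the aud claim.
    Returns the claims only if every check passes; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, ".".join(parts[:2]).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch: token was not issued with this secret")
    claims = json.loads(_b64url_decode(parts[1]))
    current = int(time.time()) if now is None else now
    if current < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid (nbf is in the future)")
    if current >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch: token was issued for a different app")
    return claims


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SECRET)
    print(json.dumps(inspect_jwt(token), indent=2))
    claims = validate_hs256(token, SECRET, EXPECTED_AUDIENCE, now=NOW)
    print("validated; sender:", claims["appctxsender"])
```

Note that inspect_jwt is deliberately separate from validate_hs256: decoding a JWT is just base64url and JSON, so anything read from an un-validated token (including the refreshtoken claim) must be treated as attacker-controlled until the signature, time window and audience have been checked against the app's own secret and host name.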
