Category: oAuth

SharePoint 2013 OAuth Tokens–Frequently asked questions


In one of my previous blog posts I wrote about the SharePoint 2013 App authentication flow, which briefly covered the OAuth protocol. There is a lot to learn about OAuth, and I feel it is worth compiling an FAQ on it. This post is the result:

1. What is a Context Token?

The context token carries app configuration information and is issued by Windows Azure Access Control Services (ACS). The trusted ACS server signs and issues the context token when it receives a request from the app.

2. What is the format of the CacheKey of a Context Token?

The CacheKey of a context token is a combination of UserNameId, UserNameIdIssuer, ApplicationId and Realm:

CacheKey = UserNameId + "," + UserNameIdIssuer + ApplicationId + "," + Realm

Note: The cache key does not contain site URL details. It relies on the uniqueness of the realm, so it is unique per user, app and tenant.

3. What does a Context Token look like?

A context token is illustrated below:


4. What information is present in the Context Token?

Field | Description | Sample value
aud | 'aud' stands for audience. Its format is {target client ID}/{target URL authority}@{target realm} |
iss | 'iss' stands for issuer. It represents the principal that created the token. Its format is {ACS}@{target realm} | ACS
realm | Tenancy realm |
nbf | 'nbf' stands for not before. It represents the start of the token's validity | nbf
exp | 'exp' stands for expiration. It represents the time after which the token is no longer valid | exp
actor | The principal identity of SharePoint 2013 | SharePoint 2013


5. How do I calculate the validity start and expiry timestamps from nbf and exp?

nbf and exp follow the JWT specification: each is the number of seconds elapsed since 1 January 1970.
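As an added example (not code from the original post or from SharePoint's TokenHelper), the Python below decodes a constructed context-token-style JWT, verifies its HS256 signature with the app's client secret, checks the aud claim against the format given in Q4, and converts nbf and exp into UTC timestamps as described in Q5. The secret, realm, client ID and token are constructed for the demo; ACS and SharePoint are assumed to be identified by their well-known principal IDs.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def to_utc(seconds: int) -> datetime:
    # nbf/exp are JWT NumericDate values: seconds since 1970-01-01T00:00:00Z.
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def make_token(claims: dict, secret: bytes) -> str:
    # Builds a constructed HS256 JWT standing in for an ACS-issued context token.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_context_token(token: str, secret: bytes, expected_aud: str, now: int) -> list:
    # Returns a list of problems; an empty list means the claims may be trusted.
    problems = []
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return ["signature does not verify"]  # never act on claims of an unverified token
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch: " + str(claims.get("aud")))
    if now < claims["nbf"]:
        problems.append("not yet valid until " + to_utc(claims["nbf"]).isoformat())
    if now >= claims["exp"]:
        problems.append("expired at " + to_utc(claims["exp"]).isoformat())
    return problems

# Constructed sample values (not a real tenant, client ID or client secret).
SECRET = b"constructed-client-secret"
REALM = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
AUD = f"{CLIENT_ID}/app.example.com@{REALM}"   # {client ID}/{URL authority}@{realm}
CLAIMS = {
    "aud": AUD,
    "iss": f"00000001-0000-0000-c000-000000000000@{REALM}",  # {ACS}@{realm}
    "realm": REALM,
    "nbf": 1500000000,              # 2017-07-14T02:40:00Z
    "exp": 1500000000 + 12 * 3600,  # constructed 12-hour validity window
    "actor": f"00000003-0000-0ff1-ce00-000000000000@{REALM}",  # SharePoint principal
}
TOKEN = make_token(CLAIMS, SECRET)
```

Calling validate_context_token(TOKEN, SECRET, AUD, now=1500001000) returns an empty list; the same call with a wrong secret, a different audience, or a time outside the nbf/exp window returns the reason the token must be rejected.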

6. How long is a refresh token valid?

The refresh token is valid for 6 months (as of today's App Authentication Framework design).

7. Can we store the access token in cookies?

It is recommended not to store the access token in cookies (it is not very secure). The refresh token (which is valid for 6 months) can be stored in cookies, and a new access token can be requested based on the stored refresh token.

8. Can we grant or deny permission to launch an app?

No. If the user has access to browse the site, he will automatically be able to launch the app. Grant or deny permissions for an app can be defined only at install time.

9. Can we use the HTTP DAV protocol (HTTP DAV APIs) inside the app?

The HTTP DAV protocol does not work with OAuth.

10. Will the AppId and SecretId be the same across all tenants for a given app?

The AppId and SecretId are constant across all tenants for a given app if the app runs in a separate remote web application and is registered in the Seller Dashboard.
