Category: SharePoint 2013 App

SharePoint 2013 App

Inspecting SharePoint 2013 ContextToken and Refresh Token

In previous post, I briefly discussed about the OAuth Tokens and SharePoint 2013 Authentication & Authorization.  We know that there are couple of tokens, namely Context-Token and Refresh-Token are involved in the life-cycle of SharePoint 2013 App Authentication and Authorization. These tokens are not exactly the SAML 1.1 tokens and they  are bit different. The whole intend of this article is to inspect and understand what these tokens are.

In this article I would be creating a sample Auto-Hosted App, inside the page_load of the App-web project (of auto-hosted app) I would be adding some snippet of code to inspect and fetch the OAuth Context Token and Refresh Token.

Let’s create a sample Auto-Hosted App in Visual Studio 2012 with name ‘TestAppforOAuth’,


Open the default.aspx.cs of the AppWeb Project

Import the following namespaces at the top of the project

using Microsoft.SharePoint.Client;
using System.Net;
using System.IO;

In the Page_Load method add the following snippet of code

string contextTokenString =

if (contextTokenString != null)
            SharePointContextToken contextToken =
                  contextTokenString, Request.Url.Authority);

            Response.Write("<h2>Valid context token</h2>");
                  "<p>" + contextToken.ToString() + "</p>");

            Uri sharepointUrl = new      
            string accessToken =

            Response.Write("<h2>Valid access token 
            Response.Write("<p>" + accessToken + "</p>");

            HttpWebRequest request =
                   (sharepointUrl.ToString() + 
            request.Headers.Add("Authorization", "Bearer " +
            HttpWebResponse response = 
            StreamReader reader = new 

            Response.Write("<h2>Web title retrieved using 
            Response.Write("<p>" + reader.ReadToEnd() + "</p>");

Configure the Tenant level Read Permission for the App.

app permission1

app permission2

Hit F5, Deploy the app and trust it. If we inspect the Tokens these are not SAML, they are what they call it as JWT Tokens.


 Subscribe to my blog

Understanding OAuth in the world of SharePoint 2013 App

The OAuth is the new buzz in the world of SharePoint 2013 App development.  Just to remember, OAuth is not the protocol for authenticating users to access SharePoint. It would still be done by Claims Authentication. The OAuth comes into picture when we want to authenticate and authorize SharePoint 2013 Apps.

I’ll start with some briefing on OAuth and the key concepts that we need to understand about OAuth. OAuth is the internet protocol for creating and managing app identity. It is also a cross-platform mechanism for authentication and authorizing apps. The OAuth is also the emerging internet standard which is used by Facebook, Twitter and Google.

OAuth gives the power and flexibility of having app identity in addition to the user identity. Here are the some pointers about App Identity

  • App should be granted permissions independently of user permission
  • App can request specific permission from the user during installation
  • App can be granted more permission than the user (Elevation)
  • App is constrained to what it can do during and after installation

Here are some important concepts around OAuth

1. Content Owner – User who grants permission to content in a site

2. Client App – This is the remote App (running on a Cloud or Hosted environment) that needs permission to Site Content . In our case it is SharePoint 2013 App

3. Content Server – The web server that serves the content to be accessed by App. In our case it is SharePoint 2013 Server (Cloud or On-Premise)

4. Authentication Server – Trusted server that authenticates apps and creates oAuth tokens. In our case it is Azure ACS server or oAuth compatible authentication server


Let’s see what is happening in each step in the above picture.

Step 1 –> The user accesses the SharePoint 2013 portal and SharePoint 2013 authenticates the user using Claims Authentication

Step 2 –>  SharePoint 2013 requests for the Context Token for the user, from Windows Azure ACS (Access Control Services)

Step 3 –> ACS returns Context Token

Step 4 –> SharePoint 2013 passes the Context Token to the user

Step 5 –> User accesses App using Context Token

Step 6 –> Client App pulls Refresh Token from the Context Token and requests ACS for oAuthToken

Step 7 –> ACS server returns OAuth token to the client app

Step 8 –> Client App makes CSOM/REST calls to SharePoint site by passing OAuth Token

Step 9 –> SharePoint 2013 returns site content to App based on the App Permission Manifests

Step 10 –> Client App returns the App Content to the user

 Subscribe to my blog