In the previous post, I briefly discussed OAuth tokens and SharePoint 2013 authentication and authorization. We know that a couple of tokens, namely the context token and the refresh token, are involved in the life cycle of SharePoint 2013 app authentication and authorization. These tokens are not SAML 1.1 tokens; they are a bit different. The whole intent of this article is to inspect and understand what these tokens are.
In this article I will create a sample auto-hosted app and, inside the Page_Load of the app web project (of the auto-hosted app), add a snippet of code to inspect and fetch the OAuth context token and refresh token.
Let’s create a sample auto-hosted app in Visual Studio 2012 with the name ‘TestAppforOAuth’.
Open the default.aspx.cs of the AppWeb project.
Import the following namespaces at the top of the file:
using Microsoft.SharePoint.Client;
using System.Net;
using System.IO;
In the Page_Load method, add the following snippet of code:
// Accepts any TLS certificate from the SharePoint host; intended for local debugging only.
TokenHelper.TrustAllCertificates();

// The context token arrives as a POST parameter with the app launch request.
string contextTokenString = TokenHelper.GetContextTokenFromRequest(Request);
if (contextTokenString != null)
{
    // Validates the token's signature (with the app's client secret) and its audience
    // before anything inside it is trusted.
    SharePointContextToken contextToken = TokenHelper.ReadAndValidateContextToken(
        contextTokenString, Request.Url.Authority);
    Response.Write("<h2>Valid context token</h2>");
    Response.Write("<p>" + contextToken.ToString() + "</p>");
    Response.Flush();

    // Exchange the refresh token carried inside the context token for an access token.
    Uri sharepointUrl = new Uri(Request.QueryString["SPHostUrl"]);
    string accessToken = TokenHelper.GetAccessToken(contextToken, sharepointUrl.Authority).AccessToken;
    Response.Write("<h2>Valid access token retrieved</h2>");
    Response.Write("<p>" + accessToken + "</p>");
    Response.Flush();

    // Use the access token as a bearer token against the SharePoint REST API.
    HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(sharepointUrl.ToString() + "/_api/Web/title");
    request.Headers.Add("Authorization", "Bearer " + accessToken);
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    StreamReader reader = new StreamReader(response.GetResponseStream());
    Response.Write("<h2>Web title retrieved using REST</h2>");
    Response.Write("<p>" + reader.ReadToEnd() + "</p>");
    Response.Flush();
}
Configure the tenant-level Read permission for the app.
Hit F5 to deploy the app and trust it. If we inspect the tokens, they are not SAML tokens; they are what are called JWT (JSON Web Token) tokens.
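To see concretely what "they are JWT tokens" means, here is an added example (not code from the post, and not the SharePoint TokenHelper) that builds a constructed HS256-signed JWT shaped like a context token, inspects its three dot-separated parts, and then performs the checks that ReadAndValidateContextToken performs on the real token before trusting it: signature with the client secret, audience, and validity window. It is written in Python rather than C# so it runs anywhere; the client secret, the claim values and the placeholder principal names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Decode base64url text; JWTs strip the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_context_token(claims: dict, client_secret: bytes) -> str:
    """Constructed stand-in for the token issuer: header.payload signed with HS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token: str) -> dict:
    """Decode header and payload for inspection only; nothing here is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature_bytes": len(b64url_decode(parts[2])),
    }


def validate_context_token(token: str, client_secret: bytes, expected_audience: str, now: int):
    """Return (True, payload) if the token is trustworthy, else (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # the verifier, not the token, picks the algorithm
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    payload = json.loads(b64url_decode(parts[1]))  # only parsed once the signature holds
    if payload.get("aud") != expected_audience:
        return False, "audience mismatch"
    if now < payload.get("nbf", 0):
        return False, "not yet valid"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, payload


def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return header + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


# Constructed sample: secret and claim values are illustrative placeholders.
CLIENT_SECRET = b"constructed-client-secret-not-a-real-one"
SAMPLE_CLAIMS = {
    "aud": "app-client-id/app.contoso.local@tenant-realm",
    "iss": "acs-principal@tenant-realm",
    "nbf": 1_700_000_000,
    "exp": 1_700_043_200,
    "appctxsender": "sharepoint-principal@tenant-realm",
    "refreshtoken": "constructed-opaque-refresh-token",
}
SAMPLE_TOKEN = make_context_token(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN), indent=2))
    print(validate_context_token(SAMPLE_TOKEN, CLIENT_SECRET, SAMPLE_CLAIMS["aud"], now=1_700_000_100))
```

The order of checks matters: the signature is verified with the client secret before any claim is read, the audience check stops a token minted for another app from being accepted, and the nbf/exp window bounds how long a leaked context token remains usable. The refresh token is a claim inside the signed payload, which is why the real TokenHelper can pull it out of a validated context token and exchange it for an access token.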