Unauthorized error while authenticating Sharepoint REST API using Python

huangapple go评论91阅读模式
英文:

Unauthorized error while authenticating Sharepoint REST API using Python

问题

我正在尝试通过REST API从SharePoint Online数据库下载文件,该数据库使用多因素ADFS身份验证。到目前为止,我找到了这些帖子(帖子1帖子2),它们讨论发送SAML请求到STS以从https://login.microsoftonline.com/extSTS.srf接收安全令牌。我在网上找到了多个示例,它们使用相同的方法来验证其请求。然而,当我将SAML请求发送到上述的Microsoft URL时,我收到了以下错误。

AADSTS50126:由于无效的用户名或密码而导致的凭据验证错误。

我对SharePoint数据库具有适当的访问权限,因为在使用经过身份验证的会话的浏览器进行API请求(用于检查可用列表而不是进行身份验证)时,我能够获得有效的响应。您有任何关于我可能做错了什么的想法,或者关于MFA保护的SharePoint库是否支持身份验证的想法吗?

英文:

I am trying to download a file from a SharePoint Online data library via REST API which uses a multi-factor ADFS authentication, so far I found these posts (Post1, Post2) which talk about sending a SAML request to STS to receive a security token from https://login.microsoftonline.com/extSTS.srf, I have found multiple examples online which uses the same method to authenticate their requests. However, when I send the SAML request to the above Microsoft URL, I receive the error below.

>AADSTS50126: Error validating credentials due to invalid username or password.

I have appropriate access to the SharePoint data library as I was able to get a valid response to an API request (to check available lists and not for authentication) when using a browser with authenticated session. Any idea on what I might be doing wrong or even if authentication is possible for MFA secured SharePoint library.

答案1

得分: 1

Microsoft文档中没有官方说明来确认这一点。但MFA帐户和AAD令牌不兼容。

您必须使用未启用MFA的服务帐户(用户名/密码)来执行操作。当您使用服务帐户调用SPO Web API以获取令牌时,这将起作用。

当您的浏览器会话处于打开状态时,令牌将可用于Cookie中,您将能够无问题访问库。对于POSTMAN或SOAP-UI测试,也适用相同原理。

因为MFA需要用户交互,所以这是不可能的。请参考这个GitHub问题:Trouble spo login with an account with multi-factor authentication

我们在Dynamics CRM中使用"Application User"概念来实现相同的方法。阅读更多

英文:

There is no official word in any Microsoft Documentation to confirm this. But MFA account + AAD token is not compatible.

You have to use a service account (username/password) without MFA enabled for it. This will work when you invoke the SPO web api using the service account for getting tokens.

When you have a browser session in open state, the token will be available in cookies & you will be able to access the library without issue. The same applies to POSTMAN or SOAP-UI testing.

Because MFA needs user interaction, this is not possible. Refer this github issue: Trouble spo login with an account with multi-factor authentication

We do "Application User" concept in Dynamics CRM for the same approach. Read more

huangapple
  • 本文由 发表于 2020年1月3日 22:32:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/59580348.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定