GoDoc
Twitter
GitHub
Introduction
FAQ
Authentication strategies
Overview
Strategies
Custom Auth
Azure Device Flow
On-Demand Auth
Alternative NTLM
Dynamic auth
SharePoint client
HTTP Client
Fluent API
Hooks
Retries
Context
Samples
Basic CRUD
Documents
Chunk upload
Permissions
Groups & Users
Search API
User Profiles
Change API
Attachments
Record Management
Sending Emails
Property Bags
Recycle Bin
Feature management
Advanced item requests
Advanced add/update
Unmarshaling responses
Sandbox
Overview
Utilities
Headers presets
Cpass
Compatibility matrix
Contributing
Overview
Testing
Powered by GitBook

Azure Device Flow

Azure AD Device token authentication (sample)

This article is the sample showing Gosip custom auth with AAD Device Token Authorization.

If you want users to sign in interactively, the best way is through device token authentication. This authentication flow passes the user a token to paste into a Microsoft sign-in site, where they then authenticate with an Azure Active Directory (AAD) account. This authentication method supports accounts that have multi-factor authentication enabled, unlike standard username/password authentication.

Custom auth implementation

Check out the code on GitHub.

The implementation is pretty straightforward and follows the principles described in details on Custom Auth docs page.

Azure App registration

1. Create or use existing app registration

2. Make sure that the app is configured to support device flow

  • Authentication settings

  • App permissions

    • Azure Service Management :: user_impersonation

    • SharePoint :: based on your application requirements

  • etc. based on application needs

Auth configuration and usage

package main
import (
	"fmt"
	"log"
	"os"
	"github.com/koltyakov/gosip"
	"github.com/koltyakov/gosip/api"
	strategy "github.com/koltyakov/gosip-sandbox/strategies/device"
)
func main() {
	authCnfg := &strategy.AuthCnfg{
		SiteURL:  os.Getenv("SPAUTH_SITEURL"),
		ClientID: os.Getenv("SPAUTH_AAD_CLIENTID"),
		TenantID: os.Getenv("SPAUTH_AAD_TENANTID"),
	}
	client := &gosip.SPClient{AuthCnfg: authCnfg}
	sp := api.NewSP(client)
	res, err := sp.Web().Select("Title").Get()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Site title: %s\n", res.Data().Title)
}

When started the application interacts with user using device login.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin 
and enter the code CL25ZF5N7 to authenticate.

After opening the link, providing device code and authenticating in browser the app is ready for communication with your SharePoint site.

The strategy caches auth token in the context of the AAD ClientID. As a result, you won't see the sign in message. If it's not the desired behavior .CleanTokenCache() method can be called to clean the local cache.

Note, that the technique is mostly applicable when user interaction is assumed. Usage of that auth approach in the headless scenarios is not the best as it can lead "stuck" application if no-one expects sign in interaction.

Authentication strategies - Previous
Custom Auth
Next
On-Demand Auth
Last updated 7 months ago
Edit on GitHub
Contents
Custom auth implementation
Azure App registration
Auth configuration and usage