GoDoc
Twitter
GitHub
Introduction
FAQ
Authentication strategies
Overview
Strategies
Custom Auth
Azure Certificate Auth
Azure Device Flow
On-Demand Auth
Alternative NTLM
Dynamic auth
SharePoint client
HTTP Client
Fluent API
Hooks
Retries
Context
Samples
Basic CRUD
Documents
Chunk upload
Permissions
Groups & Users
Search API
User Profiles
Change API
Attachments
Record Management
Sending Emails
Property Bags
Recycle Bin
Feature management
Advanced item requests
Advanced add/update
Unmarshaling responses
Sandbox
Overview
Utilities
Headers presets
Cpass
Compatibility matrix
Contributing
Overview
Testing
Powered by GitBook

On-Demand Auth

Browser input interactive auth flow

During the development, it's common to face a situation when production-level auth (AddIn Onli, Azure AD application) can't be configured in the desired timeframes and no auth strategies work. A simple example might be 2FA (multi-factor authentication) or custom ADFS provider. As a quick workaround, the On-Demand auth can help.

On-Demand means that an interactive browser session is started where a user can provide the credentials as if he/she opens the SharePoint site and follows the same flow as reaching the site in a browser.

In that strategy, the application actually opens the browser and communicates via debug protocol for the auth cookies when uses them in the requests.

Check On-Demand auth sources at GitHub.

On-Demand auth is based on Lorca project, however, a vital part of the functionality is not exposed as a public API in Lorca, so the dependency is imported from a fork with only that small change in exposing one additional method.

Lorca masters Chrome Debug Protocol, therefore, the Chrome/Chromium browser must be installed in the system where On-Demand auth is intended to be called.

Chrome is required for the strategy to work

Configure and usage sample

package main
import (
	"fmt"
	"log"
	"os"
	"github.com/koltyakov/gosip"
	"github.com/koltyakov/gosip/api"
	strategy "github.com/koltyakov/gosip-sandbox/strategies/ondemand"
)
func main() {
	authCnfg := &strategy.AuthCnfg{
		SiteURL: os.Getenv("SPAUTH_SITEURL"),
	}
	client := &gosip.SPClient{AuthCnfg: authCnfg}
	sp := api.NewSP(client)
	res, err := sp.Web().Select("Title").Get()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Site title: %s\n", res.Data().Title)
}

On-Demand configuration assumes only SiteURL to be provided as everything else is dynamically resolved while the transition to the browser page.

The auth technique works for any strategy which is based on the cookies.

The strategy caches the cookies in the context of the SharePoint host. As a result, you won't see the credentials prompt each time. If it's not the desired behavior .CleanCookieCache() method can be called to clean the local cache.

Note, that the technique is only applicable when user interaction is assumed. Never ever use that auth approach in headless scenarios.

Previous
Azure Device Flow
Next
Alternative NTLM
Last updated 11 months ago
Edit on GitHub