Introduced support for SharePoint authentication via OAuth (app principal)

Author: vgrem

examples/sharepoint_client_flow_auth.py

@@ -0,0 +1,35 @@
+import json
+
+from office365.runtime.auth.authentication_context import AuthenticationContext
+from office365.runtime.client_request import ClientRequest
+from office365.runtime.utilities.request_options import RequestOptions
+from office365.sharepoint.client_context import ClientContext
+
+app_settings = {
+    'url': 'https://contoso.sharepoint.com/',
+    'client_id': '8efc226b-ba3b-4def-a195-4acdb8d20ca9',
+    'client_secret': '',
+    'redirect_url': 'https://github.com/vgrem/Office365-REST-Python-Client/'
+}
+
+
+if __name__ == '__main__':
+    context_auth = AuthenticationContext(url=app_settings['url'])
+    if context_auth.acquire_token_for_app(client_id=app_settings['client_id'], client_secret=app_settings['client_secret']):
+        """Read Web client object"""
+        ctx = ClientContext(app_settings['url'], context_auth)
+
+        request = ClientRequest(ctx)
+        options = RequestOptions("{0}/_api/web/".format(app_settings['url']))
+        options.set_header('Accept', 'application/json')
+        options.set_header('Content-Type', 'application/json')
+        data = ctx.execute_request_direct(options)
+        s = json.loads(data.content)
+        web_title = s['Title']
+        print("Web title: {0}".format(web_title))
+
+    else:
+        print(context_auth.get_last_error())
+
+
+

office365/runtime/auth/acs_token_provider.py

@@ -0,0 +1,76 @@
+import requests
+
+import office365.logger
+from office365.runtime.auth.base_token_provider import BaseTokenProvider
+
+
+class ACSTokenProvider(BaseTokenProvider, office365.logger.LoggerContext):
+    """ Provider to acquire the access token from a Microsoft Azure Access Control Service (ACS)"""
+
+    def __init__(self, url, client_id, client_secret):
+        self.url = url
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.redirect_url = None
+        self.access_token = None
+        self.error = None
+        self.SharePointPrincipal = "00000003-0000-0ff1-ce00-000000000000"
+
+    def acquire_token(self):
+        try:
+            realm = self.get_realm_from_target_url()
+            try:
+                from urlparse import urlparse  # Python 2.X
+            except ImportError:
+                from urllib.parse import urlparse  # Python 3+
+            url_info = urlparse(self.url)
+            self.access_token = self.get_app_only_access_token(url_info.hostname, realm)
+            return True
+        except requests.exceptions.RequestException as e:
+            self.error = "Error: {}".format(e)
+            return False
+
+    def get_realm_from_target_url(self):
+        response = requests.head(url=self.url, headers={'Authorization': 'Bearer'})
+        return self.process_realm_response(response)
+
+    def get_app_only_access_token(self, target_host, target_realm):
+        resource = self.get_formatted_principal(self.SharePointPrincipal, target_host, target_realm)
+        client_id = self.get_formatted_principal(self.client_id, None, target_realm)
+        sts_url = self.get_security_token_service_url(target_realm)
+        oauth2_request = self.create_access_token_request(client_id, self.client_secret, resource)
+        response = requests.post(url=sts_url, headers={'Content-Type': 'application/x-www-form-urlencoded'}, data=oauth2_request)
+        return response.json()
+
+    @staticmethod
+    def process_realm_response(response):
+        header_key = "WWW-Authenticate"
+        if header_key in response.headers:
+            auth_values = response.headers[header_key].split(",")
+            bearer = auth_values[0].split("=")
+            return bearer[1].replace('"', '')
+        return None
+
+    @staticmethod
+    def get_formatted_principal(principal_name, host_name, realm):
+        if host_name:
+            return "{0}/{1}@{2}".format(principal_name, host_name, realm)
+        return "{0}@{1}".format(principal_name, realm)
+
+    @staticmethod
+    def get_security_token_service_url(realm):
+        return "https://accounts.accesscontrol.windows.net/{0}/tokens/OAuth/2".format(realm)
+
+    @staticmethod
+    def create_access_token_request(client_id, client_secret, scope):
+        data = {
+            'grant_type': 'client_credentials',
+            'client_id': client_id,
+            'client_secret': client_secret,
+            'scope': scope,
+            'resource': scope
+        }
+        return data
+
+    def get_authorization_header(self):
+        return 'Bearer {0}'.format(self.access_token["access_token"])

office365/runtime/auth/authentication_context.py

@@ -1,3 +1,4 @@
+from office365.runtime.auth.acs_token_provider import ACSTokenProvider
 from office365.runtime.auth.base_authentication_context import BaseAuthenticationContext
 from office365.runtime.auth.saml_token_provider import SamlTokenProvider
 
@@ -11,13 +12,23 @@ def __init__(self, url):
         self.provider = None
 
     def acquire_token_for_user(self, username, password):
-        """Acquire user token"""
+        """Acquire token via user credentials"""
         self.provider = SamlTokenProvider(self.url, username, password)
         return self.provider.acquire_token()
 
+    def acquire_token_for_app(self, client_id, client_secret):
+        """Acquire token via client credentials"""
+        self.provider = ACSTokenProvider(self.url, client_id, client_secret)
+        return self.provider.acquire_token()
+
     def authenticate_request(self, request_options):
         """Authenticate request"""
-        request_options.set_header('Cookie', self.provider.get_authentication_cookie())
+        if isinstance(self.provider, SamlTokenProvider):
+            request_options.set_header('Cookie', self.provider.get_authentication_cookie())
+        elif isinstance(self.provider, ACSTokenProvider):
+            request_options.set_header('Authorization', self.provider.get_authorization_header())
+        else:
+            raise ValueError('Unknown authentication provider')
 
     def get_auth_url(self, redirect_url):
         return ""

office365/runtime/auth/saml_token_provider.py

@@ -1,5 +1,4 @@
 import os
-import sys
 from xml.etree import ElementTree
 
 import requests