How to pass SharePoint access token from logic app to HTTP endpoint - sharepoint-2013

I have a logic app which triggers my HTTP endpoint every 15 minutes. Then the endpoint connects to SharePoint using Rest API and gets the data from specific list which is then added to my db.
But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself? or is there any to pass access token from my logic app while triggering my endpoint ?

As first answer. Yes, implement logic to get access token in HTTP Endpoint using SharePoint Online REST API.
Through such guides may be 1, 2, 3, 4. I think not exists any ways to pass access token from Azure logic app to your endpoint.
As second answer I can suggest to use SharePoint CSOM object model. To using it just install SharePoint Online Client Components SDK on computer where is your HTTP endpoint located and add Microsoft.SharePoint.Client.dll Microsoft.SharePoint.Client.Runtime.dll libraries as references. There exists good SharepointOnlineCredentials class to give credentials to requests.
Or other ways - you can re-architecture your solution:
Azure Logic Apps if I understood correctly must ask you to set connection to SharePoint by out-of-box features. See this article. I think you can get list items from SharePoint by actions in Azure Logic App and pass data to your HTTP endpoint without any additional access token requests just as method arguments.
If you have access to HTTP Endpoint from SharePoint then you can send data from SharePoint to your endpoint directly, not from Azure logic apps. You can do it from list items form pages, from site workflows or may be some Flow templates.
If you don't have access to HTTP Endpoint from SharePoint then you can create Azure hosted web service and call its methods from SharePoint by any ways. This web service will pass data to your HTTP endpoint as method arguments without any additional authentication. Web service call will be done from JavaScript on list item form save, from SharePoint workflow. May be here to get access token to this Azure web service will be easier then from your HTTP Endpoint to SP.
Are you using Azure SQL Database ? If yes then create connection between SharePoint Online and Azure SQL Database through Business Connectivity Services BCS. Like here or here or here. This allow user get, create, update items in your database inline in SharePoint list by out-of-box features.
Create periodically running code (Console App, PowerShell script, Windows Service). Schedule it on some server in your company. That code will use CSOM SharePoint object model and connect to SharePoint more easier through SharepointOnlineCredentials class, get data and connect to your HTTP Endpoint directly or to your database.
If your database is MS SQL Server located on-premise then you can use this guide to create Business Connectivity Services content types between SharePoint Online and on-premise SQL Server.
You can go some extravagant ways: =)
SharePoint by some ways can send emails with data from list items to some inbox and your HTTP endpoint can get these emails, parse data and perform following steps.
May be you can create Sql Server Integration Service (SSIS) package on some company local MS SQL Server that will send data from SharePoint on periodically basis to your database directly or to your HTTP endpoint directly.
Other ways...

"But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself?"
Correct, you do need a bearer access token. Where are you hosting the code for your HTTP endpoint? If you can put it in Azure as a Function or web API, then you can implement app-only permissions which will give you the necessary access token.
There are 2 options for doing so:
Granting access via Azure AD App-Only
Granting access using SharePoint App-Only
The first one is a bit more involved, because it requires a client secret AND a self-signed security certificate, but it will allow you permissions to any O365 API. The 2nd one is simpler and will only require the app/client ID and secret, but only allows permissions to the SharePoint Rest API.
The MSDN documentation linked above uses a PowerShell script to generate the security cert, but I prefer Bob German's instructions for manually creating/exporting one. He also includes instructions for registering an Azure AD application for your Azure function in his tutorial.

Related

PowerBI - Power Query Fetch credentials from Azure Vault

We have a requirement to fetch data from a rest api into powerbi and schedule a refresh every night. The rest api support jwt authentication so it needs header with xapikey and access token.
I have managed to write a function in power query to get access token from our auth endpoint and able to inject access token for the rest api call and it works fine with powerbi-desktop. I have published the report to powerbi cloud.
The auth endpoint require username and password, we would not like to store this details in .pbix file and publish to cloud but instead use azure key vault and powerbi to fetch details at runtime.
Please advise ?
Power Automate has a great Azure Vault connector.
You could make a simple 3-action flow:
A post to that URL will json back the secret/credentials.
Now, here is the goofy part - hide that URL in a permissioned location (Onedrive, Sharepoint, etc). Have your pbi pickup from that location, using privileged credentials. Now the URL and the credentials get picked up at runtime, and neither is persisted in PBIX.
I am assuming that there is an available premium PAutomate env in which to spin up that flow, of course. But, given that you already have an azure vault, that seems like a standard PBI+ toolkit to have at that point.

want to push/pull data into/from SalesForce Accounts/leads from/to my external web app

I have my web application. Now i want to integrate salesforce into my web app so that i can push data from my app to any salesforce org after the authentication(OAuth).
I found 2 ways:
1. Connected Apps
2. via wsdl generation file and use
I created a connected app from my developer account and i authenticated using consumer key, cusumer secret key(from my connected app) and username of user and secret token of the user account.
I tried with another free trail account, It's validating and fetching the details and post data also working.
My question is, shall i deploy my connected app into app exchange, then only i caan use REST APIs ?
generating wsdl and coding around is the better option than the above ?
Is there a option, only one time authentication enough for any number of sessions and use the REST APIs?
Please suggest me a best way to proceed.
You're mixing up a couple of independent issues here.
If you're going to authenticate via OAuth, you must have a Connected App.
A SOAP API login() call requires you to store a username and password, which is undesirable.
There is no way to "permanently" authenticate, i.e., to get a session id that never expires. Your app must always be ready to get a new access token via the OAuth refresh token it obtains and stores (via, for example, the Web Server OAuth flow), or to reauthenticate via JWT flow.
Connected Apps are global metadata in most cases. You don't need to deploy a Connected App into a target org in order to authenticate using its Client Id and Secret into that org. The only exception I'm aware of is if you want to use the JWT flow with a certificate and preauthorized Profiles and Permission Sets.
Based on what you've shared, I don't see any reason for the AppExchange to be involved.

How to connect to SharePoint STS using WSTrustChannelFactory

In the context of a ASP.Net Web API service I am trying to connect to a SharePoint STS to read the security claims for a sharepoint user.
The user is authenticated to SharePoint 2013 using Forms based authentication.
I am on the same domain as the sharepoint site so I have access to the FedAuth cookie that sharepoint uses.
I am trying to use System.ServiceModel.Security.WSTrustChannelFactory to craft a Request for a Security Token but I am not sure what I should be using as the parameters for the WSTrustChannelFactory constructor.
I am looking for some validation that the approach I am attempting is reasonable one as well as just how I should be using the WSTrustChannelFactory.
Note:
The STS's address is available at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc
Reading further on this I decided that I was trying to use the SharePoint STS in a way that it was not designed for (it is a relying party STS). Instead I implemented authentication using the Thinktecture Identity Server as an identity provider and authenticated both SharePoint and my Web API service using that.

Implementing web service security in Reporting Tools

I have a web reporting tool lets say Business Objects, Cognos, OBIEE, Crystal Reports. I want to display some data into the report which is coming from a Web Service. So i copy paste the Web service URL inside the report cell and i can access the data.
However this leaves a big security issue as i cannot authenticate the requestor. One thing which i can think of is checking the Http header request: referer property which is set by the reporting tool in my Web Service. This atleast ensures that the request has originated from my Reporting Application. Besides this i cannot see how i can authenticate a specific user.
Appending Username in the Web Service URL is also not an option because one report is used by many users. I would somehow want to access this specific user session and associate the web service request with this user session. Lets say both my Web Reporting tool and web service are running on the same Web Application Server. Is it possible to merge the Web Service Provider and my Reporting Application so that the session user name is available in the WebService ?

adding login function in custom salesforce webservice

I have a custom salesfoce webservice, but to access that webservice we need to login from salesforce enterprise wsdl. but i dont want to add that wsdl file. Is there any way to add login function on custom webservice or login with out that wsdl webservice???
Yes, see SOAP request to APEX webservice without requiring authentication.
go into the site detail page in setup, click Public Access Settings,
and then add the Apex Class there. This is effectively granting your
anonymous running user account (guest license) the ability to directly
access this class.
There are more detailed instructions at Public Web Services via Apex and Force.com Sites.
Note that your data exposed via this web service will no longer be secure.
As you mention, you need to authenticate, the login method is not included in the custom apex WSDL, you have lots of choices, depending on exactly what sort of app you're building.
Add either the enterprise or partner WSDL to your app and call login from there.
Use an interactive OAuth flow which will result in you getting an access token & instance Url, which you can then use with the apex WSDL.
Use a programamtic OAuth flow (username/password), again resulting in an access token * instance Url which you can then use with the apex WSDL.
if you have a web based app, you can create a custom link/tab in salesforce to pass you an existing serverUrl/sessionId info.
For the OAuth flows, you would pass the received access token in your apex requests as the sessionId (just like if you got it from login), and you would combine the host name from the instance URL with the path from the apex WSDL to set the endpoint URL of your stub.