Sharepoint 365 ACS OAuth in Objective-C: realm error - Help Needed

Okay, so we are building an iPhone app to hit a Sharepoint 2013 site that is hosted on Office 365. If I were building this in C#, which I've already done, I would have the luxury of just using TokenHelper.cs to get me most of the way there. Unfortunately, as far as I know, there is no TokenHelper for Objective-C yet.

So here's the deal, we can already successfully get the OAuth authentication/authorization page to come up and we successfully get an Authorization Code back.

After this point we were stumped for a bit because we knew that we were missing the realm id in the POST for obtaining our Access and Refresh tokens. I finally figured out how TokenHelper does this and we've duplicated that. (This was an additional call to /_vti_bin/client.svc where you expect to get a 401 so that you can pull the realm id out of the header.)

We now have a realm id that, from what I've read in documentation and TokenHelper and seen in Fiddler, needs to then get used in the following 2 ways: within the URL construction for the POST as well as for the resource value in the header for that POST.

So the POST url looks like this:

accounts.accesscontrol.windows.net/{realm id}/tokens/oauth/2

Our resource value looks like this:

resource=00000003-0000-0ff1-ce00-000000000000%2f{realm url}%40{realm id}

This at least connects fine and accepts our POST. Unfortunately, we are getting the following message back:

ACS50012: Authentication failed. ACS90011: The realm '' is not a configured realm of the current service namespace.

This message makes me think that there may be a configuration issue, but I really can't be sure.

Has anyone else tried performing OAuth against a 365 site yet within Objective-C and had success?

I can post code as well, but I was trying to shy away from that initially.

Mike Homol asked Dec 19 '13 14:12


1 Answer

I recently came across the same problem and have a feeling it may be the same issue you are seeing.

The correct POST request for OAuth is as follows:

POST https://accounts.accesscontrol.windows.net/<REALM_GUID>/tokens/OAuth/2
x-www-form-urlencoded params:
grant_type:authorization_code
client_id:<CLIENT_ID>@<REALM_GUID>
client_secret:<CLIENT_SECRET>
code:<AUTH_CODE>
redirect_uri:<REDIRECT_URI>
resource:00000003-0000-0ff1-ce00-000000000000/<SHAREPOINT_AUTHORITY>@<REALM_GUID>

The major gotcha for me was that the value of the "client_id" required the realm id appended to the client id. Not including the realm id will throw an "ACS90011: The realm '' is not a configured realm of the current service namespace."

HTH

letstango answered Oct 25 '22 02:10
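The two pieces of the flow described on this page, the realm discovery from the 401 challenge (question) and the exact shape of the token POST (answer), as an added Python example that is not code from either poster. It is language-neutral on purpose: the point is the request shape, not Objective-C. The realm GUID, client id, secret, code, redirect URI and `contoso.sharepoint.com` authority are constructed placeholders, and the `Bearer realm="..."` form of the WWW-Authenticate header is an assumption about what TokenHelper parses; the SharePoint principal id and the endpoint path come from the page.

```python
import re
from urllib.parse import urlencode

# Fixed SharePoint principal id, as given in the question and the answer.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_HOST = "https://accounts.accesscontrol.windows.net"

# Constructed sample of the WWW-Authenticate header that accompanies the 401
# from /_vti_bin/client.svc. The realm GUID and trusted_issuers value are made
# up; the 'Bearer realm="..."' shape is an assumption about the challenge format.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="11111111-2222-3333-4444-555555555555",'
    'client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000001-0000-0000-c000-000000000000@*"'
)


def realm_from_www_authenticate(header: str) -> str:
    """Pull the realm GUID out of a Bearer challenge; fail loudly if absent.

    An empty realm here is exactly what ends up as realm '' in ACS90011, so
    refusing to continue is better than sending a request that cannot succeed.
    """
    match = re.search(r'\brealm="([^"]*)"', header)
    if not match or not match.group(1):
        raise ValueError("no realm in WWW-Authenticate challenge")
    return match.group(1)


def token_endpoint(realm: str) -> str:
    """ACS token endpoint for the realm, matching the answer's POST line."""
    return f"{ACS_HOST}/{realm}/tokens/OAuth/2"


def build_token_request(realm, client_id, client_secret, auth_code,
                        redirect_uri, sharepoint_authority):
    """Return (url, form dict, urlencoded body) for the authorization_code grant.

    Both client_id and resource carry the '@<realm>' suffix. Leaving it off
    client_id is the mistake the answer identifies as the cause of ACS90011.
    """
    form = {
        "grant_type": "authorization_code",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "code": auth_code,
        "redirect_uri": redirect_uri,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{sharepoint_authority}@{realm}",
    }
    # urlencode percent-encodes '/' as %2F and '@' as %40, the same encoding
    # the question shows in its resource value.
    return token_endpoint(realm), form, urlencode(form)


def client_id_has_realm(form: dict, realm: str) -> bool:
    """Pre-flight check for the failure on the page: client_id must end in '@<realm>'."""
    return form.get("client_id", "").endswith("@" + realm)


if __name__ == "__main__":
    realm = realm_from_www_authenticate(SAMPLE_WWW_AUTHENTICATE)
    url, form, body = build_token_request(
        realm, "client-id-placeholder", "secret-placeholder",
        "code-placeholder", "https://example.invalid/callback",
        "contoso.sharepoint.com")
    print(url)
    print("client_id carries realm:", client_id_has_realm(form, realm))
```

The check in `client_id_has_realm` catches the ACS90011 cause before any network round-trip, which is cheaper than diagnosing it from the ACS error text after the fact.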