Hi @winthropemma ,
I believe this is because you're using FME 2019 and the app is configured as a Desktop App/Public Client (FME is a Desktop App).
I just published an article about connecting to Sharepoint Online using the Web connection which includes a note about this at the top. Basically, in versions of FME earlier than 2020 the Client Secret parameter has to have a value. In FME 2020+ this can be optional. Azure says that clients that cannot be trusted to keep a secret, such as desktop apps (FME), are called Public Clients. Apps that identify as a Public Client must never send a Client Secret, or else the server will reject it.
This can easily be tested in FME 2020+ by setting up the web service with a client secret but toggling Optional checked/unchecked. Every time it is unchecked, the web service test fails and the web connection won't work.
I've also tried configuring my App Registration as a non-Public Client and I get the same error as you.
I'd recommend upgrading to FME 2020, or see if you can accomplish your tasks using the Microsoft Sharepoint List Reader in 2019 using SAML without a web connection.
If anyone else has had success this way I'd be interested to know about it.
@david_r please feel free to tag me if you see any of these types of questions come through :)
Also as an FYI, I just published an article for using the web connection to connect to Sharepoint.
Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.
Hi @jlutherthomas - I've tried this now on FME Server 2020 and following your instructions I have set up and tested it successfully, thanks for your help!
@winthropemma Great - I'm glad it works 😃
Hi again @jlutherthomas , I'd like to get a little more help here if possible - after initially working, my SharepointOnlineConnector now gives token error messages such as:
SharepointOnlineConnector: Error making request to https://graph.microsoft.com/v1.0/sites/<mytenant>.sharepoint.com,144b7f4c-b3d2-486e-a99d-b3019e2ddf94,1cf9053d-f391-42cb-9d3c-00e7ab5bd06f: Access token validation failure. Invalid audience.
The workspace that I published initially to FME Server worked for half an hour then gave a token expired message. Now when trying to reinstate the setup in my desktop environment I'm getting the above message (I replaced my actual tenant value with <mytenant>).
I've gone back through the settings as per your article above (the Single-Tenant option) and I appear to have everything required.
I'm not sure why FME Desktop is mentioning the graph.microsoft.com V1 in this error message, that doesn't appear to be in any of the endpoints referred to in Azure by the registered app...
Any pointers greatly appreciated. 😃
Hi @winthropemma I can give you a couple of things to try, hopefully one of these works!
Off the top of my head, perhaps a couple of things to try:
- In FME Options for your Sharepoint Web Service, do you see in the Authorization URL at the end is a scope query string? By default this is scope=https://<tenant>.sharepoint.com/.default offline_access&response_type=code&prompt=consent - I think you might need to add more scopes here. See the scope section of Step 2. You can get the scopes by clicking on each of the permissions in the portal. You want it space-delimited (but url encode it) so the scope might be something like this: scope=https://<tenant>.sharepoint.com/.default offline_access%20AllSites.Manage%20MyFiles.Write&response_type=code&prompt=consent
If that doesn't work (or FME Server still isn't happy) you could try:
- Double check the endpoints in your sharepoint web service - do they definitely have /v2.0/ in the url?
- Remove the Graph API permissions from the app that you've registered in AP (Azure Portal) - you'll have to re-auth your web connection after this because permissions have changed.
- Try adding another redirect URI to the app registration in AP and set it to https://<yourFMEServer>/oauth
- As you already have the app published to FME Server, in the Web UI go to Web Connections > Manage Services (top right) > find Sharepoint > update the redirect URI to https://<yourFMEServer>/oauth. Your FME Server might have to be public facing for this to work.
- Go back to Web Connections > find your sharepoint web connection > try to authorize it on FME Server
After any changes to permissions in AP you'll need to re-auth your web connection.
After any changes to the web service in Desktop you'll need to republish the connection to FME Server (make sure to check the box to re-publish the connection during the publish wizard).
Let me know how it goes and what worked so I can add notes to that Sharepoint article.
Hello again @jlutherthomas ,
I am getting a similar error to the one I published in the post above, after trying out your suggestions and also retrying the new app registrations and web service and connection instructions from the start.
Creating the registered app, the new web service and web connections, plus applying this web connection to a sharepoint list reader, works great.
But my problem remains with using the web connection with the SharepointOnlineConnector, which gives this error (similar to the one in the post published above): "Error making request to https://graph.microsoft.com/v1.0/sites?$select=id,webUrl,name&search=: Access token validation failure. Invalid audience."
I did try changing the scope parameter in the authorization URL as suggested but got this error, so I went back to the original URL:
"Sorry, but we’re having trouble signing you in.
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://:tenant].sharepoint.com/.default AllSites.Manage MyFiles.Write is not valid. .default scope can't be combined with resource-specific scopes."
Another strange issue is that the Sharepoint Connector Transformer does not recognise web connections made on web services that do not have the name: "safe.microsoft-sharepoint.Microsoft SharePoint Online". This may be what is implied in the ReadMe of the Hub site: https://hub.safe.com/publishers/safe/packages/microsoft-sharepoint#readme
I'd like to hear about any success with the SharepointOnlineConnector using specific sharepoint client ids other than the default supplied, and whether additional steps might be required on top of those required for setting up the web connection for sharepoint list readers? What could be the issue if the sharepoint list reader works but the sharepoint online connector doesn't?
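As an added example (not code from the thread or from Safe Software), two small diagnostics for the errors quoted in this post: a check of the authorize URL's scope parameter against the AADSTS70011 rule (a `/.default` scope cannot be mixed with resource-specific scopes), and a comparison of an access token's `aud` claim with the API host a request is sent to, which is what the "Invalid audience" message from graph.microsoft.com points at. The tenant name `contoso`, the sample token and all function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample values (not from the thread): a stand-in tenant name and a
# JWT with an empty signature whose 'aud' is the SharePoint resource, as issued
# for the default "<tenant>.sharepoint.com/.default" scope.
TENANT = "contoso"

def _sample_token(payload: dict) -> str:
    """Build header.payload. with the signature omitted (sample data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."

SAMPLE_TOKEN = _sample_token({"aud": f"https://{TENANT}.sharepoint.com", "scp": "AllSites.Read"})

def check_scope_param(authorize_url: str) -> list:
    """Return problems with the scope query string of an Azure AD authorize URL.
    Applies the AADSTS70011 rule quoted above: a '/.default' scope must not be
    combined with resource-specific scopes such as AllSites.Manage."""
    qs = parse_qs(urlparse(authorize_url).query)
    if "scope" not in qs:
        return ["missing scope parameter"]
    scopes = unquote(qs["scope"][0]).split()   # Azure expects space-delimited scopes
    oidc = {"offline_access", "openid", "profile", "email"}
    specific = [s for s in scopes if not s.endswith("/.default") and s not in oidc]
    if any(s.endswith("/.default") for s in scopes) and specific:
        return [".default combined with resource-specific scopes: " + " ".join(specific)]
    return []

def token_audience(access_token: str) -> str:
    """Decode the 'aud' claim from the JWT payload without verifying the signature.
    Diagnostic only: the API being called still validates the token itself."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def audience_matches(access_token: str, request_url: str) -> bool:
    """True when the token was issued for the API host the request targets.
    A SharePoint-audience token sent to graph.microsoft.com fails this check,
    which is what 'Access token validation failure. Invalid audience.' reports.
    'aud' may be a URI or an application ID; only the URI form is compared."""
    aud = token_audience(access_token)
    aud_host = urlparse(aud).netloc if aud.startswith("https://") else aud
    return aud_host == urlparse(request_url).netloc

if __name__ == "__main__":
    url = f"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=https://{TENANT}.sharepoint.com/.default offline_access%20AllSites.Manage&response_type=code"
    print(check_scope_param(url))
    print(audience_matches(SAMPLE_TOKEN, "https://graph.microsoft.com/v1.0/sites?$select=id"))
```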
Hi @winthropemma
I just tidied up the articles now, so there are 2 different ones because the required application permissions are different. As you're using the SharePointOnlineConnector transformer you will need the MS Graph Sites API permissions (the SharePoint reader/writer uses the SharePoint API, not MS Graph); check this article out instead.
If correcting the permissions in AP doesn't work, create a support case and we can get on a screen share session and figure things out.
There is currently an issue where you can't 'create from' or copy web services downloaded from the hub, so it's likely this issue extends into what you're finding with the naming convention.