Skip to main content
Solved

Sharepointonline connector - configuration for FME Server 2019.0

winthropemma
Contributor
Forum|alt.badge.img+1

Hello,

I am trying to setup my web service and a web connection for the Sharepoint online connector, and have downloaded the FME Hub package safe.microsoft-sharepoint-1.0.0.fpkg. I have successfully used the default values supplied with the package in my FME desktop environment, and have setup an FME process to use multiple actions from the sharepointonline connector - which will simplify my organisations workflow in this area greatly. However:

I need to configure this to run on FME Server 2019.0 and have registered an app on azure for FME, and have my client ID and client secret. I have updated the URL parameters in the webservice setup in FME to point to the tenant endpoints e.g. https://login.microsoftonline.com/<my tenant ID>/oauth2/v2.0/authorize.

I'm not sure what my redirect URI on the webservice setup page in FME is doing but I've set it to this:

https://login.microsoftonline.com/<my tenant ID>/oauth2/v2.0/authorize

Also, there is the ability to set a Redirect URI in the registered APP details in Azure, but I'm also not sure what to put there.

 

At the moment, this is the message I'm getting when attempting to authorise my web connection based on my current webservice setting for Microsoft Sharepoint Online - any help would be greatly appreciated:

----------------------------

Sorry, but we’re having trouble signing you in.

 

AADSTS165000: Invalid Request: The user session context is missing. Do not copy the user context values (cookies; form fields; headers) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Missing session context cookie;Token values do not match;]

Best answer by jlutherthomas

Hi @winthropemma​ ,

 

I believe this is you're using FME 2019 and the app is configured as a Desktop App/Public Client (FME is a Desktop App).

 

I just published an article about connecting to Sharepoint Online using the Web connection which includes a note about this at the top. Basically, in earlier versions of FME than 2020 the Client Secret parameter has to have a value. In FME 2020+ this can be optional. Azure says that clients that cannot be trusted to keep a secret, such a desktop apps (FME), are called Public Clients. Apps that identify as a Public Client must never send a Client Secret, or else the server will reject it.

 

This can easily be tested in FME 2020+ by setting up the web service with a client secret but toggle optional checked/unchecked. Every time it is unchecked, the web service test fails and the web connection won't work.

 

I've also tried configuring my App Registration as a non Public Client and I get the same error as you.

I'd recommend upgrading to FME 2020, or see if you can accomplish your tasks using the Microsoft Sharepoint List Reader in 2019 using SAML without a web connection.

 

If anyone else has had success this way I'd be interested to know about it.

View original
Did this help you find an answer to your question?

10 replies

david_r
Evangelist
  • david_rEvangelist
  • August 31, 2020

Paging @gerhardatsafe​ ...

J
Forum|alt.badge.img+2
  • jlutherthomas
  • Best Answer
  • September 3, 2020

Hi @winthropemma​ ,

 

I believe this is you're using FME 2019 and the app is configured as a Desktop App/Public Client (FME is a Desktop App).

 

I just published an article about connecting to Sharepoint Online using the Web connection which includes a note about this at the top. Basically, in earlier versions of FME than 2020 the Client Secret parameter has to have a value. In FME 2020+ this can be optional. Azure says that clients that cannot be trusted to keep a secret, such a desktop apps (FME), are called Public Clients. Apps that identify as a Public Client must never send a Client Secret, or else the server will reject it.

 

This can easily be tested in FME 2020+ by setting up the web service with a client secret but toggle optional checked/unchecked. Every time it is unchecked, the web service test fails and the web connection won't work.

 

I've also tried configuring my App Registration as a non Public Client and I get the same error as you.

I'd recommend upgrading to FME 2020, or see if you can accomplish your tasks using the Microsoft Sharepoint List Reader in 2019 using SAML without a web connection.

 

If anyone else has had success this way I'd be interested to know about it.

J
Forum|alt.badge.img+2
david_r wrote:

Paging @gerhardatsafe​ ...

@david_r​ please feel free to tag me if you see any of these types of questions come through :)

Also as an FYI, I just published an article for using the web connection to connect to Sharepoint.

winthropemma
Contributor
Forum|alt.badge.img+1
  • winthropemmaContributor
  • Author
  • Contributor
  • September 4, 2020
jlutherthomas wrote:

Hi @winthropemma​ ,

 

I believe this is you're using FME 2019 and the app is configured as a Desktop App/Public Client (FME is a Desktop App).

 

I just published an article about connecting to Sharepoint Online using the Web connection which includes a note about this at the top. Basically, in earlier versions of FME than 2020 the Client Secret parameter has to have a value. In FME 2020+ this can be optional. Azure says that clients that cannot be trusted to keep a secret, such a desktop apps (FME), are called Public Clients. Apps that identify as a Public Client must never send a Client Secret, or else the server will reject it.

 

This can easily be tested in FME 2020+ by setting up the web service with a client secret but toggle optional checked/unchecked. Every time it is unchecked, the web service test fails and the web connection won't work.

 

I've also tried configuring my App Registration as a non Public Client and I get the same error as you.

I'd recommend upgrading to FME 2020, or see if you can accomplish your tasks using the Microsoft Sharepoint List Reader in 2019 using SAML without a web connection.

 

If anyone else has had success this way I'd be interested to know about it.

Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.

 

winthropemma
Contributor
Forum|alt.badge.img+1
  • winthropemmaContributor
  • Author
  • Contributor
  • September 9, 2020
winthropemma wrote:

Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.

 

HI @jlutherthomas​  - I've tried this now on FME Server 2020 and following your instructions I have set up and tested it successfully, thanks for your help!

J
Forum|alt.badge.img+2
winthropemma wrote:

Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.

 

@winthropemma​  Great - I'm glad it works 😃

winthropemma
Contributor
Forum|alt.badge.img+1
  • winthropemmaContributor
  • Author
  • Contributor
  • September 14, 2020
winthropemma wrote:

Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.

 

Hi again @jlutherthomas​ , I'd like to get a little more help here if possible - after initially working, my SharepointonlineConnector now gives token error messages such as:

SharepointOnlineConnector: Error making request to https://graph.microsoft.com/v1.0/sites/<mytenant>.sharepoint.com,144b7f4c-b3d2-486e-a99d-b3019e2ddf94,1cf9053d-f391-42cb-9d3c-00e7ab5bd06f: Access token validation failure. Invalid audience.

The workspace that I published initially to FME Server worked for half an hour then gave a token expired message. Now when trying to reinstate the setup in my desktop environment I'm getting the above message (I replaced my actual tenant value with <mytenant>).

I've gone back through the settings as per your article above (the Single-Tenant option) and I appear to have everything required.

I'm not sure why FME Desktop is mentioning the graph.microsoft.com V1 in this error message, that doesn't appear to be in any of the endpoints referred to in Azure by the registered app...

Any pointers greatly appreciated. 😃

 

J
Forum|alt.badge.img+2
winthropemma wrote:

Thanks for this reply, which does help me understand it a bit more. We have got an upgrade to 2020 scheduled for this coming week so will try it again after that.

 

Hi @winthropemma​ I can give you a couple of things to try, hopefully one of these works!

Off the top of my head, perhaps a couple of things to try:

  • In FME Options for your Sharepoint Web Service, do you see in the Authorization URL at the end is a scope query string? By default this is scope=https://<tenant>.sharepoint.com/.default offline_access&response_type=code&prompt=consent - I think you might need to add more scopes here. See the scope section of Step 2. You can get the scopes by clicking on each of the permissions in the portal. You want it space-delimited (but url encode it) so the scope might be something like this: scope=https://<tenant>.sharepoint.com/.default offline_access%20AllSites.Manage%20MyFiles.Write&response_type=code&prompt=consent

If that doesn't work (or FME Server still isn't happy) you could try:

  • Double check the endpoints in your sharepoint web service - do they definitely have /v2.0/ in the url?
  • Remove the Graph API permissions from the app that you've registered in AP (Azure Portal) - you'll have to re-auth your web connection after this because permissions have changed.
  • Try adding another redirect URI to the app registration in AP and set it to https://<yourFMEServer>/oauth
    • As you already have the app published to FME Server, in the Web UI go to Web Connections > Manage Services (top right) > find Sharepoint > update the redirect URI to https://<yourFMEServer>/oauth. Your FME Server might have to be public facing for this to work.
    • Go back to Web Connections > find your sharepoint web connection > try to authorize it on FME Server

 

Any changes to permissions in AP you'll need to re-auth your web connection.

Any changes to the web service in desktop you'll need to republish the connection to FME Server (make sure to check the box to re-publish the connection during the publish wizard)

 

Let me know how it goes and what worked so I can add notes to that Sharepoint article.

winthropemma
Contributor
Forum|alt.badge.img+1
  • winthropemmaContributor
  • Author
  • Contributor
  • October 9, 2020

Hello again @jlutherthomas​ ,

I am getting a similar error to the one I published in the post above, after trying out your suggestions and also retrying the new app registrations and web service and connection instructions from the start.

 

Creating the registered app, the new web service and web connections, plus applying this web connection to a sharepoint list reader, works great.

But my problem remains with using the web connection with the SharepointOnlineConnector, which gives this error (similar to the one in the post published above): "Error making request to https://graph.microsoft.com/v1.0/sites?$select=id,webUrl,name&search=: Access token validation failure. Invalid audience."

 

I did try changing the scope parameter in the authorization URL as suggested but got this error, so I went back to the original URL:

"Sorry, but we’re having trouble signing you in.

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://[tenant].sharepoint.com/.default AllSites.Manage MyFiles.Write is not valid. .default scope can't be combined with resource-specific scopes."

 

Another strange issue is that the Sharepoint Connector Transformer does not recognise web connections made on web services that do not have the name: "safe.microsoft-sharepoint.Microsoft SharePoint Online". This may be what is implied in the ReadMe of the Hub site: https://hub.safe.com/publishers/safe/packages/microsoft-sharepoint#readme

 

I'd like to hear about any success with the SharepointOnlineConnector using specific sharepoint client ids other than the default supplied, and whether additional steps might be required on top of those required for setting up the web connection for sharepoint list readers? What could be the issue if the sharepoint list reader works but the sharepoint online connector doesn't?

 

 

J
Forum|alt.badge.img+2
winthropemma wrote:

Hello again @jlutherthomas​ ,

I am getting a similar error to the one I published in the post above, after trying out your suggestions and also retrying the new app registrations and web service and connection instructions from the start.

 

Creating the registered app, the new web service and web connections, plus applying this web connection to a sharepoint list reader, works great.

But my problem remains with using the web connection with the SharepointOnlineConnector, which gives this error (similar to the one in the post published above): "Error making request to https://graph.microsoft.com/v1.0/sites?$select=id,webUrl,name&search=: Access token validation failure. Invalid audience."

 

I did try changing the scope parameter in the authorization URL as suggested but got this error, so I went back to the original URL:

"Sorry, but we’re having trouble signing you in.

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://[tenant].sharepoint.com/.default AllSites.Manage MyFiles.Write is not valid. .default scope can't be combined with resource-specific scopes."

 

Another strange issue is that the Sharepoint Connector Transformer does not recognise web connections made on web services that do not have the name: "safe.microsoft-sharepoint.Microsoft SharePoint Online". This may be what is implied in the ReadMe of the Hub site: https://hub.safe.com/publishers/safe/packages/microsoft-sharepoint#readme

 

I'd like to hear about any success with the SharepointOnlineConnector using specific sharepoint client ids other than the default supplied, and whether additional steps might be required on top of those required for setting up the web connection for sharepoint list readers? What could be the issue if the sharepoint list reader works but the sharepoint online connector doesn't?

 

 

Hi @winthropemma​ 

I just tidied up the articles now, so there's 2 different ones because the required application permissions are different. As you're using the SharePointOnlineConnector transformer you will need the MS Graph Sites API Permissions (the SharePoint reader/writer uses the SharePoint API, not MS Graph) check this article out instead.

If correcting the permissions in AP doesn't work, create a support case and we can get on a screen share session and figure things out.

 

There is currently an issue where you can't 'create from' or copy web services downloaded from the hub, so it's likely this issue extends into what you're finding with the naming convention.

Reply


Helpful Members This Week

Community Stats

30,985
Posts
117,434
Replies
38,764
Members

Latest FME

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings
A product of
Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.