Connecting to Office365 SPSite with WindowsLogin/Single SignOn #32
Comments
Hey dgutman, |
Thanks for the quick reply! I will check out the response...
In my case, I don't actually have a password.... we can only log on now
using our PIV card...
So I wasn't sure if I just gave it name="", password="" it would still work?
I'm not at work now, so I'll have to play around in the morning...
On Wed, Nov 28, 2018 at 9:11 PM Bailey Townsend ***@***.***> wrote:
Hey dgutman,
I'm the guy who wrote the Office365 part of this. If I understand your
question right I think you're asking if a user domain account that is tied
to the same Office365 account can be used to authenticate? If that's the
case then yes. So if your Office365 users are synced with your Active
Directory it will work fine (that was my use case). The whole it sending xml
to Microsoft was only way I could figure out at the time to get any kind of
authentication to SharePoint online sites as that user. It hits Microsoft
servers to authenticate the Microsoft/Office365 account, returns a token
that you then hit your Online SharePoint site to use to create a cookie and
then that cookie is what finally authenticates you to the SharePoint site.
This is the article
<http://paulryan.com.au/2014/spo-remote-authentication-rest/> I used to
create this implementation. I hope this helps! If you have any questions
let me know. It has been a few months since I've looked at any of this but
I will gladly help out if I can.
--
David A Gutman MD PhD
Assistant Professor of Neurology, Psychiatry & Biomedical Informatics
Emory University School of Medicine
Staff Physician, Mental Health Service Line
Atlanta VA Medical Center
|
Ahh! That makes sense. I did a bit of research on this, I am no longer in a System Admin role with access to admin on an already running Sharepoint site. So I wasn't able to test all of them. Here's a few different solutions you can try. I do not think this is something I personally have time to fully implement into Shareplum at this time though. But! I did find a few things for you to try. If it is just short term data move or something similar, something to be done in a couple of hours you can still use Shareplum. Will just have to go to your Sharepoint site in the browser of your choice and manually grab the cookies. Then add them in Shareplum, example below in Python 3 using http.cookiejar
Set rtFa value to the rtFa cookie value from the browser and change abc.sharepoint.com to your company Sharepoint, do the same with FedAuth. And this should work for about 4 hours I think, give or take. Tedious but will get it done if it is just a server move or something similar. May even set a Python script to harvest your local browser cookies and use them, or could set a script to open a browser to that site, refresh the cookies of your browser of choice and use them. It's a hack for sure and not a pretty one, but it would work haha. If not and you have admin access or an admin can give access for you. You can create an authorized app in Azure Active Directory that (more info). I would follow the directions from Vadim Gremyachev in this Stack Overflow question, it seems like his Python library can handle that. Example in that library. Other ones I found made my head spin and I gave up on them, honestly I had looked at doing OAuth first instead of username and password authentication but I settled on it cause it was an easier implementation and for most part did not need any other set up. For most part looks like there may be a way to use the authorized app in Azure Active Directory to get a token from Office 365 API then use that, but I myself have not figured that one out. Going to add a list of different things that may help you if the above do not. Good luck and I hope this helped some! |
So one of the snags is that my site uses SmartCard based authentication, adding another level of "fun". As an initial hack, I authenticated through Chrome and grabbed the rtFA and FedAuth cookies...
myCookies = {"rtFA": "SomeLongCookie", "FedAuth": "myOtherLongCookie"}
If I just hardcode my cookies and set self._session.cookies=myCookies I am able to get it to query my main site, using the credentials Chrome authenticated through the Microsoft single sign on service. As a starting point, how could I use authcookie=myCookies so I could use the current API more closely (instead of hacking the code as per below). I tried just pushing authcookie={"rtFA": "key1", "FedAuth": "key2"}
If instead, I try this:
site = shareplum.Site("https://blah.sharepoint.com/", authcookie=myCookies, verify_ssl=False)
Tried to pass a DICT to the authcookie
C:\Users\VHAATGGutmaD\AppData\Local\Continuum\Anaconda2\lib\site-packages\requests\sessions.pyc in post(self, url, data, json, **kwargs)
C:\Users\VHAATGGutmaD\AppData\Local\Continuum\Anaconda2\lib\site-packages\requests\sessions.pyc in request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
C:\Users\VHAATGGutmaD\AppData\Local\Continuum\Anaconda2\lib\site-packages\requests\sessions.pyc in send(self, request, **kwargs)
C:\Users\VHAATGGutmaD\AppData\Local\Continuum\Anaconda2\lib\site-packages\requests\cookies.pyc in extract_cookies_to_jar(jar, request, response)
AttributeError: 'dict' object has no attribute 'extract_cookies' |
Yep! I had tried doing a dict as well, didn't like that. It is expecting a "CookieJar". If you plug your rtFA and FedAuth values into where it says "rtFaValue", "FedAUthValue", and site where it says domain into my code example above using http.cookiejar (Python 3) or cookielib (Python 2) into a cookie jar then pass it as the authcookie parameter it should work perfectly for you, did for me last night when I tested it. Now for how long it'll keep you authenticated I do not know. Also if you wanted to get real crafty. Let's say you use Google Chrome, you can search the cookie sqlite db for the cookie values to automate it. But it needs to be put into a CookieJar for SharePlum authCookie to accept it. |
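The CookieJar the comment above asks for, as an added example that is not part of the original thread or of SharePlum's code: it builds a jar for the rtFa and FedAuth cookies, marks them secure and host-scoped, and checks which requests they would be attached to. The helper names `build_auth_jar` and `cookie_header_for`, the `SP_*` environment variable names and the 4-hour default lifetime (the estimate given in the thread) are assumptions.

```python
import os
import time
import urllib.request
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit


def build_auth_jar(site_url, rtfa, fedauth, lifetime_s=4 * 3600):
    """Hypothetical helper: CookieJar with rtFa and FedAuth for one host."""
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("site_url must be an https:// URL")
    if not rtfa or not fedauth:
        raise ValueError("both rtFa and FedAuth values are required")
    # Client-side expiry only (assumed 4 h); the server decides real validity.
    expires = int(time.time()) + lifetime_s
    jar = CookieJar()
    for name, value in (("rtFa", rtfa), ("FedAuth", fedauth)):
        jar.set_cookie(Cookie(
            version=0, name=name, value=value,
            port=None, port_specified=False,
            domain=parts.hostname, domain_specified=False,
            domain_initial_dot=False,
            path="/", path_specified=True,
            secure=True,       # only attached to https requests
            expires=expires,   # jar stops sending it after this time
            discard=False, comment=None, comment_url=None, rest={},
        ))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    # SP_SITE, SP_RTFA, SP_FEDAUTH are assumed variable names; reading the
    # values from the environment keeps session cookies out of source files.
    site = os.environ.get("SP_SITE", "https://abc.sharepoint.com")
    jar = build_auth_jar(site, os.environ.get("SP_RTFA", "constructed-rtFa"),
                         os.environ.get("SP_FEDAUTH", "constructed-FedAuth"))
    print("has extract_cookies:", hasattr(jar, "extract_cookies"))
    print("sent to site over https:", cookie_header_for(jar, site) is not None)
    # The jar is what the thread passes on: Site(site, authcookie=jar)
```

A plain dict fails in requests because it lacks the `extract_cookies` method that a `CookieJar` provides, which is the AttributeError shown earlier in the thread.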
Thanks! Even a 4 hour hack is good enough to get started---- I saw that
you were using CookieJar, and tried implementing my own very crappy one...
When I googled it I found the HTTP.cookiejar library, but didn't realize it
was python3 and not python 2.. and so it wasn't working.
I started googling cookiejar, but fortunately you responded quicker..
Thanks again!
On Fri, Nov 30, 2018 at 9:59 AM Bailey Townsend ***@***.***> wrote:
Yep! I had tried doing a dict as well didn't like that. It is expecting a
"CookieJar". If you plug your rtFA and FedAuth values into where it says
"rtFaValue" ,"FedAUth", and site where it says domain into my code example
above using Http.cookiejar Python3
<https://docs.python.org/3/library/http.cookiejar.html> or Cookielib
Python 2 <https://docs.python.org/2/library/cookielib.html> into a cookie
jar then pass it as the authcookie parameter it should work perfectly for
you, did for me last night when i tested it. Now for how long it'll keep
you authenticated i do not know. Also if you wanted to get real crafty.
Let's say you use Google Chrome, you can search the cookie sqlite db for
the cookie values to automate it. But it needs to be put into a CookieJar
for SharePlum authCookie to accept it.
--
David A Gutman MD PhD
Assistant Professor of Neurology, Psychiatry & Biomedical Informatics
Emory University School of Medicine
Staff Physician, Mental Health Service Line
Atlanta VA Medical Center
|
Glad I was able to help out! Hope it all works out for you and good luck! |
Not sure if this is a related issue but I'm also trying to connect to a corporate Sharepoint site hosted on Office365 but I get the following error: SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /extSTS.srf (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')",),)) |
@nekro9t2 Looks to be an error when making the call to Microsoft's servers. I found this and it may help. Looks like it may be an issue with your version of requests or its dependencies? If you like you can post your code with user credentials and site bleeped out and I can see if I can spot anything. |
Here's the code I'm using:
from shareplum import Site, Office365
authcookie = Office365('https://.sharepoint.com', username='', password='').GetCookies() |
I don't see anything unusual in what you have. It should work. May try from a different internet connection or I would try this? It looks to be one of SharePlum's dependencies, not SharePlum itself, causing the issue. |
Were you able to get this working? I am having a similar issue. I tried checking PyOpenSSL without much luck. If possible can you post the version of the same which is working for you? |
It’s probably a special character in your password causing the issue. Can try this branch and it should have the patch in it or give you a better error. #52 |
@fatfingers23 Thanks for your workaround by getting cookie from browser manually which worked for me. In my case, "expires" value is 5 days (not 4 hrs), so it gives enough time to do something. Being behind firewall, I also set proxy before calling shareplum: |
Regarding the cookiejar approach, why don't you just use browser_cookie3 to grab your rtFa and FedAuth from your browser where you've recently authenticated w/ SharePoint server? I couldn't get SharePlum to work, but this approach worked for me to build headers and just use the REST API. I grab the cookies from my browser, build a header dictionary with those two token strings, then just use a regular requests.get call. |
Your way would work perfectly for someone who is using this library on their computer and uses Sharepoint regularly. I'm glad you were able to find a solution that worked out for you. There are two reasons I chose to do it this way. The tokens have a 4 or 6 hour lifetime. After that you have to get a new one. Would not be an issue on a computer you interact with Sharepoint daily. The second reason is if someone used this library on a server, an example would be with Django. You're not going to have a web browser on that server you're using to connect to Sharepoint. A side note, Shareplum only uses SOAP endpoints to be able to support 2010 Sharepoint and newer versions. There are lots of new nicer ways to connect to Sharepoint now via the REST API. Auth tokens would really be the best implementation here so the library never has to see your username and password. This may also be why it does not work for you, the admin may have SOAP endpoints turned off. If you did want to post the exception you had with Shareplum I don't mind one bit looking at it and seeing if I have a solution. That is if you wanted to use the library. I wrote this feature a long time ago (in dev time) when I first started my journey writing code. This was actually my first ever merged PR. It's not the prettiest and I'm sure there are some bugs. |
Thanks for the explanation Bailey. This was mainly for @dgutman since it seemed easier than manually pulling rtFa and FedAUth from your browser cookies. I wasn't trying to suggest that this would be a viable long term solution, but just a way to make a workaround even easier. My org also uses SSO and I couldn't get any authentication method to work. requests-negotiate-sspi works on our on-premises instance of SP, but it wouldn't work on our O365 MS-hosted instance. I'll take some time next week to rerun the lines that were causing errors w/ SharePlum and post. I'd like to use SharePlum, but due to authentication issues, REST API might be an easier route. Thanks again. |
No need for the exception then! I think I know a solution. Just wanted to make sure you were able to access it and did not need any help. I have not worked/read through this library in a while. I believe they have added the REST API. With that the Office 365 authentication can be beefed up to modern standards and better adaptation to SSO for Office 365 use. I do not believe I will be implementing that in this library, unless it was a sought out feature and a lot of people needed it. Too many irons and too many fires. But I will leave some reference articles on it if anyone did see this and wanted to make a PR. I do believe for auth tokens to work you need to register the application via Active Directory. |
I see there is support for Office365 based sharepoint sites-- my site just migrated to this recently... I had previously used SharePlum to authenticate using the below module to pass my windows credentials to the sharepoint site... The current Office365 class requires User/Pass, before I try and hack away at this, I was wondering if anyone has run into this scenario? I think I'd need to modify the Class to make username/password optional and if they are None, try and use the module... but it's a bit confusing as it seems I have to connect to a Microsoft Login server, grab a token, and then use that token for the rest of my "basic" Shareplum requests.... However the Office365 module seems to be posting an XML DOC, which I would also have to figure out how to modify to somehow inject whatever "stuff" that , so I have a feeling it's not going to be particularly simple..
https://github.com/brandond/requests-negotiate-sspi/blob/master/README.md