We have a use case in our corporation in which ROPC is deemed secure in which we upload a file to a sharepoint folder. The user has been granted the contributor role. When we log onto sharepoint as the user, she can upload a file.
However, when we try to do the same through our application, we are getting 403 forbidden. Looking at the token we get through ROPC, I see the following:
Files.ReadWrite User.Read profile openid email
Why are we then getting 403 Forbidden when we try to upload the file?
A few more pieces of info:
Consent has been granted by the Administrator for the Delegated permission of Files.ReadWrite
.
Application Manifest has allowPublicClient
set to true
.
In testing this use case, we were able to retrieve a user profile without problem, but for some reason the Files.ReadWrite
says not authorized although the user can upload a file no problem from within Sharepoint.
Screenshot of API Permissions:
Failing Request:
POST /v1.0/sites/92a99e5f-bb3e-4588-9461-d640b59d52e2/drives/b!X56pkj67iEWUYdZAtZ1S4hDhiQyamFVEj8y19ROdYOKYReOmD1sXSoDAvyFjD733/root:/Miriams%20Folder/FMW%20Management%20EM12c.pptx:/microsoft.graph.createUploadSession HTTP/1.1
SdkVersion: graph-java/v2.4.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6InJNckJTQlBjNnlWZmVGVVZpbXhkYXEwdUpPMDNPQTFIWnZQQ01mV21uLUEiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83Y2I5M2QyOS0yZGRkLTQ5NDAtYTVjMC05NWM1MzY3NjJkOTAvIiwiaWF0IjoxNjA3MzU2NDk1LCJuYmYiOjE2MDczNTY0OTUsImV4cCI6MTYwNzM2MDM5NSwiYWNjdCI6MCwiYWNyIjoiMSIsImFjcnMiOlsidXJuOnVzZXI6cmVnaXN0ZXJzZWN1cml0eWluZm8iLCJ1cm46bWljcm9zb2Z0OnJlcTEiLCJ1cm46bWljcm9zb2Z0OnJlcTIiLCJ1cm46bWljcm9zb2Z0OnJlcTMiLCJjMSIsImMyIiwiYzMiLCJjNCIsImM1IiwiYzYiLCJjNyIsImM4IiwiYzkiLCJjMTAiLCJjMTEiLCJjMTIiLCJjMTMiLCJjMTQiLCJjMTUiLCJjMTYiLCJjMTciLCJjMTgiLCJjMTkiLCJjMjAiLCJjMjEiLCJjMjIiLCJjMjMiLCJjMjQiLCJjMjUiXSwiYWlvIjoiQVNRQTIvOFJBQUFBdUUvM3BaZjlXbE8ySWlaVkJlbzBURDFXK2VWR3o1RHN1YWNYRHF5VTU3WT0iLCJhbXIiOlsicHdkIl0sImFwcF9kaXNwbGF5bmFtZSI6ImFjY2VzcyBsZWVzIGZvbGRlciIsImFwcGlkIjoiOTkzNjQzNzktNDVhMC00ZGZhLTlkOTQtZDlhNDEwNTJjZDFjIiwiYXBwaWRhY3IiOiIwIiwiZmFtaWx5X25hbWUiOiJHcmFoYW0iLCJnaXZlbl9uYW1lIjoiTWlyaWFtIiwiaWR0eXAiOiJ1c2VyIiwiaXBhZGRyIjoiMjE2Ljk5LjE4MC4xNjMiLCJuYW1lIjoiTWlyaWFtIEdyYWhhbSIsIm9pZCI6IjZjODJiY2E3LTE5NjAtNGM1MS1iNjFjLWE3NDg3MTYyM2Y5ZiIsInBsYXRmIjoiMTQiLCJwdWlkIjoiMTAwMzIwMDBGMTZFRkNCRSIsInJoIjoiMC5BQUFBS1QyNWZOMHRRRW1sd0pYRk5uWXRrSGxETnBtZ1JmcE5uWlRacEJCU3pSeDFBTzAuIiwic2NwIjoiRmlsZXMuUmVhZFdyaXRlIG9wZW5pZCBwcm9maWxlIFJvbGVNYW5hZ2VtZW50LlJlYWQuQWxsIFJvbGVNYW5hZ2VtZW50LlJlYWQuRGlyZWN0b3J5IFVzZXIuUmVhZCBlbWFpbCIsInN1YiI6Im1MdTA4WFczc0RmNlF1c0lxZmVtRjViUUdySDlGYkRzQ0JLZ2w1RnljcXMiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiTkEiLCJ0aWQiOiI3Y2I5M2QyOS0yZGRkLTQ5NDAtYTVjMC05NWM1MzY3NjJkOTAiLCJ1bmlxdWVfbmFtZSI6Ik1pcmlhbUdAdDg3N3NyZi5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJNaXJpYW1HQHQ4NzdzcmYub25taWNyb3NvZnQuY29tIiwidXRpIjoiR3U5V2FfalRORXFHSUJrdS0xaTlBQSIsInZlciI6IjEuMCIsIndpZHMiOlsiYjc5ZmJmNGQtM2VmOS00Njg5LTgxNDMtNzZiMTk0ZTg1NTA5Il0sInhtc19zdCI6eyJzdWIiOiJDQTFnQkttVU9nLVplc3otMEFmOWF1VVFHOHY0a283MlNoVGp1eEFlSjFNIn0sInhtc190Y2R0IjoxNjAzNzI3NjA4fQ.x5xY4qWUKQdYNOwlj0GWP0f8ICT10ojCQ1CKUoffDYm2W5FGKUMOZPx11dhZv6W2ye1Tm0v3Yd6lMm9nWOkXf5LhILLmLptX1SCA7K0fQ-ttgZRhFrtPf3_sEycaTDMTSIS4WtoDlQ1Z3kjv17F0N56cxWnmZli9YFPJCD54YZZingBzfZI4pd96XvuE9aVaZiB1P92kg7veMIjYczgvDgMijtTSnVgzzF06Uip0eRG5oQhnmz1VwLG2djJFPeu6Xm2zvsIF4-FTxDzEmjq-JQVo2GupAUVxVtUyZyrEsGupu763gpEfOvkgusKPnByZdPXGA1cPksosAA0fe4kbnA
Accept: */*
SdkVersion: graph-java-core/v1.0.5 (featureUsage=0) java/1.8.0_131
client-request-id: edea4a1e-b722-4980-a688-ce1699af69bd
Content-Type: application/json
Content-Length: 11
Host: graph.microsoft.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0-RC1
Failing Response (ROPC):
HTTP/1.1 403 Forbidden
Cache-Control: private
Content-Type: application/json
request-id: f00286fd-5ae6-488e-afd6-475ae7846906
client-request-id: edea4a1e-b722-4980-a688-ce1699af69bd
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Central US","Slice":"SliceC","Ring":"2","ScaleUnit":"000","RoleInstance":"AGSFE_IN_71"}}
Strict-Transport-Security: max-age=31536000
Date: Mon, 07 Dec 2020 15:59:59 GMT
Content-Length: 279
Successful Request (client_credentials)
POST /v1.0/sites/92a99e5f-bb3e-4588-9461-d640b59d52e2/drives/b!X56pkj67iEWUYdZAtZ1S4hDhiQyamFVEj8y19ROdYOKYReOmD1sXSoDAvyFjD733/root:/Miriams%20Folder/FMW%20Management%20EM12c.pptx:/microsoft.graph.createUploadSession HTTP/1.1
SdkVersion: graph-java/v2.4.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6Imp0M3ZlaW5pVkZPZTc1R0I5RG40Uk0ydEJlWTRkUEZOYTFiaDQwR1RFMmMiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83Y2I5M2QyOS0yZGRkLTQ5NDAtYTVjMC05NWM1MzY3NjJkOTAvIiwiaWF0IjoxNjA3MzcyMDQxLCJuYmYiOjE2MDczNzIwNDEsImV4cCI6MTYwNzM3NTk0MSwiYWlvIjoiRTJSZ1lIZ2hFR1ZwODBpdXhmcFl2V3ZYa1Y4YUFBPT0iLCJhcHBfZGlzcGxheW5hbWUiOiJhY2Nlc3MgbGVlcyBmb2xkZXIiLCJhcHBpZCI6Ijk5MzY0Mzc5LTQ1YTAtNGRmYS05ZDk0LWQ5YTQxMDUyY2QxYyIsImFwcGlkYWNyIjoiMSIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzdjYjkzZDI5LTJkZGQtNDk0MC1hNWMwLTk1YzUzNjc2MmQ5MC8iLCJpZHR5cCI6ImFwcCIsIm9pZCI6IjllNWIzYzM1LWNjYzAtNDk5Zi04NjExLTA2Yjc2MmM0NzNlYiIsInJoIjoiMC5BQUFBS1QyNWZOMHRRRW1sd0pYRk5uWXRrSGxETnBtZ1JmcE5uWlRacEJCU3pSeDFBQUEuIiwicm9sZXMiOlsiU2l0ZXMuUmVhZFdyaXRlLkFsbCIsIkZpbGVzLlJlYWRXcml0ZS5BbGwiLCJVc2VyLlJlYWQuQWxsIl0sInN1YiI6IjllNWIzYzM1LWNjYzAtNDk5Zi04NjExLTA2Yjc2MmM0NzNlYiIsInRlbmFudF9yZWdpb25fc2NvcGUiOiJOQSIsInRpZCI6IjdjYjkzZDI5LTJkZGQtNDk0MC1hNWMwLTk1YzUzNjc2MmQ5MCIsInV0aSI6Ilg3aTdIa1N3VGttal9jMW5zbWNYQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfdGNkdCI6MTYwMzcyNzYwOH0.AIj32kpkwVZiU6OM038yb4m7KQkQZ65PYSYGgS0M_ONhymtxhq7c1XAY-oTTw6jSyApb7d8lI37er-Qi9f47KXvhfEZlrpG0lX4ZOBcuqbPQagOTETT6Tn6FI5LKtIRm7SP2rICNUNzLuXip5D3_3i4Oil0AENQfu4eLjXr6YA5yIfjp4JUx_Ylh8eV9B0QM-na2BZLdrI3RfM0SY2ifFArxcWKQoaNUDinHYE952Wb5-SdgiX16Bi5-dN6LJiIhu4kScn3pHVbbpunBbk7aDTaPaqFeO7uuLycPIIkbu7vStTVX0mmRUXeg2wL6bU9tWo5YT5X93hi7oMYpoyQkNg
Accept: */*
SdkVersion: graph-java-core/v1.0.5 (featureUsage=0) java/1.8.0_131
client-request-id: 147bd003-d380-49ec-aa5a-6f18adef0021
Content-Type: application/json
Content-Length: 11
Host: graph.microsoft.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0-RC1
Successful Response (client_credentials)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Location: https://graph.microsoft.com
Vary: Accept-Encoding
request-id: bc409fcf-f957-4477-8e02-05d06f4724f1
client-request-id: 147bd003-d380-49ec-aa5a-6f18adef0021
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Central US","Slice":"SliceC","Ring":"3","ScaleUnit":"002","RoleInstance":"AGSFE_IN_12"}}
OData-Version: 4.0
Strict-Transport-Security: max-age=31536000
Date: Mon, 07 Dec 2020 20:19:04 GMT
Content-Length: 1473
FOR SUCCESSFUL RUN, this is followed by
CONNECT t877srf.sharepoint.com:443 HTTP/1.1
Host: t877srf.sharepoint.com:443
Connection: Keep-Alive
User-Agent: okhttp/4.10.0-RC1
Plus all the chunking
Issue encountered was due to the simple fact that the folder we are uploading to is not the root folder. For root Folder, Files.ReadWrite is sufficient; for other folders the permission Files.ReadWrite.All is required.