SharePoint Online : Tokens and Mutli Factor Authentication in a WinForms App

Question

I have SharePoint online site that uses Multi Factor Authentication: I am presented with a login screen where I supply my username and password. After this I am taken to another popup where I can choose a second authentication method like Microsoft Authenticator, RSA Token, or Smartcard etc.

The idea behind my WinForm app is to also authenticate in the same way described above and once authenticated I will perform some actions on the SharePoint site (see WebFullUrl below) with my WinForm app. My knowledge is rather limited but I understand that I need to get a token before actually gaining access to the site. Please feel free to correct me where you can. :)

The biggest issue I am facing at the moment is for my app to get a token. This is my project until now.

using System.Security.Principal;
using System.Security;
using System.Diagnostics;
using PnP.Framework;
using Microsoft.SharePoint.Client;
using Microsoft.Graph;
using System.Globalization;
using Microsoft.Identity.Client;
using static System.Windows.Forms.VisualStyles.VisualStyleElement.TextBox;
using static System.Windows.Forms.VisualStyles.VisualStyleElement;
using static System.Formats.Asn1.AsnWriter;
using System.Windows.Interop;
using Microsoft.AspNetCore.Components;
using Microsoft.IdentityModel.Abstractions;

namespace AuthDemoWinForms
{
      public partial class MainForm : System.Windows.Forms.Form
      {
          private static readonly string[] scopesArray = ["User.Read", "Contacts.Read"];
          private static readonly string Username = "[email protected]";
          private static readonly string Password = "ThisIsMyPassword";
          private static readonly string AuthEndPoint = "https://login.microsoftonline.com/common/oauth2/token";
          private static readonly string ClientId = "00000003-0000-0ff1-ce00-000000000000";
          private static IPublicClientApplication? SharePointApplication = null;
          private static readonly string WebFullUrl = "https://domainname.sharepoint.com/teams/DEFILES/Shared%20Documents/Forms/AllItems.aspx";
    
          public MainForm()
          {
    
              InitializeComponent();
    
              SharePointApplication = PublicClientApplicationBuilder.Create(ClientId)
                  .WithDefaultRedirectUri()
                  .WithLogging(new IdentityLogger(EventLogLevel.Warning), enablePiiLogging: false)
                  .Build();
    
          }
    
          private void LoginButton_Click(object sender, EventArgs e)
          {
              if (SharePointApplication != null)
              {
                  Task<AuthenticationResult?> authenticationResultTask = GetTokenInteractively(SharePointApplication);
                  authenticationResultTask.Wait();
                  AuthenticationResult? authenticationResult = authenticationResultTask.Result;
                  OutputTextBox.Text = authenticationResult == null ? string.Empty : authenticationResult.Account.Username;
              }
          }
          private static async Task<AuthenticationResult?> GetTokenInteractively(IPublicClientApplication? publicClientApplication)
          {
              try
              {
                  return await publicClientApplication!.AcquireTokenInteractive(scopesArray)
                      .WithParentActivityOrWindow(new WindowInteropHelper(System.Windows.Application.Current.MainWindow))
                      .ExecuteAsync();
              }
              catch (Exception ex)
              {
                  Debug.WriteLine($"InnerException : {ex.InnerException}\nMessage : {ex.Message}\nStackTrace : {ex.StackTrace}");
                  return null;
              }
          }
          private static async Task<AuthenticationResult?> Login()
          {
              try
              {
    
              }
              catch (Exception ex)
              {
              }
              return null;
          }
      }
}

I have a question regarding .WithParentActivityOrWindow(new WindowInteropHelper(System.Windows.Application.Current.MainWindow)).

Will this present me with the Authentication Popup or do I need to still build a Dialogue that will handle this? Also, where and when do I need to enter my username and password?

As extra remark, it appears as if the Async Task doesn't finalise.

I am lost!

Answer 1

Initially, I registered one Azure AD application and granted SharePoint API permissions with admin consent:

Make sure to add redirect URI in Mobile and desktop applications platform and enable public client applications like this:

In my case, I used this GitHub sample by C Matkas and able to fetch access token to call SharePoint API with few changes in code.

Form1.cs:

using Microsoft.Identity.Client;
using System;
using System.Linq;
using System.Reflection.Emit;
using System.Security.Principal;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace AuthDemoWinForms
{
    public partial class Form1 : Form
    {
        private static bool loggeIn = false;
        private static readonly string[] scopes = { "https://your_domain_name.sharepoint.com/.default" };

        public Form1()
        {
            InitializeComponent();
        }

        private string GetCurrentPrincipal()
        {
            var currentUser = WindowsIdentity.GetCurrent();
            return currentUser.Name;
        }

        private async void Button1_Click(object sender, EventArgs e)
        {
            if (!loggeIn)
            {
                // Windows Auth
                WindowsIdentity current = WindowsIdentity.GetCurrent();
                WindowsPrincipal windowsPrincipal = new WindowsPrincipal(current);
                label1.Text = windowsPrincipal.Identity.Name;

                AuthenticationResult authResult = await Program.PublicClientApp.AcquireTokenInteractive(scopes)
                    .ExecuteAsync();

                // Print username if available
                if (authResult?.Account != null)
                {
                    label4.Text = authResult.Account.Username;
                }
                else
                {
                    label4.Text = "Unknown";
                }

                // Print access token if available
                if (authResult != null && authResult.AccessToken != null)
                {
                    textBoxToken.Text = "Access Token: " + authResult.AccessToken;
                }
                else
                {
                    textBoxToken.Text = "Access Token: Not available";
                }

                button1.Text = "Log Out";
                loggeIn = true;
            }
            else
            {
                await Logout();
                button1.Text = "Log In";
                loggeIn = false;
                textBoxToken.Text = ""; // Clear access token when logging out
            }
        }

        private async Task<AuthenticationResult> Login()
        {
            AuthenticationResult authResult = null;
            var accounts = await Program.PublicClientApp.GetAccountsAsync();
            var firstAccount = accounts.FirstOrDefault();

            try
            {
                authResult = await Program.PublicClientApp.AcquireTokenSilent(scopes, firstAccount)
                    .ExecuteAsync();
            }
            catch (MsalUiRequiredException ex)
            {
                System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");

                try
                {
                    authResult = await Program.PublicClientApp.AcquireTokenInteractive(scopes)
                        .WithAccount(accounts.FirstOrDefault())
                        .WithPrompt(Prompt.SelectAccount)
                        .ExecuteAsync();
                }
                catch (MsalException msalex)
                {
                    label1.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
                }
            }
            catch (Exception ex)
            {
                label1.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}";
            }
            return authResult;
        }

        private async Task Logout()
        {
            var accounts = await Program.PublicClientApp.GetAccountsAsync();
            if (accounts.Any())
            {
                try
                {
                    await Program.PublicClientApp.RemoveAsync(accounts.FirstOrDefault());
                    this.label1.Text = "User has signed-out";
                    this.label4.Text = "User has signed-out";
                }
                catch (MsalException ex)
                {
                    throw new Exception($"Error signing-out user: {ex.Message}");
                }
            }
        }

        private void Form1_Load(object sender, EventArgs e)
        {

        }
    }
}

Form1.Designer.cs:

namespace AuthDemoWinForms
{
    partial class Form1
    {
        private System.ComponentModel.IContainer components = null;

        protected override void Dispose(bool disposing)
        {
            if (disposing && (components != null))
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        private void InitializeComponent()
        {
            this.label1 = new System.Windows.Forms.Label();
            this.label2 = new System.Windows.Forms.Label();
            this.button1 = new System.Windows.Forms.Button();
            this.label4 = new System.Windows.Forms.Label();
            this.label5 = new System.Windows.Forms.Label();
            this.textBoxToken = new System.Windows.Forms.TextBox(); 
            this.SuspendLayout();
            // 
            // label1
            // 
            this.label1.AutoSize = true;
            this.label1.Location = new System.Drawing.Point(145, 34);
            this.label1.Name = "label1";
            this.label1.Size = new System.Drawing.Size(62, 13);
            this.label1.TabIndex = 0;
            this.label1.Text = "Anonymous";
            // 
            // label2
            // 
            this.label2.AutoSize = true;
            this.label2.Location = new System.Drawing.Point(23, 34);
            this.label2.Name = "label2";
            this.label2.Size = new System.Drawing.Size(116, 13);
            this.label2.TabIndex = 1;
            this.label2.Text = "Current Windows User:";
            // 
            // button1
            // 
            this.button1.BackColor = System.Drawing.Color.SkyBlue;
            this.button1.Location = new System.Drawing.Point(26, 103);
            this.button1.Name = "button1";
            this.button1.Size = new System.Drawing.Size(129, 23);
            this.button1.TabIndex = 2;
            this.button1.Text = "Login";
            this.button1.UseVisualStyleBackColor = false;
            this.button1.Click += new System.EventHandler(this.Button1_Click);
            // 
            // label4
            // 
            this.label4.AutoSize = true;
            this.label4.Location = new System.Drawing.Point(145, 63);
            this.label4.Name = "label4";
            this.label4.Size = new System.Drawing.Size(62, 13);
            this.label4.TabIndex = 4;
            this.label4.Text = "Anonymous";
            // 
            // label5
            // 
            this.label5.AutoSize = true;
            this.label5.Location = new System.Drawing.Point(23, 63);
            this.label5.Name = "label5";
            this.label5.Size = new System.Drawing.Size(90, 13);
            this.label5.TabIndex = 5;
            this.label5.Text = "Current Azure AD User: ";
            // 
            // textBoxToken
            // 
            this.textBoxToken.Location = new System.Drawing.Point(26, 143);
            this.textBoxToken.Multiline = true;
            this.textBoxToken.Name = "textBoxToken";
            this.textBoxToken.ReadOnly = true;
            this.textBoxToken.ScrollBars = System.Windows.Forms.ScrollBars.Vertical;
            this.textBoxToken.Size = new System.Drawing.Size(300, 100); // Adjust size as needed
            this.textBoxToken.TabIndex = 6;
            // 
            // Form1
            // 
            this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
            this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
            this.ClientSize = new System.Drawing.Size(800, 450);
            this.Controls.Add(this.textBoxToken);
            this.Controls.Add(this.label5);
            this.Controls.Add(this.label4);
            this.Controls.Add(this.button1);
            this.Controls.Add(this.label2);
            this.Controls.Add(this.label1);
            this.Name = "Form1";
            this.Text = "Form1";
            this.Load += new System.EventHandler(this.Form1_Load);
            this.ResumeLayout(false);
            this.PerformLayout();

        }

        #endregion

        private System.Windows.Forms.Label label1;
        private System.Windows.Forms.Label label2;
        private System.Windows.Forms.Button button1;
        private System.Windows.Forms.Label label4;
        private System.Windows.Forms.Label label5;
        private System.Windows.Forms.TextBox textBoxToken; 
    }
}

When I ran the WinForms application and clicked on Login button, pop-up window appeared to sign in like this:

If MFA is enabled for user, it will ask for two-factor authentication based on configured method:

After successful authentication, it displayed below screen with signed-in Azure AD username, along with access token value:

To confirm that, you can decode the access token by pasting it in jwt.ms website and check aud & scp claims to validate permissions:

I have one SharePoint site named sritestsite10 with below files in Shared Documents folder:

When I used generated token to call SharePoint API in Postman with below query, I got response with files details successfully like this:

GET https://domain_name.sharepoint.com/sites/sritestsite10/_api/web/GetFolderByServerRelativeUrl('Shared Documents')/Files

Response:

Reference: Modern authentication with Azure AD for WinForms (native) apps (cmatskas.com) by C Matkas