SharePoint OAuthAuthorize.aspx issue with contributors attempting to use on the fly authorisation

SharePoint 2013 online has a great new way of letting external web applications request authorization to read or update data on behalf of a user. You don’t even need an Office365 app, or anything; any web application will do.

Read this pretty great overview on MSDN.

In order to set this up, you basically just:

  • Create a new web application based on one of the many SharePoint app templates  (AppForSharePointWebToolkit is available using nuget … just get something that includes the magical TokenHelper.cs class);
  • Host your web application somewhere online, and make sure it is accessible over https.
  • Register an account using the Microsoft Seller dashboard
  • Generate a new ClientID and ClientSecret using the seller dashboard (you can’t use your own values here)
  • Go and stick the ClientID and ClientSecret values into AppSettings in your web application web.config

Right … so, if you don’t now how to do this, google it.

Anyway …

The issue is when you go to use TokenHelper.GetAuthorizationUrl to generate the URL which requests authorization for a given user on a site. MSDN documentation (and the implementation of the method) suggests that you need to include a “Scope” parameter, and that it will only succeed if the current user has the rights you are requesting.

This is all very well if you are an owner or site collection admin – most of the scopes will work for you: Web.Write, List.Read etc.

BUT … what happens when the current user happens to be a standard contributor, and some of your lists / folders happen to have unique permissions?

Unfortunately, none of these scopes will work … not Web.Read, List.Read … and there’s nothing lower than these. List.Read will only be granted if the current has the ability to Read all lists; something they clearly cannot do.

So – what’s the solution?

All the documentation I’ve come across seems to suggest that you must include this Scope parameter. But, it seems that you don’t actually need to.

So, you could just add something like this to TokenHelper.cs:

public static string GetAuthorizationUrlWithNoScope(string contextUrl)


            return string.Format(






This now works as expected, with standard contributors being able to authorize access to their SharePoint site. Queries across lists return only what they should see. They can upload files into folders they have permissions to.

Good times.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s