Making a REST call to the Office 365 Files API

In this post, I'll show how to make a REST call to the Office 365 Files API.

Note: There is a good article written by Matthias Leibmann, Program Manager on the Exchange team at Microsoft, on using OAuth to access Calendar, Contact and Mail API in Office 365.

It's not as easy as doing a "GET" request to a single endpoint. You first have to go through the OAuth flow, of course, because you want to get meaningful user data.

I'm using Advanced REST client, an app for Chrome that you can obtain in the Chrome Web Store.

It seems that a lot of people who develop on Windows use Fiddler, but I find it overly complicated and too heavy for this purpose. Advanced REST client is really lightweight and focuses on making REST requests and seeing responses. If you want more, check out Fiddler.

1. Assuming you have already registered your application with Azure (a post on how to do this will be coming up soon), you can simply paste the first request URL into your browser's address bar -- no need to use Advanced REST Client yet. The following is a GET request, so pasting it in the address bar works fine.

https://login.windows.net/common/oauth2/authorize?
response_type=code
&client_id=YOUR_CLIENT_ID_HERE
&resource=RESOURCE_HERE
&state=SOME_UNIQUE_STRING_HERE
&redirect_uri=YOUR_REDIRECT_URL_HERE

Resource looks like "https://dreamfactories-my.sharepoint.com" since you're making a call to the Files API endpoint, which is part of SharePoint/OneDrive for Business. If you're interested in Mail, you should call "https://outlook.office365.com" -- but for the purposes of this guide, we'll look at Files only.

Client ID looks like "08632ea7-3847-48b8-b43a-b99568e3a2c4", state is some unique string used to prevent CSRF (you can put something like "12345" for demo purposes), and redirect URI is the URL that you registered in AAD for where your users will be sent after authorization. Note that for the purposes of this demo, you don't actually have to point to something valid that is on your domain. You can just put "https://www.google.com", as long as it matches what you registered in Azure AD.

Press Enter and your browser redirects you to a login screen. Sign in with your tenant credentials. You'll want to use a user in the same tenant you registered this app to in Azure AD unless it's a multi-tenant app, in which case any other tenant would work too.

If your credentials are correct, you'll get redirected to the redirect URL you wanted, with the authorization code inserted as a query parameter at the end of the URL in the browser's address bar:

See that ?code= query parameter after https://www.google.com? That contains the authorization code. Copy that.

2. Make another request to obtain an access token so you can actually make calls to the resource. The POST request looks like this:

POST https://login.windows.net/common/oauth2/token

In the body of the request, put:

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
code=AUTHORIZATION_CODE_FROM_STEP_1&
grant_type=authorization_code&
redirect_uri=YOUR_REDIRECT_URL

Client ID is from Azure AD, Client Secret is the same as "Key" and is also from Azure AD. Code is the authorization code you obtained in Step 1. Grant type is authorization code because that is the information you are sending over. Redirect URI is what you registered on Azure AD.

The screenshot above shows what you should send and what you'd receive. Notice you get an access token. Copy that.

3. Make a request to get files from the user's OneDrive for Business. The GET request looks like this:

GET https://clippy-my.sharepoint.com/_api/v1.0/me/files

In the header of the request, put:

Authorization: Bearer {YOUR_ACCESS_TOKEN_FROM_STEP_2_HERE}

You'll be able to figure out what to put before /_api/files from the discovery service. A blog post on that will come soon. You'll get what looks like this:

Voila! The response contains your files!
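The three steps above in one script, as an added Python example (this is not code from the post): it builds the Step 1 URL with a randomly generated state, refuses a redirect whose state does not match the one it sent, builds the Step 2 token body, and issues the Step 3 request with the Bearer header. The endpoints and parameter names are the ones from the post; the tenant host, client ID, client secret and redirect URI are placeholders you would replace with your own.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints and parameter names are the ones used in the post. Any client ID,
# secret, tenant host or redirect URI passed in below is a placeholder.
AUTHORIZE_URL = "https://login.windows.net/common/oauth2/authorize"
TOKEN_URL = "https://login.windows.net/common/oauth2/token"


def build_authorize_url(client_id, resource, redirect_uri, state):
    """Step 1: the URL to open in the browser. `state` is echoed back on the
    redirect so the response can be tied to this request (CSRF protection)."""
    params = {"response_type": "code", "client_id": client_id,
              "resource": resource, "state": state, "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def extract_code(redirect_url, expected_state):
    """Pull ?code= out of the redirect URL, but only if state matches what we sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect did not originate from our request")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 2: form-encoded body for the POST to the token endpoint."""
    return urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret, "code": code,
        "grant_type": "authorization_code", "redirect_uri": redirect_uri}).encode()


def files_request(tenant_host, access_token):
    """Step 3: GET for the user's files, access token in the Authorization header."""
    return urllib.request.Request(f"https://{tenant_host}/_api/v1.0/me/files",
                                  headers={"Authorization": f"Bearer {access_token}"})


def run_flow(client_id, client_secret, tenant_host, redirect_uri):
    """Ties the steps together interactively; this part makes real network calls."""
    state = secrets.token_urlsafe(16)
    print("Open in browser:", build_authorize_url(
        client_id, f"https://{tenant_host}", redirect_uri, state))
    code = extract_code(input("Paste the URL you were redirected to: ").strip(), state)
    token_req = urllib.request.Request(
        TOKEN_URL, data=build_token_request(client_id, client_secret, code, redirect_uri))
    with urllib.request.urlopen(token_req) as resp:
        access_token = json.load(resp)["access_token"]
    with urllib.request.urlopen(files_request(tenant_host, access_token)) as resp:
        return json.load(resp)
```

Call `run_flow("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "yourtenant-my.sharepoint.com", "https://www.google.com")` with your own values to walk through the flow; the returned dictionary is the Files API response.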

As promised, posts on Azure AD app registration and Discovery Service will come soon. Check this blog regularly for updates!