10

I have the following code in my SharePoint add-in (SharePoint Online). Simple code just to load the list items, the code works fine

    $.ajax({
        url: appweburl + "/_api/web/lists/getbytitle('MyList')/items",
        type: "GET",
        headers: { "Accept": "application/json;odata=verbose" },
        cache: false,
        success: function (data) {
            alert('Successfully obtained data.');
        },
        error: function (data) {
            alert(data);
        }
    });

My confusion is, I am not passing any access token and from what I know the access token is required to let the add-in access data. So how is this working?

Arjuna
  • 171
  • 3

1 Answers1

5

The browser passes over the FedAuth cookie with the XHR request, and that authenticates you.

James Love
  • 25,512
  • 2
  • 45
  • 77
  • But FedAuth only appears in some condition (FBA, ADFS etc), In my configuration there's no FedAuth, do you know how the rest API is authenticated in SharePoint in that case (windows claims + NTLM)?, see my post http://sharepoint.stackexchange.com/questions/184214/why-sharepoint-2013-does-not-have-fedauth-cookie-in-some-condition – Wint Jun 27 '16 at 09:23
  • If you're using NTLM it'll be using the Bearer HTTP Header. – James Love Jun 27 '16 at 13:00
  • In my environment the SharePoint pages are authenticated in standard NTLM procedure (server respond with WWWAuthenticate: NTLM and so on), however, after authenticated, I cannot find any token like things in subsequent successful api call. (I have manually cleared cookie WSS_KeepSessionAuthenticated), I wonder how SharePoint authenticate/associate these api call with current user. I can post a new question if my description is not clear here and invite you, Thanks a lot! – Wint Jun 27 '16 at 15:45