Dec 12
Understanding OAuth tokens and their lifetime

I received a question in email the other day – what is the lifetime of a SharePoint OAuth token? Interesting question, so I did some research.

First, go read Kirk's post on the content of SharePoint's app tokens: Inside SharePoint 2013 OAuth Context Tokens

So, the token is a JWT: three base64url-encoded segments (a header, a JSON set of claims, and a signature), which means the claims are readable by anyone holding the token. The property that we want to understand is the expiration value. (Well, actually the delta between "Not valid before" (the nbf claim) and "Expires" (the exp claim).) To find out the answer, I followed Kirk's post to grab a token from Fiddler. Then, I used some NuGet goodness to look at the token. Microsoft has published a NuGet package that contains a helper library for JWT tokens: System.IdentityModel.Tokens.JWT

Using this library, you can perform basic operations on the token:

// Parses the compact JWT string only; this does NOT verify the signature or the lifetime.
var at = new JwtSecurityToken(accessToken);
var lifetime = at.ValidTo - at.ValidFrom;   // exp minus nbf
Console.WriteLine("Access Token lifetime: {0}", lifetime);

Turns out that the answer to the question is 1 hour. (Actually 65 minutes.)

There are some interesting methods in the System.IdentityModel.Tokens.JWT library, notably ValidateToken on JwtSecurityTokenHandler. I mention this because if you are processing tokens in your code, you *really* should make sure that they are valid: the JwtSecurityToken constructor only parses the string, it does not check the signature, the lifetime, or who the token was issued by and for. So, instead of just using the constructor, use the JwtSecurityTokenHandler class, and give it the issuer, audience and signing key you expect; an empty TokenValidationParameters has nothing to check against:

var h = new JwtSecurityTokenHandler();
SecurityToken at = null;
// Pin what you expect (placeholders for your own configuration; property names as in the current version of the package).
var p = new TokenValidationParameters { ValidIssuer = expectedIssuer, ValidAudience = expectedAudience, IssuerSigningKey = signingKey };
var principal = h.ValidateToken(accessToken, p, out at);   // throws on a bad signature, lifetime, issuer or audience

To learn more about token validation, read Vittorio's post: http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/
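The same two steps, parsing the token to measure its lifetime and then actually validating it, as an added Python example that does not depend on the .NET library. This is not code from the post: Kirk's captured token is not reproduced, so a token is constructed here with an HS256 signature over assumed issuer, audience and key values, and the gap between nbf and exp is the 65 minutes the post measured. The check order is what any validator, including JwtSecurityTokenHandler, has to perform: pin the algorithm, verify the signature, then check the lifetime, issuer and audience.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; none of these come from a real SharePoint tenant.
SIGNING_KEY = b"constructed-client-secret-not-a-real-one"
ISSUER = "https://issuer.example"          # assumed issuer (iss claim)
AUDIENCE = "app.example"                   # assumed audience (aud claim)
NOT_BEFORE = 1386830000                    # nbf, seconds since the epoch
EXPIRES = NOT_BEFORE + 65 * 60             # exp, 65 minutes later (the value the post measured)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT so the example runs offline (sample issuer only)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_jwt(token: str):
    """Split and decode a compact JWT WITHOUT checking anything, which is all the
    JwtSecurityToken constructor does. Returns header, claims, signature, signed bytes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signature, signing_input


def token_lifetime(token: str) -> int:
    """Seconds between nbf ('not valid before') and exp ('expires')."""
    _, claims, _, _ = parse_jwt(token)
    return int(claims["exp"]) - int(claims["nbf"])


def validate_jwt(token: str, key: bytes, issuer: str, audience: str,
                 now=None, leeway: int = 300) -> dict:
    """Verify signature, time window, issuer and audience; return the claims or raise."""
    header, claims, signature, signing_input = parse_jwt(token)
    # Pin the algorithm: never let the token's own header choose it
    # (rejects alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else int(now)
    if now + leeway < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if now - leeway >= int(claims["exp"]):
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("unexpected audience")
    return claims


SAMPLE_TOKEN = make_hs256_token(
    {"iss": ISSUER, "aud": AUDIENCE, "nbf": NOT_BEFORE, "exp": EXPIRES,
     "nameid": "user@example"}, SIGNING_KEY)

if __name__ == "__main__":
    print("Access Token lifetime (s):", token_lifetime(SAMPLE_TOKEN))
    print(validate_jwt(SAMPLE_TOKEN, SIGNING_KEY, ISSUER, AUDIENCE, now=NOT_BEFORE + 60))
```

The 300-second leeway mirrors the clock-skew allowance validators typically apply; without it a token whose nbf is a few seconds in the future (the issuer's clock running ahead) is rejected. Use whatever key and algorithm your issuer actually uses; HS256 with a shared key is used here only so the example runs offline.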

But, I didn't stop there. What about refresh tokens?

Using the JwtSecurityToken class did not work with the refresh token. Thinking I knew more than Microsoft, I manually tried to decode the token, with no luck. So, when all else fails, read the manual, right?

RFC 6749 OAuth 2.0 October 2012

1.5. Refresh Token

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1).

A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.

http://tools.ietf.org/html/rfc6749

 

Opaque to the client means that the token is not intended to be decoded or decrypted by the client. You just cache it and present it to the token endpoint whenever you need a new access token. Since issuing refresh tokens is at the discretion of the authorization server, the authoritative source for SharePoint refresh tokens is Microsoft. And their description of refresh tokens is not necessarily clear on the matter:

Handling Refresh Tokens

Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

From <http://msdn.microsoft.com/en-us/library/azure/dn645536.aspx>

 

So, what do we do about refresh tokens? One thing to keep in mind is that every time you get an access token from SharePoint, you also get a refresh token. So, whenever your application uses the refresh token to get a new access token, replace the stored refresh token with the new one that arrives alongside the access token, and if the token endpoint answers with invalid_grant or interaction_required, discard the refresh token and send the user back through authorization. Because a refresh token is a long-lived credential that anyone holding it can redeem, store it with the same care as a password: encrypted at rest and never written to logs. In most scenarios, this should suffice.
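The rotation rule above, together with the error handling from the MSDN excerpt, as an added Python example; this is not the post's code and not a Microsoft library. The token endpoint is a constructed stand-in that mints random tokens and revokes a refresh token once it has been used, which is exactly why the client must keep only the newest one; a real SharePoint/ACS token endpoint is an HTTPS POST, and the error strings are the OAuth ones quoted above.

```python
import secrets
import time


class ReauthorizationRequired(Exception):
    """The cached refresh token is dead; a new authorization code is needed."""


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.
    It rotates the refresh token on every use and rejects reuse of an old one."""

    def __init__(self, access_lifetime=65 * 60):
        self.access_lifetime = access_lifetime   # matches the 65 minutes measured above
        self.valid_refresh = set()

    def issue_from_code(self, code):
        # A real server validates the authorization code; here we just mint tokens.
        return self._mint()

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            # RFC 6749 section 5.2: an invalid, expired or revoked refresh token is invalid_grant.
            return {"error": "invalid_grant"}
        self.valid_refresh.discard(refresh_token)   # the presented refresh token is now dead
        return self._mint()

    def _mint(self):
        rt = secrets.token_urlsafe(16)
        self.valid_refresh.add(rt)
        return {"access_token": secrets.token_urlsafe(16),
                "expires_in": self.access_lifetime,
                "refresh_token": rt}


class TokenCache:
    """Client-side cache that replaces the stored refresh token on every refresh."""

    FATAL = {"invalid_grant", "interaction_required"}   # from the MSDN excerpt

    def __init__(self, endpoint, clock=time.time, skew=300):
        self.endpoint, self.clock, self.skew = endpoint, clock, skew
        self.access_token = self.refresh_token = None
        self.expires_at = 0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        if "refresh_token" in resp:       # rotate: keep only the newest refresh token
            self.refresh_token = resp["refresh_token"]

    def authorize(self, code):
        self._store(self.endpoint.issue_from_code(code))

    def get_access_token(self):
        # Refresh a little early so a token is not presented moments before it expires.
        if self.access_token and self.clock() + self.skew < self.expires_at:
            return self.access_token
        if not self.refresh_token:
            raise ReauthorizationRequired("no refresh token cached")
        resp = self.endpoint.refresh(self.refresh_token)
        if "error" in resp:
            if resp["error"] in self.FATAL:
                self.refresh_token = None   # discard it, then request a new authorization code
                raise ReauthorizationRequired(resp["error"])
            raise RuntimeError(resp["error"])   # transient: keep the refresh token, retry later
        self._store(resp)
        return self.access_token


def demo():
    """Authorize, let the access token age out, refresh, and show the old refresh token is dead."""
    now = [1_000_000]
    endpoint = FakeTokenEndpoint()
    cache = TokenCache(endpoint, clock=lambda: now[0])
    cache.authorize("constructed-auth-code")
    first_access, first_refresh = cache.access_token, cache.refresh_token
    now[0] += 4000                                  # past the 65-minute lifetime
    second_access = cache.get_access_token()
    rotated = cache.refresh_token != first_refresh
    stale_reuse = endpoint.refresh(first_refresh)   # reusing the old one fails
    return first_access != second_access, rotated, stale_reuse.get("error")


if __name__ == "__main__":
    print(demo())
```

A client that keeps the first refresh token it ever received works only until the server revokes it; with a rotating server that is the very next refresh, which is why the cache overwrites the stored token every time.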

 

Dec 03
MSIS7102: Requested Authentication Method is not supported on the STS

A quick post, which if it gets enough Search Engine love will save someone else time…

In response to a customer issue in which an iPad on the corporate network could not log on to an ADFS 3.0 (Windows Server 2012 R2) secured resource, I saw the above error in Event Viewer on the federation servers. The federation farm was set up in a typical architecture:

http://i.technet.microsoft.com/dynimg/IC698143.jpg

In this architecture, combined with a split DNS entry for the AD FS endpoints, external clients resolve the federation service name to the proxy servers and internal clients (on the corporate network) resolve it to the federation servers.

The default authentication policy for ADFS 3.0 is Forms Authentication for the Extranet and Windows Authentication (IWA) for the Intranet. You can see these settings in AD FS Manager under Authentication Policies, or in PowerShell.

If you recall, the scenario that was failing was an iPad on the intranet. Since the iPad is not domain-joined, Windows Authentication will fail. AD FS does provide for "falling back" to a different authentication method, and the property WindowsIntegratedFallbackEnabled was set to True. However, fallback only works if another provider is enabled for the Intranet, and none was, so there was nothing to fall back on. (For more information about which browsers and clients will use Windows Authentication, refer to Configuring intranet forms-based authentication for devices that do not support WIA.)

To resolve my issue, I enabled Forms Authentication on the Intranet. Even though the authentication provider name is "FormsAuthentication", this is not the FBA approach that you may remember from .Net/SharePoint with membership providers. It is the AD FS sign-in page, which collects the user name and password in an HTML form and submits them to the federation service over TLS, so it must only ever be exposed over HTTPS.

Now that there is another authentication method available, the AD FS logic for deciding when to use IWA applies. And since the iPad's user agent string is not in the list of agents AD FS treats as IWA-capable (the WIASupportedUserAgents property), the server renders the login form instead.

HTH!

Mar 17
SharePoint 2013 REST filter for Yes/No fields

Did you know that if you search for Odata filter examples on boolean fields you will be sorely disappointed?

I did, however, find this wonderful tidbit today:

…behind the scenes, that No has been stored as a 0. If you had said Yes, it would have been stored as a 1. SharePoint knows how to interpret this and will display these 1s and 0s as Yes and No for your convenience.
Read more: http://sdt.bz/33246#ixzz2wFm8PK3c

So, in a $filter clause, compare a Yes/No field to 1 or 0 rather than to the words Yes and No.

Feb 18
SharePoint REST syntax for methods

From http://msdn.microsoft.com/en-us/library/office/dn292556.aspx

To specify multiple parameters, include the parameter as a name-value pair, and separate the parameters with commas. For example:

http://server/site/_api/web/getAvailableWebTemplates(lcid=1033, includeCrossLanguage=true)

So, when trying to activate a feature using the Add method, the documentation lists only the parameter names:

POST syntax
POST http://<sitecollection>/<site>/_api/web/features/add(featureId,force,featdefScope)
Resource parameters
featureId
force
featdefScope

What you really need is the name=value form with typed literals: a guid'' prefix on the feature ID, a lowercase boolean, and the scope as the integer value of SP.FeatureDefinitionScope (2 is Site):

_api/web/features/add(featureId=guid'7845d9e1-238d-4591-a1b3-83e06bd29ee5',force=false,featdefScope=2)

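As an added example (not from the original posts or from Microsoft's documentation), a small Python helper that renders the typed literals the two REST posts above rely on (guid'', lowercase booleans, integers, datetime'', and quoted strings with embedded single quotes doubled), builds the name=value method call, and writes a Yes/No column filter as 1/0 as the earlier post describes. The feature GUID is the one from the post; the site URL, list name and filter values are constructed.

```python
import uuid
from datetime import datetime
from urllib.parse import quote


def odata_literal(value):
    """Render a Python value as a SharePoint 2013 REST (OData v3) literal."""
    if isinstance(value, bool):                 # must precede int: bool subclasses int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, uuid.UUID):
        return "guid'%s'" % value
    if isinstance(value, datetime):
        return "datetime'%s'" % value.strftime("%Y-%m-%dT%H:%M:%S")
    if isinstance(value, str):
        # Double embedded single quotes so a value such as O'Brien cannot close the
        # literal and smuggle extra filter clauses into the query.
        return "'%s'" % value.replace("'", "''")
    raise TypeError("no OData literal for %r" % type(value))


def method_call(path, **params):
    """path(name=literal,name=literal,...), the form the features/add example needs."""
    args = ",".join("%s=%s" % (name, odata_literal(v)) for name, v in params.items())
    return "%s(%s)" % (path, args)


def filter_eq(field, value):
    """$filter=field eq literal. Yes/No columns are stored as 1/0, so booleans become ints."""
    if isinstance(value, bool):
        value = 1 if value else 0
    return "$filter=%s eq %s" % (field, odata_literal(value))


def query_url(site, path, *query_parts):
    """Join a site URL, an _api path and query options, percent-encoding the query."""
    base = "%s/%s" % (site.rstrip("/"), path)
    encoded = "&".join(quote(p, safe="=$',()") for p in query_parts)
    return base + "?" + encoded if encoded else base


if __name__ == "__main__":
    print(method_call("_api/web/features/add",
                      featureId=uuid.UUID("7845d9e1-238d-4591-a1b3-83e06bd29ee5"),
                      force=False, featdefScope=2))
    print(query_url("https://sharepoint.example/sites/dev",           # constructed site
                    "_api/web/lists/getbytitle('Tasks')/items",       # constructed list
                    filter_eq("Active", True)))
```

The quote-doubling in odata_literal is the part worth copying: a $filter assembled by string concatenation from user input is an injection point in the same way a SQL string is, and the literal rules are the only escaping OData offers.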
Feb 18
Setting Workflow Status

A recent project required a workflow that routed approval through various departments and had a somewhat complex process once the item was approved. As I was exploring the various options in Visual Studio and SharePoint Designer, I came across a difference between the two environments. I thought it would be worth sharing, so I’ve published an article on my site: Setting Workflow Status in Visual Studio and SharePoint Designer

Nov 12
Webcast: Delivering Solutions with SharePoint 2013

I am excited to announce that I will be delivering a webcast for Critical Path Training for developers. The Developing Solutions with SharePoint 2013 Webcast is being offered January 6-14 during the afternoons (Eastern Time).

This webcast is an ideal delivery mechanism for students who need to learn more about SharePoint 2013 development but do not have the time or budget to travel to a training center for an entire week. The lecture and Q&A are condensed into an afternoon, and the lab exercises are optional and can be completed on your own schedule. Of course, completing the labs after the lecture ends will offer the best experience. But sometimes work gets in the way.

Registration is now open at http://www.criticalpathtraining.com/events/wc-spt2013-developing-solutions-with-sharepoint-2013-webcast-developer-january-2014/

I hope to see you online!

Nov 11
Passing mention of me on the Microsoft Cloud Show podcast

A few weeks back, I presented at the SharePoint intersections conference in Las Vegas. This was a terrific show! The conference was actually a collection of shows covering SharePoint, SQL, Development and web topics (called AngleBrackets).

One evening, the SharePoint speakers gathered in a palatial room occupied by Andrew Connell and Dan Holme. (See what talent at the BlackJack table can get you!) AC and Chris Johnson broke out their microphone and recorded an episode of their new podcast: the Microsoft Cloud Show.

The show has a wide range of opinions and comments. Anything attributed to me is purely by accident – I was only there for the beer! But I encourage you to give the show a listen.

Nov 07
Consuming the SharePoint REST API using WCF Data Services

Over the last week, I have been working on a sample application and companion document that discusses using WCF Data Services to consume the SharePoint REST API. The WCF library provides strongly-typed objects and manages the communication infrastructure when interacting with OData services.

The document is 15 pages, making it a bit too large for a blog post or web article. I am looking into methods for getting this document published. I appreciate any feedback. Thanks!

(Screenshots: sample app home, site list info, list edit, product list.)

Nov 01
Metadata endpoint for SharePoint 2013 REST

At the DevIntersections conference this week in Las Vegas, the speakers in the SharePoint track were gathered in the “intersections” room waiting for the seats to be set up. (An intersection is where the attendees and speakers can intersect during a break in the sessions. Sometimes it is called a Q&A.) The topic of the metadata endpoint for a REST interface came up, and Rob Lefferts (PM for the Office Apps team) mentioned that he thought it was released in a CU for on-premises installations. This was encouraging news!

I had a VM with the March CU on it. (It just so happens that it is a VM I use to teach the GSA2013 course for Critical Path.) So, I thought I would start applying CUs to see if/when I could find the metadata endpoint.

Well, turns out that I didn’t have to apply too many. The April 2013 CU has it!!

(Screenshot: the metadata endpoint responding.)

Oct 18
Have you helped someone recently?

I have a Surface RT. I put the Win 8.1 preview on it minutes after leaving the store, and have enjoyed the experience.

Until yesterday. The 8.1 RTM upgrade would not kick in. I tried every troubleshooting tactic suggested by every web site I could find. I even reset the device to the factory settings. Nothing.

I finally gave up. I really wanted to avoid lugging the big laptop all over the upcoming conferences (Intersections in Vegas, SPLive! in Orlando) but I had resigned myself to doing so.

But then I received a tweet from Gabor Fari (@gaborfari). I had no idea who he was, but he took the time to reach out. So I looked at his Twitter profile. Works for Microsoft. Maybe he knows something I don’t. But his title is “Director, Business Development and Strategy, Health & Life Sciences.” In New Jersey. Not exactly the technical creds I was hoping to see.

Gabor’s suggestion was the page to buy Windows 8. There is a big download button on that page. Unless you browse from a Surface RT with the 8.1 preview. In that case it is just a link. Gabor then suggested the ms-windows-store:WindowsUpgrade shortcut. (Which, by the way, is the URL of the link I was seeing on the page.) I had tried this a dozen times over the last two days, but I clicked on the link on the Surface. I figured I owed it to Gabor. While I was typing the “been there, done that” response in the Twitter window on my main machine, the upgrade launched!

Holy Crap!!!

I credit Gabor for his pay-it-forward attitude. (He claims it was pixie dust. That is OK with me!) Just a ‘softie hanging out on Twitter, trying to make life better for others. Job Well Done Gabor!
