How to access files in a sharepoint library through http nodes?

Hi everyone,

I have been struggling with creating a http request node or nodes that will access excel files in a specific sharepoint folder in my organisation instead of granting access to all sites and files.

My Graph app is fully configured, with the following app permissions for which I also have granted admin consent:

As you can see I am not using scopes like “Sites.Read.All” or “Files.Read.All” to limit the http request to a particular folder in a sharepoint library.

The corresponding credential for graph app is configured in n8n and connected. I have added the OAuth Redirect URL in Entra in the Authentication menu option of the registered app.

I have written down my drive id, site id and item id (that of the folder with the files)

After many attempts of assigning permissions to individual items in sharepoint manually through entering headings and body parameters in http request nodes I keep seeing 401 and 403 errors that hint at problems with credentials and insufficient permissions to access the files. I have tried both setting authentication to none and using the generic credential type with my configured n8n OAuth2 API for the graph application.

Can I count on someone’s help? How can I set up a http node workflow that would allow me to access and use the excel files in a sharepoint library? Since I have only started out recently with n8n a step by step guide with screenshots would be a relief after days of being stuck.

All the best,
David

It appears you are mixing up Microsoft’s 2 different types of Oauth.

Delegated Type

If you have created a “system” user for “delegated” Oauth access, that user must be granted permission to access the specific files/folders. Then, if you:

  • “connect” your Microsoft Graph Security Oauth2 API Credentials item, using that “system” user
  • accept all the granted (delegated) permissions
  • the node functions should work without getting 401/403/etc.

Application Type

If you need to use the “application” type Oauth

  • Create a generic OAuth2 API credential type, set the Grant Type to Client Credentials
  • configure the Access Token URL, Client ID, etc.
  • There is no user associated with this type of credential, so granting granular permissions to a particular user won’t affect anything.

Thanks hubschrauber for your feedback. A user is assigned to the app that I have created on Entra. This user also has been granted direct access to the folder of interest in sharepoint.

What does a custom http request workflow need to look like to receive the token, refresh it, and to access the items in a given sharepoint folder?

Thanks in advance!

Update:

Adding Sites.Read.All and Files.Read.All permissions circumvents the authorization problem when trying to run the nodes, of course, but I treat it only as a quick fix, while I am looking for how to get it done by configuring the permissions that contain “SelectedOperations”. With these I should be able to allow the application to access files, lists, and sites explicitly permissioned to the application on behalf of the signed in user.

The specific files and the permissions granted for the app need to be configured in SharePoint Online or OneDrive, though. Since I have not done it yet, this may cause the authorization errors in http request nodes.

How can I do that? Where do I find these settings in Sharepoint?

The various Oauth2 Credential types must be connected using a specific user, which stores an access token and a refresh token in the background. When everything is working as expected, any node, including the HTTP Request node that uses the credentials item will result in a background sequence like:

  • Use stored access token for request
  • If “expired access token”
    • Use stored refresh token to get a new access token (and probably also an updated refresh token)
    • If “expired refresh token” - fail - require re-authenticate
    • else re-attempt request with new access token
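
The background sequence described in the reply above, written out as an added example (not n8n's own code and not part of the thread). The `send` and `refresh` functions, the fake endpoints, and all token and path values are constructed stand-ins so the flow runs offline.

```javascript
// Added illustration of the stored-token sequence; not n8n's implementation.
// `send` and `refresh` are hypothetical injected functions (assumptions).
class ReauthRequired extends Error {}

// send(request, accessToken) -> { status, body }   e.g. a Microsoft Graph call
// refresh(refreshToken) -> { ok, access_token, refresh_token?, error? }
async function requestWithStoredTokens(creds, request, send, refresh) {
  // 1. Use the stored access token for the request.
  const first = await send(request, creds.accessToken);
  // Only 401 means the token was rejected; a 403 is a permission problem a refresh cannot fix.
  if (first.status !== 401) return first;

  // 2. Access token rejected: use the stored refresh token to get a new one.
  const tok = await refresh(creds.refreshToken);
  // 3. Refresh token expired or revoked: fail and require re-authentication.
  if (!tok.ok) throw new ReauthRequired(tok.error || 'refresh failed');
  creds.accessToken = tok.access_token;
  // The token endpoint may also hand back an updated refresh token; keep the newest.
  if (tok.refresh_token) creds.refreshToken = tok.refresh_token;

  // 4. Re-attempt the request once with the new access token.
  return send(request, creds.accessToken);
}

// Constructed stand-ins for the API and the token endpoint (sample data, not real responses).
function fakeGraph(validToken, allowedPaths) {
  return async (request, token) => {
    if (token !== validToken) return { status: 401, body: 'InvalidAuthenticationToken' };
    if (!allowedPaths.includes(request.path)) return { status: 403, body: 'accessDenied' };
    return { status: 200, body: ['report.xlsx'] };
  };
}
function fakeTokenEndpoint(validRefresh, newAccess, newRefresh) {
  return async (rt) => (rt === validRefresh
    ? { ok: true, access_token: newAccess, refresh_token: newRefresh }
    : { ok: false, error: 'invalid_grant' });
}

async function demo() {
  const folder = '/drives/DRIVE_ID/items/FOLDER_ID/children'; // placeholder ids
  const graph = fakeGraph('AT2', [folder]);
  const creds = { accessToken: 'AT1-expired', refreshToken: 'RT1' };
  const ok = await requestWithStoredTokens(creds, { path: folder }, graph, fakeTokenEndpoint('RT1', 'AT2', 'RT2'));
  const denied = await requestWithStoredTokens(creds, { path: '/sites/OTHER_SITE' }, graph, fakeTokenEndpoint('RT2', 'AT3', 'RT3'));
  return { ok: ok.status, denied: denied.status, creds };
}
demo().then((r) => console.log(r));
```

In this sketch a 403 is returned to the caller without touching the tokens, so a missing permission on the folder shows up as 403 rather than as a re-authentication prompt.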