403 Client Error

[xibriz]

Trying to authenticate with a self signed certificate. This code works fine:

site_url = "https://[tenant].sharepoint.com/"
cert_settings = {
    'client_id': 'id',
    'thumbprint': "thumbprint",
    'certificate_path': '/path/to/certandkey.pem'
}

ctx = ClientContext(site_url).with_client_certificate("tenant",
                                                    cert_settings['client_id'],
                                                    cert_settings['thumbprint'],
                                                    cert_settings['certificate_path'])

web = ctx.web
ctx.load(web)
ctx.execute_query()

print(web.properties['Url'])

But if I change the site_url to https://[tenant].sharepoint.com/sites/MySite I get the following error:

Traceback (most recent call last):
  File ".../lib/python3.6/site-packages/office365/runtime/client_request.py", line 75, in execute_query
    response.raise_for_status()
  File ".../lib/python3.6/site-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://[tenant].sharepoint.com/sites/MySite/_api/Web

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "sharepoint.py", line 113, in <module>
    ctx.execute_query()
  File ".../lib/python3.6/site-packages/office365/runtime/client_runtime_context.py", line 138, in execute_query
    self.pending_request().execute_query()
  File ".../lib/python3.6/site-packages/office365/runtime/client_request.py", line 79, in execute_query
    raise ClientRequestException(*e.args, response=e.response)
office365.runtime.client_request_exception.ClientRequestException: ('-2147024891, System.UnauthorizedAccessException', 'Access denied. You do not have permission to perform this action or access this resource.', '403 Client Error: Forbidden for url: https://[tenant].sharepoint.com/sites/MySite/_api/Web')

What do I not understand? How is it I can access the SharePoint root, but not any sites?

The setup is the same as in #314 , I only added the cert in addition to the client secret.

[mateustanaka]

I'm facing the same issue, have you fix it @xibriz ?

[greatvovan]

I am having the same problem that I can access the root site, but not any other site, however my error message is different:

ValueError: {'error': 'invalid_resource', 'error_description': 'AADSTS500011: The resource principal named https://my-company.sharepoint.com/sites/mysite was not found in the tenant named My Company Limited. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: e8bbbe6c-f5ef-4d6a-8635-0848184e1801\r\nCorrelation ID: f6a57e34-886a-4247-8a4e-194f098876ed\r\nTimestamp: 2022-05-12 02:26:44Z', 'error_codes': [500011], 'timestamp': '2022-05-12 02:26:44Z', 'trace_id': 'e8bbbe6c-f5ef-4d6a-8635-0848184e1801', 'correlation_id': 'f6a57e34-886a-4247-8a4e-194f098876ed', 'error_uri': 'https://login.microsoftonline.com/error?code=500011'}

My code is also pretty much the same as the one by the original poster. More details: https://stackoverflow.com/q/72210088/947012

[sanjosh]

I am having same problem

[Rajadeepanm]

I am having same error. Does anyone have answer to 403 Client error?

[sanjosh]

I used the msal library for Auth https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview

Then used the Graph API directly for file operations That works

Step 1 : get site_id given name

    hostname = '<yoursite>.sharepoint.com'
    sitename = 'testme'
    resp = requests.get( f'https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{sitename}:/',
        headers=headers,
    ).json()

Step 2. Enumerate the Drives under the given SharePoint site

resp = requests.get( f'https://graph.microsoft.com/v1.0/sites/{site_id}/drives/',
        headers=headers,
    ).json()

See

https://docs.microsoft.com/en-us/graph/api/resources/onedrive?view=graph-rest-1.0 https://docs.microsoft.com/en-us/graph/api/driveitem-get-content?view=graph-rest-1.0&tabs=http

[greatvovan]

So you are not using Office365-REST-Python-Client, right?

[sanjosh]

So you are not using Office365-REST-Python-Client, right?

No, but I would prefer to use it. Its a simpler API

[xibriz]

I abandoned this and are using credentials.

client_credentials = ClientCredential(client_id, client_secret)
ctx = ClientContext(sharepoint_site).with_credentials(client_credentials)

[jalvarezabbott]

hostname = '.sharepoint.com' sitename = 'testme' resp = requests.get( f'https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{sitename}:/', headers=headers, ).json()

@sanjosh Do you have your access token in your headers? I'm trying to do similar to what you are using and I can authenticate successfully with msal package. After I access token I try to download excel file by passing this to requests.get but no luck

Any advice?

head = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36','Authorization': 'token {}'.format(access_token['access_token'])} response = requests.get("https://[tenant].sharepoint.com/teams/USA-AN-CHIP/Shared%20Documents/Costco/COSTCO_INPUT.xlsx", headers=head,stream=True,allow_redirects=True,timeout=90) print(response)

[sanjosh]

hostname = '.sharepoint.com' sitename = 'testme' resp = requests.get( f'https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{sitename}:/', headers=headers, ).json()

@sanjosh Do you have your access token in your headers? I'm trying to do similar to what you are using and I can authenticate successfully with msal package. After I access token I try to download excel file by passing this to requests.get but no luck

Any advice?

head = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36','Authorization': 'token {}'.format(access_token['access_token'])} response = requests.get("https://[tenant].sharepoint.com/teams/USA-AN-CHIP/Shared%20Documents/Costco/COSTCO_INPUT.xlsx", headers=head,stream=True,allow_redirects=True,timeout=90) print(response)

Yes, access token in headers

headers = dict(Authorization="Bearer " + mytoken)

[jalvarezabbott]

hostname = '.sharepoint.com' sitename = 'testme' resp = requests.get( f'https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{sitename}:/', headers=headers, ).json()

@sanjosh Do you have your access token in your headers? I'm trying to do similar to what you are using and I can authenticate successfully with msal package. After I access token I try to download excel file by passing this to requests.get but no luck Any advice? head = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36','Authorization': 'token {}'.format(access_token['access_token'])} response = requests.get("https://[tenant].sharepoint.com/teams/USA-AN-CHIP/Shared%20Documents/Costco/COSTCO_INPUT.xlsx", headers=head,stream=True,allow_redirects=True,timeout=90) print(response)

Yes, access token in headers

headers = dict(Authorization="Bearer " + mytoken)

Thanks @sanjosh !! Between you mentioning the requests method and this link https://keathmilligan.net/automate-your-work-with-msgraph-and-python, I was able to connect, download and upload files to sharepoint via Microsoft Graph API!

[vgrem]

This issue appears to be similar to this one. It has been addressed and the error should not longer occur in 2.3.14 version or above.