Sharepoint - SharePoint Online REST API Authentication In POSTMAN

Answering my own question in case it helps somebody.

As mentioned in the comment by @SharePointer, you need to register an app in Azure AD in order to authenticate against it. The app you register needs to be given permissions to your SharePoint Online.

Log in to the Azure Portal at https://portal.azure.com that is used by the O365 tenant where you want to access the SharePoint site.

  • Navigate to Azure AD.
  • Find "App Registrations" in the menu.

  • Select "New App Registration".

  • Give it a name like SPO or POSTMAN.
  • Set the Application Type to "Web app / API" and the Sign-on URL to https://www.getpostman.com/oauth2/callback

Once it is registered note the Application ID and copy it to notepad.

  • Go to Required Permissions in the application you just registered.
  • Under 1 Select an API, choose SharePoint Online.
  • Then under 2 Select Permissions, choose "Have full control of all site collections".

Now choose KEYS blade and add a key. The key only shows once when you save it. Copy it to notepad.

  • Go to POSTMAN app on your desktop.
  • Create a new request. For example, https://mytenantname.sharepoint.com/sites/mysitecollection/_api/web/lists
  • Set a header of "Accept: application/json; odata=verbose"

  • Go to the Authorization tab in POSTMAN.

  • Select Oauth 2.0 from the dropdown and press the Get New Access Token.

Fill out the fields in that dialog like below:

Auth URL :           https://login.microsoftonline.com/common/oauth2/authorize?resource=https://mytenantname.sharepoint.com  
Access Token URL :   https://login.microsoftonline.com/common/oauth2/token  
Client ID :          <Application_ID>  
Client Secret :      <KEY>  
Grant Type :         Authorization Code

Click Request Token button.

At this point you should log in with an admin user. You will also be asked to allow the permissions you set on the Application in Azure AD. This is why you need to log in with an Admin account. Accept the permissions request when asked.

The token is returned. Copy it to notepad and then click the "Use Token" button. This fills in the token to the correct place in POSTMAN.

Now send your request and you should get a successful response with the JSON list of lists.

[EDIT]
In addition to above I have found that I need to create a certificate in order to authenticate. Just registering the app and giving permissions was not enough.

To do this check out the makecert command in a Visual Studio Developer command prompt. Example below:

    makecert -r -pe -n "CN=POSTMAN-TEST" -b 12/15/2014 -e 12/15/2016 -ss POSTMAN-TEST -len 2048

  • Then go to mmc.exe and the Personal folder in the Certificates snap-in.
  • Export the cert you created with the command above to a .CER file.
  • Then go to Azure Portal and your registered app that you did above.
  • Download the manifest file.
  • Replace the section for the key credentials in the manifest file and upload it back to the app registration in Azure.

For example, put the values from your CER file into this section:

    "keyCredentials": [
    {
      "customKeyIdentifier": "$base64Thumbprint_from_above",
      "keyId": "$keyid_from_above",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value":  "$base64Value_from_above"
     }
    ],
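Added example (not part of the answer above, and not the PowerShell the `$..._from_above` placeholders refer to): a Python script that derives the three keyCredentials values from an exported certificate, so the manifest fragment is not filled in by guesswork. `customKeyIdentifier` is the base64 (not hex) of the certificate's SHA-1 thumbprint, i.e. the hash of the whole DER blob; `keyId` is a fresh GUID; `value` is the base64 of the DER blob. It accepts either a base64 (PEM) or binary .CER file; the embedded sample is a constructed byte string, not a real certificate, so the script runs offline.

```python
import base64
import hashlib
import json
import sys
import uuid
from typing import Optional


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = [ln.strip() for ln in pem.strip().splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def load_certificate(path: str) -> bytes:
    """Return DER bytes whether the exported .CER is base64 (PEM) or binary."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(raw.decode("ascii"))
    return raw


def key_credential(der: bytes, key_id: Optional[str] = None) -> dict:
    """One entry for the manifest's keyCredentials array.

    Azure AD matches an incoming client assertion against customKeyIdentifier,
    which is the SHA-1 hash of the whole DER blob (the thumbprint shown in the
    Windows certificate store), base64-encoded rather than hex.
    """
    thumbprint = hashlib.sha1(der).digest()
    return {
        "customKeyIdentifier": base64.b64encode(thumbprint).decode("ascii"),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode("ascii"),
    }


def verify_credential(cred: dict, der: bytes) -> bool:
    """Re-derive thumbprint and value from the DER and compare, to catch a
    manifest edited by hand with a stale or mistyped thumbprint."""
    expected = key_credential(der, cred.get("keyId"))
    return (cred.get("customKeyIdentifier") == expected["customKeyIdentifier"]
            and cred.get("value") == expected["value"]
            and cred.get("type") == "AsymmetricX509Cert"
            and cred.get("usage") == "Verify")


def manifest_fragment(der: bytes, key_id: Optional[str] = None) -> str:
    """The JSON to paste over the keyCredentials section of the manifest."""
    return json.dumps({"keyCredentials": [key_credential(der, key_id)]}, indent=2)


# Constructed stand-in so the script runs offline; it is NOT a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # usage: python keycred.py POSTMAN-TEST.cer   (falls back to the sample)
    der = load_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DER
    print(manifest_fragment(der))
```

Run it against the .CER exported from mmc and paste the printed object in place of the existing keyCredentials entry before uploading the manifest; `verify_credential` is there for the reverse direction, checking a manifest you downloaded against the certificate you hold.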

Just adding this here since the Azure Portal is slightly different now.

  1. Login to Azure Portal at https://portal.azure.com for your O365 Tenant
  2. Either use the Search at the top of the page for App registrations or Select All Services > Scroll down to Identity and Select App registrations
  3. Select New Registration
  4. Give it a name, change the account type to whichever you prefer; in this case I just used Accounts in this organizational directory only
  5. (Optional) Enter in a Redirect URL - I used : https://login.microsoftonline.com/common/oauth2/nativeclient
  6. Select Register
  7. On Overview blade copy the Application (client) ID
  8. Select the Certificates & Secrets blade
  9. Select New client secret
  10. Give description and set expiry date if required and Select Add
  11. After selecting Add, make sure you copy the Value generated to your clipboard, otherwise you'll have to generate a new one.
  12. Set the permissions you require on the API permissions blade; here I just added Sharepoint - AllSites.Read
  13. You can now build your REST request

I've successfully achieved it using this tutorial.

Sharepoint configuration part

  1. Register a new app by

    • following the https://YourTenant.sharepoint.com/_layouts/15/appregnew.aspx link
    • generating **Client Id** and **Client Secret** values
    • filling the Title, App Domain and Redirect URI fields (I entered localhost.com as in the picture; it works)
    • clicking the Create button
  2. Save the following parameters somewhere in a file:

     The app identifier has been successfully created.
     Client Id:      898c898f-89238-43d0-4b2d-7a64c26f386a
     Client Secret:  4/T+21I1DSoAJdOX9DL1Ne4KssEaP7rqb11gdtskhXn=
     Title:          SomeTitle
     App Domain:     localhost.com
     Redirect URI:   https://localhost.com/default.aspx
    
  3. Apply permissions to this app by

    • following https://YourTenant.sharepoint.com/sites/SharePointRND/_layouts/15/appinv.aspx

    • inserting Client Id: 898c898f-89238-43d0-4b2d-7a64c26f386a into App Id field

    • clicking Lookup button

    • pasting the following code into Permission Request XML (in my case I needed only Read access, so I changed the Right value from FullControl to Read):

        <AppPermissionRequests AllowAppOnlyPolicy="true">
          <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
        </AppPermissionRequests>
      
    • clicking the Create button at the bottom

    • clicking the Trust It button

Postman configuration part

  1. Open Postman and create a GET request

    • with a URI like:

        https://YourTenant.sharepoint.com/_vti_bin/client.svc/
      
    • with the header:

        KEY               VALUE
        Authorization     Bearer
      

You'll get an error which you should ignore:

    <?xml version="1.0" encoding="utf-8"?>
    <m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
        <m:code>-2147024891, System.UnauthorizedAccessException</m:code>
        <m:message xml:lang="en-US">Access denied. You do not have permission to perform this action or access this resource.</m:message>
    </m:error>
  2. Go to the response's Headers tab and click the WWW-Authenticate key's value

  3. Copy and save these parameters:

     Bearer realm="a998899-ad83-234a-af83-8238af989898" #SharePoint Online Tenant Id
     client_id="00000003-0000-0ff1-ce00-000000000000"   #Resource information value
    

  4. Open a new Postman tab and create a new POST request by
    • selecting POST request type

    • pasting URI: https://accounts.accesscontrol.windows.net/"Bearer realm value without double quotes here"/tokens/OAuth/2

    • adding header (on Headers tab):

        KEY               VALUE
        Content-Type      application/x-www-form-urlencoded
      
    • adding body key/value parameters (on Body tab):

        KEY               VALUE
        grant_type        client_credentials
        client_id         ClientID or AppId value@Bearer realm value
        client_secret     ClientSecret value
        resource          resource/YourTenant.sharepoint.com@Bearer realm value
      
        KEY               VALUE
        grant_type        client_credentials
        client_id         898c898f-89238-43d0-4b2d-7a64c26f386a@a998899-ad83-234a-af83-8238af989898
        client_secret     4/T+21I1DSoAJdOX9DL1Ne4KssEaP7rqb11gdtskhXn=
        resource          00000003-0000-0ff1-ce00-000000000000/contoso.sharepoint.com@a998899-ad83-234a-af83-8238af989898
      

  5. Click the Send button and copy your access_token from the response's Body tab.

  6. Open a new Postman tab and create a new GET request by

    • pasting URI: https://YourTenant.sharepoint.com/_api/web

    • adding headers on Headers tab:

        KEY            VALUE
        Authorization  Bearer eyJ0eXAiOiJKV1Q-verylongstring-0GFpSYw
        Accept         application/json;odata=verbose
      
  7. Execute this request and get results:

More automated and simpler results retrieving method using bash & curl (Linux)
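Added example, not part of this answer and not the bash & curl section it announces: a Python (standard library only) equivalent of the Postman steps above, showing the three pieces Postman hides. It parses the WWW-Authenticate challenge for the realm (tenant ID) and the SharePoint principal, assembles the `client_id@realm` and `principal/host@realm` forms of the client-credentials body, and sanity-checks the returned JWT's `aud` and `exp` before sending it to `_api/web`. The sample challenge reuses the GUIDs from the answer; the token used offline is constructed and unsigned (real ACS tokens are signed and SharePoint verifies that signature; the local check only catches a wrong resource or an expired token before you hit a 401). Tenant host, client ID and secret are placeholders.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional

# SharePoint Online's principal ID, as returned in the WWW-Authenticate challenge.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"


def parse_www_authenticate(header: str) -> Dict[str, str]:
    """Turn 'Bearer realm="...",client_id="..."' into a dict of unquoted values.
    Extra fields the real challenge carries (e.g. trusted_issuers) are kept too."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unexpected scheme {scheme!r}")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def token_request_body(client_id: str, client_secret: str, realm: str,
                       host: str, principal: str = SHAREPOINT_PRINCIPAL) -> Dict[str, str]:
    """Form body for the ACS client_credentials POST; client and resource both carry @realm."""
    return {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "resource": f"{principal}/{host}@{realm}",
    }


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload only; the signature is deliberately NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(token: str, host: str, realm: str,
                    now: Optional[float] = None) -> bool:
    """Pre-flight check: aud must be principal/host@realm and exp in the future."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return (claims.get("aud") == f"{SHAREPOINT_PRINCIPAL}/{host}@{realm}"
            and float(claims.get("exp", 0)) > now)


def discover_realm(host: str) -> Dict[str, str]:
    """Steps 1-3 above: a bare 'Bearer' header makes SharePoint answer 401 with the challenge."""
    req = urllib.request.Request(f"https://{host}/_vti_bin/client.svc/",
                                 headers={"Authorization": "Bearer"})
    try:
        urllib.request.urlopen(req)
    except urllib.error.HTTPError as err:  # the expected 401
        return parse_www_authenticate(err.headers["WWW-Authenticate"])
    raise RuntimeError("expected a 401 challenge from SharePoint")


def fetch_token(client_id: str, client_secret: str, realm: str, host: str) -> str:
    """Step 4-5: POST the form to ACS and return access_token."""
    data = urllib.parse.urlencode(token_request_body(client_id, client_secret, realm, host)).encode()
    req = urllib.request.Request(ACS_TOKEN_URL.format(realm=realm), data=data,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_web(host: str, token: str) -> dict:
    """Step 6-7: call _api/web with the bearer token."""
    req = urllib.request.Request(f"https://{host}/_api/web", headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json;odata=verbose"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only; ACS tokens are signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample challenge using the answer's own values.
SAMPLE_CHALLENGE = ('Bearer realm="a998899-ad83-234a-af83-8238af989898",'
                    'client_id="00000003-0000-0ff1-ce00-000000000000"')

if __name__ == "__main__":
    # Offline demo; replace with discover_realm/fetch_token/get_web against a real tenant.
    ch = parse_www_authenticate(SAMPLE_CHALLENGE)
    print(token_request_body("898c898f-89238-43d0-4b2d-7a64c26f386a", "<secret>",
                             ch["realm"], "contoso.sharepoint.com"))
```

Online, the sequence is `ch = discover_realm(host)`, `tok = fetch_token(cid, secret, ch["realm"], host)`, `assert token_is_usable(tok, host, ch["realm"])`, then `get_web(host, tok)`. The app-only token obtained this way carries whatever `Right` you granted in appinv.aspx, so keep the secret out of the request collection you share.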