Connecting to PWA via Rest from separate web application RRS feed

  • Pertanyaan

  • We have a PWA set up, and a separate ASP.Net app. PWA provides a data over rest by this link:


    I can click on a link, and if I was logged in into PWA before, I am able to see the data in my browser.

    Now I want to be able to get the same data in our ASP.Net app. Please do mind that ASP.Net app is a normal app and not a Sharepoint-addin

    // var endpointUrl = 'https://<companySite>';
    var endpointUrl = 'https://<companySite>$select=ProjectName';
    var xhr = new XMLHttpRequest();"GET", endpointUrl);
    // The APIs require an OAuth access token in the Authorization header, formatted like this: 'Authorization: Bearer <token>'. 
    xhr.setRequestHeader("Authorization", "Bearer " + token);
    xhr.setRequestHeader("Accept", "application/json");
    $("#header").html("Requesting: " + endpointUrl);
    // Process the response from the API.  
    xhr.onload = function () {
      if (xhr.status == 200) {
         var formattedResponse = JSON.stringify(JSON.parse(xhr.response), undefined, 2);
               $("#results").html("<pre>" + formattedResponse + "</pre>");
             } else {
               $("#results").html("HTTP " + xhr.status + "<br>" + xhr.response);
       // Make request.

    This code returns:

    {"odata.error":{"code":"20010, Microsoft.ProjectServer.PJClientCallableException","message":{"lang":"en-US","value":"GeneralSecurityAccessDenied"}}} 

    But when I try the same code with the link


    , it is able to return the data. Because of that I assume that everything is set up correctly, and I'm just missing some permission in PWA or some restriction. Also I assume I retrieve the token properly, as it allows me to access the lists.

    This is javascript, but I've also tried doing the same from C# code and a few other ways I found only. All use Bearer Token and all return the same error.

    Jumat, 27 Januari 2017 08.54

Semua Balasan

  • Iurii,

        The error you are getting is an application level error from Project Online, i.e. an AUthorization error rather than an Authentication error.  The bearer token you use to query Project Online needs to have come from a user identity that has Portfolio Viewer (or better)/Reporting global permission rights inside Project Online.  Project Managers don't by default get this access.

    Also be careful of CORS hangups - be aware the Project Online doesn't support CORS, and commonly we use the SPRequestExecutor pattern to get around this.



    James Boman BSc. MCP:EAD

    Kamis, 02 Februari 2017 23.23
  • Hi James,

    Thanks for your reply.

    I've asked our IT to assign me Portfolio Viewer role, but it didn't do any effect.

    I also tried to use SPRequestExecutor, but I receive -1007 error always when I do this.

    I'm not really sure that I'm using SPRequestExecutor correctly. Can I use it if my app is not a sharepoint add-in?

    I'm getting a script like that:

    $.getScript('https://<companyName>', execCrossDomainRequest);

    Then I'm using SP.RequestExecutor like this:

    var endpointUrl = "https://<companyName>$select=ProjectName";
     var executor = new SP.RequestExecutor("https://<companyName>");
                    url: endpointUrl,

    Do these urls and such usage seem correct to you?

    Please note that our app is not hosted on "https://<companyName>". Right now I am actually testing it locally, so it's url is "http://localhost:<portname>"

    Best Regards,


    • Diedit oleh Iurii Gazin Senin, 06 Februari 2017 14.17
    Senin, 06 Februari 2017 14.16
  • Hello,

    Is there any solution for this?


    Senin, 09 Juli 2018 14.27
  • There are two big problems with this approach:

    1. Authentication.  You need the rtFa and Fedauth cookie headers from a real user with Portfolio Viewer or above access.
    2. CORS: Even if you manage to pull off this feat, if you are coming from a different domain the browser preflight check will stop a successful query because of cross-domain issues.

    Possible solutions to this problem include:

    1. Put your HTML page in a document library in PWA with an ASPX extension.  The javascript will run as the user that hits it.
    2. Use server-side code to authenticate as a real user, or an App+User token (Provider hosted Add-In).
    3. Use JavaScript with the request executor pattern to get around the CORS problems in a SharePoint or Provider hosted Add-In.  Not sure SP.RequestExecutor works outside the scope of a SharePoint Add-In.  All the normal caveats/complexity of dealing with Add-Ins apply.

    James Boman BSc. MCP:EAD

    Selasa, 10 Juli 2018 07.31