sharepoint online – Connect-PnPOnline with the help of ClientId and a self-signed certificate

Does anyone know how Connect-PnPOnline Using Azure AD APP permissions and a self-signed certificate?


  • Generated a self-signed certificate. Registered password
  • Registered an Azure application. Downloaded a certificate on the application
  • Application permissions granted to the application
  • Agreement of the administrator

enter the description of the image here

Now, I'm trying to connect-PnPOnline using the script below:

    $certificatePassword = 'CERTIFICATE_PASSWORD'
    $secureCertificatePass = ConvertTo-SecureString -String $certificatePassword -AsPlainText -Force

    Connect-PnPOnline `
        -CertificatePath "C:...DeploymentApp.pfx" `
        -Tenant `
        -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `
        -Url `
        -CertificatePassword $secureCertificatePass `

I receive a useless error:

Connect-PnPOnline: an exception was issued by the target of a
invocation. On line: 5 characters: 1
+ Connect-PnPOnline `
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) (Connect-PnPOnline), TargetInvocationException
+ FullyQualifiedErrorId: System.Reflection.TargetInvocationException, SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Using the latest PowerShell PnP module: SharePointPnPPowerShellOnline 3.13.1909.0

Can any one recommend anything, please?


Found problem related with no resolution yet.


You can try to easily reproduce my case:

  • Get these scripts on your local folder.
  • Install Azure CLI on Windows.
  • Right-click Register_AD_App.bat and "Run As Administrator".
  • You will be prompted to enter an administrator account for your Azure AD / Office 365.
  • In the end, the application will be saved, consent being granted to the permissions of the SharePoint API.
  • The o365AppDetails.json file containing an automatically generated certificate password will be created. You can use this password for the script of the -CertificatePassword param of the Connect-PnPOnline commandlet.

enter the description of the image here

Are Google Analytics sessions broken when tracking UserID and ClientID credentials in subdomains that might not send this data?

I have a domain name with three subdomains.
One where one user is authenticated and two where they are not.

I plan to implement tracking user credentials for Google Analytics instead of standard tracking of ClientID credentials to improve our cross-device tracking.

Something I did not understand when reading the Google Analytics documentation is whether sessions will be interrupted when moving between subdomains if all three use the same account and the same Google Analytics property, but One passes through the user ID and the others do not?

authentication – How to correctly store OAuth 2.0 client_id and client_secret in a Web application?

In the PoC (Proof of Concept) under development, data from an API are used and OAuth 2.0 is required for authentication. The application is already working as expected, users can access the API data with the help of OAuth.

My concern is how to properly store the client's own client_id and client_secret correctly. The application is built with Python 3 + Flask. There is currently a JSON file on the server that stores the plain text credentials:



There is a method that reads the JSON file during execution and stores the tokens in variables:

# Get OAuth 2.0 tokens from a JSON file
with open (& # 39; tokens.json & # 39 ;, encoding = & # 39; utf-8 & # 39;) as tokens_file:
oauth_tokens_from_json = json.loads ( ())

client_token = oauth_tokens_from_json["CLIENT_SECRET"]
client_id = oauth_tokens_from_json["CLIENT_ID"]

I am pretty sure that this is not the way to go and I have not found any specific information for a similar scenario.

oauth2 – How to get client_id with the matching secret, but redirect_uri is added to the whitelist as a requirement. Is it still safe?

If you get a client_id Oauth2 with a matching secret, you can theoretically borrow the identity of the target website as follows:

  1. You lure the user on ᴜʀʟ.
  2. By the client_id and the corresponding Oauth2 secret, you connect the background to it.
    The Oauth2 system redirects to the Oauth2 provider from the first web page, then the Oauth2 provider redirects to the redirect_uri parameter (which usually redirects to the website that initiated the connection).
    The process defines a session cookie that is used both for authentication on the website and for interaction with the Oauth2 provider API.
    Depending on the situation, if the user is already logged on both the actual website and the Oauth2 provider, he can login to the attacker's website without having to enter any identifying information or click on anything. So it works silently as an xss attack from the point of view of the user.
  3. Because the user trusts the actual website with the stolen Oauth2 credentials, he has given the site permissions allowing him to access the Oauth2 provider's data. But since the attacker can technically borrow the identity of the target website via a session cookie, he can reuse the trusted permission on the scope parameter.

But in my case, the provider Oauth2 requires the creation of a secure white list for theredirect_uriparameter, so it is impossible to redirect directly.

Taking advantage of a full open redirect on the actual website can lead to a real threat, I wonder if things stay safe until this second vulnerability is taken advantage of according to RFC6749 specification.