Reputation: 2013
I am trying to integrate with the Office365 API through JavaScript with adal.js and jQuery (OAuth implicit flow), but I am having issues trying to create a calendar event for my user. My existing code works fine when retrieving emails and calendar events, but when I try to create a calendar event, I consistently get a "403 - Forbidden" response.
The code is live and working at http://oauth.idippedut.dk/oauth.html. I am accessing the Office 365 API endpoint at https://outlook.office.com/api/v2.0/me/events.
My configuration for "Delegated permissions" on the app in our Office365/Azure tenant Active Directory is this:
The configuration for "Application permissions" on the app in our Office365/Azure tenant Active Directory is this:
The jQuery request is this:
var event = {
    "Subject": "Discuss the Calendar REST API",
    "Body": {
        "ContentType": "HTML",
        "Content": "I think it will meet our requirements!"
    },
    "Start": {
        "DateTime": "2016-01-21T18:00:00",
        "TimeZone": "Pacific Standard Time"
    },
    "End": {
        "DateTime": "2016-01-21T19:00:00",
        "TimeZone": "Pacific Standard Time"
    },
    "Attendees": [
        {
            "EmailAddress": {
                "Address": "[email protected]",
                "Name": "Janet Schorr"
            },
            "Type": "Required"
        }
    ]
};

// Create calendar events
jQuery.ajax({
    type: 'POST',
    url: postCalenderEndpoint,
    data: JSON.stringify(event),
    contentType: "application/json",
    headers: {
        'Accept': 'application/json',
        'Authorization': 'Bearer ' + token
    }
}).done(function (data) {
    //alert(JSON.stringify(data));
}).fail(function (err) {
    jQuery("#loginMessage").text('Error calling REST endpoint: ' + err.statusText + '\n' + err.responseText);
});
The configuration of jQuery is this:
var resource = 'https://outlook.office.com';
var postCalenderEndpoint = 'https://outlook.office.com/api/v2.0/me/events';
var clientID = '28a707a5-0f11-4d93-8b88-6a918544da14';
var tenantName = '365projectum.onmicrosoft.com';

var authContext = new AuthenticationContext({
    instance: 'https://login.microsoftonline.com/',
    tenant: tenantName,
    clientId: clientID,
    postLogoutRedirectUri: window.location.origin,
    cacheLocation: 'localStorage'
});
And the resulting HTTP-request is this:
Host: outlook.office.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Authorization: Bearer <my token>
Referer: http://oauth.idippedut.dk/oauth.html
Content-Length: 386
Origin: http://oauth.idippedut.dk
Connection: keep-alive
{"Subject":"Discuss the Calendar REST API","Body":{"ContentType":"HTML","Content":"I think it will meet our requirements!"},"Start":{"DateTime":"2016-01-21T18:00:00","TimeZone":"Pacific Standard Time"},"End":{"DateTime":"2016-01-21T19:00:00","TimeZone":"Pacific Standard Time"},"Attendees":[{"EmailAddress":{"Address":"[email protected]","Name":"Janet Schorr"},"Type":"Required"}]}
I am really puzzled as to why I get the 403, since everything should be set up correctly.
Any help will be greatly appreciated :-)
/Jesper
Upvotes: 5
Views: 2659
Reputation: 179
Did you originally register the application requesting the permission "Read user and shared calendars", and then later add the permission "Have full access to user calendars"? If yes, you might be in the situation where users have consented to the former permission, and since that consent is in place they are never further asked to consent to the new permission you added. That would explain why your app can read, but can't write.
You would only be in this situation with users who consented BEFORE you added the new permission, and only if users were in fact consenting. Users would not have to consent if you registered the app as an admin, and were signing in with users in the same tenant as the admin. Users WOULD have to consent if you registered the app as an ordinary user, or if the app is a multi-tenant app.
If either of the two are the case, the simple way to see if this is the problem is to try using the app as a brand new user who hasn't consented before. This new user would consent to all the permissions requested by the app. Note that if this is an admin-consent app, then you'll need a net new tenant to consent.
If this DOES solve the problem, then you need to get your existing users to go through a step where you send a new OAuth authorize request using the prompt=consent parameter, to get them to consent again.
Upvotes: 0
Reputation: 1704
You configured delegated permissions for Microsoft Graph, but call the Outlook endpoint. You need to do either of:
1. Change your app configuration to have delegated permissions for Outlook/Office 365 Exchange Online.
2. Change your app to use the Microsoft Graph endpoint (graph.microsoft.com), i.e. https://graph.microsoft.com/v1.0/me/events, and keep the current app configuration.
Upvotes: 2
Reputation: 145
Try "https://graph.microsoft.com" as the resource to get the (right) token.
Best regards,
AJ
Upvotes: 1