Andy T

Reputation: 9881

Validate Exchange oAuth token

I am trying to validate an oAuth token that my server-side code is receiving.

The server-side code is using the Exchange Managed API and the token that is being sent was retrieved by my add-in from Exchange using the Office.context.mailbox.getUserIdentityTokenAsync(callback) method in the Outlook API.

I am running into an issue when I call the token.Validate(uri) method:

var token = (AppIdentityToken)AuthToken.Parse(rawToken);
token.Validate(new Uri(hostUri));

According to the documentation:

hostUri: The fully qualified URI to the page in your Outlook add-in that called getUserIdentityTokenAsync.

To get the hostUri from within the page in the add-in, I use:

var hostUri = location.href.split('?')[0];

However, using that provided URI causes an error when trying to validate the token:

(screenshot: error message)

I am confused as to why it would be using the URI of where the add-in is located instead of using the public key of the Identity Provider that issued the token (i.e. Exchange).

Upvotes: 0

Views: 492

Answers (1)

Fei Xue

Reputation: 14649

The EWS token validation library does validate the signature of the token via the public key.

The host Uri is used to validate the aud claim in the id_token, to verify that this token was passed from your application instead of another application.

Please ensure that the Uri matches the host page; you can parse the id_token through jwt.io to see the real Uri (aud) in the token.

Upvotes: 1
