Reputation: 33
I am trying to build an Android app using EWS-java-api to fetch EWS data with an OAuth2 token for Office 365 users, using the Active Directory Authentication Library for Android, similar to what is shown in this article for .NET. Below is the code:
```java
// Code to acquire a token after registering the native application in Azure Active Directory.
// The angle-bracket placeholders are values taken from the Azure portal.
authenticationContext.acquireToken(
        <activity context>,
        "<resource id: copied from the manifest file tag <resourceAppId> of Azure active directory after adding permission>",
        "<Application id of the registered app in AAD>",
        "<Application Redirect URI>",
        email,
        PromptBehavior.Always,
        "",
        AuthenticationCallback);

// In AuthenticationCallback.onSuccess we receive an AuthenticationResult containing the access token
// (stored in mAuthenticationResult) and then call an AsyncTask to fetch EWS data:
ExchangeService exchangeService = new ExchangeService();
exchangeService.setTraceEnabled(true);
// EWS-java-api has no OAuth credential type, so the bearer token is sent as a raw HTTP header.
exchangeService.getHttpHeaders().put("Authorization", "Bearer " + mAuthenticationResult.getAccessToken());
exchangeService.setUrl(URI.create("https://outlook.office365.com/EWS/Exchange.asmx"));
```
I am able to get the OAuth token, but I am not able to receive Exchange data; it gives me unauthorized and forbidden access when fetching data using the code below.
```java
// Bind to the signed-in user's Calendar folder, then query appointments in the given window.
CalendarFolder calendarFolder = CalendarFolder.bind(exchangeService, WellKnownFolderName.Calendar);
FindItemsResults<Appointment> findResults =
        calendarFolder.findAppointments(new CalendarView(startDate, endDate));
```
Also, I am not sure about the configuration I am setting up in the Azure portal. It would be great if you could tell me how to set up an Azure AD application for fetching EWS data via OAuth authentication on Android.
Edit:
Below are the claims of my access token. This is the JSON I am getting for the access token, and using this access token the error I am getting is 401 Unauthorized while accessing the calendar folder.
JSON (decoded header, then payload):
```json
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "RrQqu9rydBVRWmcocuXUb20HGRM",
  "kid": "RrQqu9rydBVRWmcocuXUb20HGRM"
}
```
```json
{
  "aud": "6ae5db95-0af3-45b6-afce-17851abc9d55",
  "iss": "https://sts.windows.net/06d03691-efd5-43c5-8ec9-81e57c75f63c/",
  "iat": 1480554267,
  "nbf": 1480554267,
  "exp": 1480558167,
  "acr": "1",
  "amr": [
    "pwd"
  ],
  "appid": "410db643-4efc-4dac-8e6f-bbf05da561e1",
  "appidacr": "0",
  "e_exp": 10800,
  "family_name": "Dhingra",
  "given_name": "Surbhi",
  "ipaddr": "112.110.19.113",
  "name": "Surbhi Dhingra",
  "oid": "52c73152-0add-4e68-8d60-54c03a35a4b9",
  "platf": "1",
  "scp": "user_impersonation",
  "sub": "hUaeKxiMI-m7nNNo2c5kMYd501Blw5QQ9SNPnP1Ei_c",
  "tid": "06d03691-efd5-43c5-8ec9-81e57c75f63c",
  "unique_name": "surbhi.dhingra@<onmicrosoft domain>.com",
  "upn": "surbhi.dhingra@<onmicrosoft domain>.com",
  "ver": "1.0"
}
```
Error logs:
```
microsoft.exchange.webservices.data.core.exception.service.remote.ServiceRequestException: The request failed. The request failed. The remote server returned an error: (401)Unauthorized
    at microsoft.exchange.webservices.data.core.request.SimpleServiceRequestBase.internalExecute(SimpleServiceRequestBase.java:74)
    at microsoft.exchange.webservices.data.core.request.MultiResponseServiceRequest.execute(MultiResponseServiceRequest.java:158)
    at microsoft.exchange.webservices.data.core.ExchangeService.bindToFolder(ExchangeService.java:504)
    at microsoft.exchange.webservices.data.core.ExchangeService.bindToFolder(ExchangeService.java:523)
    at microsoft.exchange.webservices.data.core.service.folder.CalendarFolder.bind(CalendarFolder.java:60)
    at microsoft.exchange.webservices.data.core.service.folder.CalendarFolder.bind(CalendarFolder.java:108)
```
Upvotes: 2
Views: 2787
Reputation: 12434
Thanks for providing your Access Token. The issue appears to be that you have acquired a token for the wrong audience (resource).
If you look at your token, you will see there is an "aud" claim which defines the resources that should accept your access token.
When calling Exchange, you should have a token for the resource: "https://outlook.office.com"
The token you have seems to be for a specific App ID, likely one of the apps you own in your own tenant.
Please check out the reference information here for the various Mail APIs we expose: https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations
And check our samples here: https://dev.office.com/code-samples#?filters=exchange,outlook
I hope this helps!
Upvotes: 1
Reputation: 24148
It seems that there is an answered SO thread, EWS error message: "403: Forbidden - Not enough scopes", which is similar to your issue.
Only Office 365 REST APIs support granular access such as "Read and write email from all mailboxes". For EWS, you need the permission "Use Exchange Web Services with full access to all mailboxes". Let us know if you have trouble finding this permission.
So you need to move to the CONFIGURE tab of your application in Azure AD on the Management portal, then add the Office 365 Exchange Online permission to your application and enable Use Exchange Web Services with full access to all mailboxes, and finally save your configuration. Please see the steps and figures below.
1. Add the Office 365 Exchange Online permission to your application.
2. Enable Use Exchange Web Services with full access to all mailboxes.
3. Save your configuration.
Upvotes: 1
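Both answers diagnose the 401/403 from the token itself: the first by reading the `aud` claim, the second by the permission the token carries. The script below is an added example, not code from the question or either answer, that performs that inspection before a token is handed to EWS. It only base64url-decodes the JWT payload (no signature check; that is Exchange's job) and reports why EWS would reject it. Assumptions: the accepted audiences are `https://outlook.office.com` (from the first answer) and `https://outlook.office365.com` (the host the question's EWS URL targets); the permission names `EWS.AccessAsUser.All` (delegated scope) and `full_access_as_app` (application role) are the ones the Exchange Online resource exposes for EWS. The sample tokens are constructed and unsigned; the first mirrors the claims in the question.

```python
"""Inspect an Azure AD access token and report why EWS would refuse it.

Added diagnostic, not code from the question or answers. Decodes the JWT
payload without verifying the signature and checks aud, scp/roles and exp.
"""
import base64
import json
import time
from typing import List, Optional

# Assumption: resource URIs whose tokens Exchange Online accepts for EWS.
EWS_AUDIENCES = {"https://outlook.office.com", "https://outlook.office365.com"}
# Assumption: delegated scope / application role names that permit EWS calls.
EWS_DELEGATED_SCOPES = {"EWS.AccessAsUser.All"}
EWS_APP_ROLES = {"full_access_as_app"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_token(token: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons EWS would answer 401/403 for this token (empty if none)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems: List[str] = []

    # aud may be a string or a list of strings; normalise to a set.
    aud = claims.get("aud")
    auds = {aud} if isinstance(aud, str) else set(aud or [])
    if not auds & EWS_AUDIENCES:
        problems.append(
            f"aud={sorted(auds)} is not an Exchange resource; acquire the token with "
            "resource='https://outlook.office.com' instead of an application id")

    # Delegated tokens carry space-separated scopes in scp; app tokens carry roles.
    scopes = set(str(claims.get("scp", "")).split())
    roles = set(claims.get("roles", []))
    if not (scopes & EWS_DELEGATED_SCOPES or roles & EWS_APP_ROLES):
        problems.append(
            f"scp={sorted(scopes)} roles={sorted(roles)} grant no EWS permission; "
            "add the Office 365 Exchange Online EWS permission to the app registration")

    exp = claims.get("exp")
    if exp is not None and now >= exp:
        problems.append(f"token expired at exp={exp}")
    return problems


def _unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for demonstration only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(payload)}."


# Constructed sample mirroring the question: aud is an app id, scope is user_impersonation.
WRONG_AUDIENCE_TOKEN = _unsigned_jwt({
    "aud": "6ae5db95-0af3-45b6-afce-17851abc9d55",
    "appid": "410db643-4efc-4dac-8e6f-bbf05da561e1",
    "scp": "user_impersonation",
    "exp": 1480558167,
})
# Constructed sample of a token EWS would accept (assumed claim values).
GOOD_TOKEN = _unsigned_jwt({
    "aud": "https://outlook.office.com",
    "scp": "EWS.AccessAsUser.All",
    "exp": 4102444800,  # far-future expiry for the demo
})

if __name__ == "__main__":
    for name, tok in [("question's token", WRONG_AUDIENCE_TOKEN), ("corrected token", GOOD_TOKEN)]:
        print(name, "->", check_ews_token(tok, now=1480554300) or "OK for EWS")
```

Run against the question's real token (paste it in place of the constructed sample), the first finding is the one the first answer gives: `aud` is an application id from the asker's own tenant, so `acquireToken` must be called with the Exchange resource URI rather than the value copied from the manifest. The second finding corresponds to the second answer's missing permission. Pass `now=` explicitly when examining a saved token so the expiry check reflects the time it was issued rather than the time you read it.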