I'm still struggling with this. Please see my previous question for details.
I am doing an application (currently command line) which should access Office 365/Exchange through EWS Managed API. The goal is to authenticate through OAuth2.
I have registered an application in Azure AD.
I have used the ClientID from there
I generated an App Secret / Key
I have delegated the "Have full access to a users' mailbox (preview)" permissions to the App.
I am using ADAL to retrieve the Access Token like this:
// Tenant-specific authority for the token endpoint
var authority = "https://login.windows.net/<tenant>";
var authContext = new AuthenticationContext(authority);
// Client credentials flow: the app authenticates with its own ID and key
var clientCredential = new ClientCredential("<clientId>", "<appKey>");
var result = authContext.AcquireToken("<my ResourceID>", clientCredential);
I do get an access token back. The decoded value is:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
"aud": "<my resource ID>",
"iss": "https://sts.windows.net/2d1f889d-7930-4ef6-9f87-ef096d91ac47/",
"nbf": 1403253608,
"exp": 1403296808,
"sub": "bdb0baf9-29ca-4a43-b9f8-d81ca2ae83bd",
"appid": "<my app ID>",
"oid": "bdb0baf9-29ca-4a43-b9f8-d81ca2ae83bd",
"tid": "2d1f889d-7930-4ef6-9f87-ef096d91ac47",
"idp": "https://sts.windows.net/2d1f889d-7930-4ef6-9f87-ef096d91ac47/"
}.
[signature]
I then use this token to connect to EWS:
var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
var credentials = new OAuthCredentials(token);
service.Credentials = credentials;
service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "<smtp address of o365 mailbox>");
Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);
The Folder.Bind fails with a 401 error.
In EWS Trace I can see this as the reason:
The audience claim value is invalid <my resource ID>
The resource ID is the "APP-ID-URI" from the registered application.
I'm sure I'm only missing a small detail... but I can't find it :)
Any pointers are much appreciated.
If I use https://outlook.office365.com/ as resource ID (aud), I get this error message:
ACS50001: Relying party with identifier 'https://outlook.office365.com/' was not found.
The Tenant does have an Exchange subscription, and it has full access to the mailbox.
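Since Exchange rejects the token on the audience claim before anything else, it helps to inspect the claims locally before presenting the token. The following is an added example (not code from the question or from ADAL/EWS): it decodes the compact JWT without verifying the signature and lists the reasons a resource server would reject it, using a constructed token built from the claims shown above; the aud and appid values are placeholders, and the expected audience is whatever resource identifier the service you call actually validates.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

def _b64url_encode(obj: Dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into header and payload WITHOUT signature verification.
    Local diagnosis only; the relying party (Exchange) performs the real check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_token_for_resource(token: str, expected_aud: str,
                             now: Optional[int] = None, skew: int = 300) -> List[str]:
    """Return the reasons a resource server would reject this token (empty list = claims look acceptable)."""
    _, claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"audience mismatch: token aud={aud!r}, resource expects {expected_aud!r}")
    if "nbf" in claims and now + skew < claims["nbf"]:
        problems.append("token not yet valid (nbf in the future)")
    if "exp" in claims and now - skew >= claims["exp"]:
        problems.append("token expired")
    for required in ("iss", "tid", "appid"):
        if required not in claims:
            problems.append(f"missing claim {required}")
    return problems

# Constructed sample token mirroring the question's decoded claims; aud/appid are placeholders
# and the third segment is a dummy signature (this example never verifies it).
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}),
    _b64url_encode({"aud": "https://contoso.example/my-app-id-uri",
                    "iss": "https://sts.windows.net/2d1f889d-7930-4ef6-9f87-ef096d91ac47/",
                    "nbf": 1403253608, "exp": 1403296808,
                    "appid": "00000000-0000-0000-0000-000000000000",
                    "tid": "2d1f889d-7930-4ef6-9f87-ef096d91ac47"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    # Token minted for the app's own App ID URI, presented to a different resource identifier
    for reason in check_token_for_resource(SAMPLE_TOKEN, "<audience the EWS endpoint validates>", now=1403260000):
        print(reason)
```

Running it reproduces the situation in the trace: a token whose aud is the app's own App ID URI will never satisfy a resource that validates a different identifier, regardless of which permissions were granted.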