Please see edits at the bottom.

I'm trying to work with the Office 365 API using EWS (not the managed API) to create/delete/update events on users' calendars.

So far, I have successfully used Basic Auth to validate that my SOAP request will work. I'm now trying to replace Basic Auth with OAuth 2. I require the use of the Client Credentials Flow.

Here are the steps I followed:

  • Provided admin consent to the application. I launched the following URL in my browser, and provided consent using an admin account.

    https://login.microsoftonline.com/common/oauth2/authorize?
        response_type=code+id_token&
        scope=openid&
        client_id=[Client ID]&
        redirect_uri=http://localhost/myapp/permissions&
        resource=https://outlook.office.com&
        prompt=admin_consent&
        response_mode=form_post&
        nonce=1234
    
  • Upon granting consent, I retrieved the id_token from the response, and decoded it using JWT.io. From the payload, I recorded the tid.

  • Next I retrieved an access token by sending the following request:

    POST https://login.microsoftonline.com/[TID]/oauth2/token HTTP/1.1
    cache-control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Host: login.microsoftonline.com
    accept-encoding: gzip, deflate
    Connection: close
    
    client_id=[CLIENT ID]&
    client_secret=[CLIENT SECRET]&
    grant_type=client_credentials&
    resource=https%3A%2F%2Foutlook.office.com
    
  • Using the access token, I sent out the same request as I did using Basic Auth, except I replaced the Basic Auth header with Authorization: Bearer [Access Token]

I received the following error (403 Forbidden): The token contains not enough scope to make this call.

What do I need to do to fix this error?

Edit 1: I added the Use Exchange Web Services with full access to all mailboxes application permission, and sending the SOAP message now results in a 500 Internal Server Error...

1 Answer

The solution involved the following:

  1. Adding the Use Exchange Web Services with full access to all mailboxes application permission, since EWS doesn't allow the use of more granular permissions.

  2. Adding an ExchangeImpersonation SOAP header for the target mailbox.

  3. Setting the X-AnchorMailbox HTTP header.
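The three steps above, as an added example in Python (not the poster's code): it builds the SOAP envelope with the ExchangeImpersonation header and sets X-AnchorMailbox next to the bearer token. The EWS endpoint, the sample mailbox, the allow-list and the GetFolder body are assumptions; the EWS schema namespaces are the standard ones.

```python
"""Build an impersonated EWS SOAP request for an app-only (client credentials)
token: ExchangeImpersonation in the SOAP header, X-AnchorMailbox in HTTP.
Endpoint, mailbox, allow-list and body below are constructed placeholders."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EWS_ENDPOINT = "https://outlook.office365.com/EWS/Exchange.asmx"  # assumed
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_TYPES = "http://schemas.microsoft.com/exchange/services/2006/types"
NS_MSGS = "http://schemas.microsoft.com/exchange/services/2006/messages"

# Constructed allow-list: the "full access to all mailboxes" app permission is
# tenant-wide, so the app itself should limit which mailboxes it will target.
ALLOWED_MAILBOXES = {"calendar.bot@example.com"}

# Constructed sample body: fetch the calendar folder id of the target mailbox.
SAMPLE_BODY = (
    "<m:GetFolder><m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>"
    '<m:FolderIds><t:DistinguishedFolderId Id="calendar"/></m:FolderIds></m:GetFolder>'
)


def build_ews_request(access_token, target_mailbox, body_xml):
    """Return (http_headers, soap_envelope) for an impersonated EWS call."""
    if target_mailbox.lower() not in ALLOWED_MAILBOXES:
        raise ValueError(f"mailbox not in allow-list: {target_mailbox}")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "text/xml; charset=utf-8",
        # Routes the call to the impersonated mailbox's backend (step 3).
        "X-AnchorMailbox": target_mailbox,
    }
    smtp = escape(target_mailbox)  # never splice raw input into XML
    envelope = (
        f'<soap:Envelope xmlns:soap="{NS_SOAP}" xmlns:t="{NS_TYPES}" xmlns:m="{NS_MSGS}">'
        '<soap:Header><t:RequestServerVersion Version="Exchange2013_SP1"/>'
        "<t:ExchangeImpersonation><t:ConnectingSID>"  # step 2
        f"<t:PrimarySmtpAddress>{smtp}</t:PrimarySmtpAddress>"
        "</t:ConnectingSID></t:ExchangeImpersonation></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )
    return headers, envelope


def impersonated_mailbox(envelope):
    """Parse an envelope and return the PrimarySmtpAddress it impersonates."""
    root = ET.fromstring(envelope)
    path = f".//{{{NS_TYPES}}}ConnectingSID/{{{NS_TYPES}}}PrimarySmtpAddress"
    node = root.find(path)
    return None if node is None else node.text
```

POST the envelope to EWS_ENDPOINT with those headers using any HTTP client; the same envelope is what the Basic Auth version sent, only the two headers changed.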