1
votes

I'm having trouble authenticating to S4BO. I have registered my app (in Azure portal) and it's working correctly with the webSDK demo at https://ucwa.skype.com/websdk. The process I follow is the following one:

  1. I do an OAuth link redirect with the following code:

    https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https://webdir.online.lync.com&redirect_uri=http://myurl.dev/skype
    
  2. Get the auth code that has been returned and use it to generate an access token:

    POST https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=db01d1f5-f2a3-4d82-b4bc-6b3b4071d7df&resource=https://webdir.online.lync.com&redirect_uri=http://acme.intranet.dev/skype
    
         grant_type=authorization_code
         code=$thecodehere
         client_id=$clientidhere
         client_secret=$clientsecrethere
         redirect_uri=$sameuriasbefore
    
  3. After this I have my access token. Now I need my user url. So I do autodiscover

    GET https://lyncdiscover.mydomain.onmicrosoft.com
    

and I receive a result something like:

    {
      "_links": {
        "self": {
          "href": "https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=mydomain.onmicrosoft.com"
        },
        "user": {
          "href": "https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=mydomain.onmicrosoft.com"
        },
        "xframe": {
          "href": "https://webdir1e.online.lync.com/Autodiscover/XFrame/XFrame.html"
        }
      }
    }

  4. I try to log in at the user url:

    GET https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=mydomain.onmicrosoft.com
    HEADERS:
    Authorization: Bearer + theAccessTokenFromAbove
    Referer: https://webdir1e.online.lync.com/Autodiscover/XFrame/XFrame.html
    

And after this I get 403 Unauthorized. Where am I going wrong?

1
It is more complicated than what you have above. You have an access token for the user to O365. You would then need to log in to Skype for Business Online using those credentials and finally get the oauth token that UCWA could use to get authorization past Autodiscovery. - ShelbyZ
Can you tell me or point me to a resource that shows how to do that? I can't for my life figure it out from the documentation they have. - spiroski
Specifically, I'm not sure how to do this in a scenario where my web app server should be able to schedule meetings on the user's behalf, even when the user is not logged in to the site (so I should have access when the user is not on my site). - spiroski

1 Answers

0
votes
  1. Get the auth code that has been returned and use it to generate an access token

On this step as a resource you need to specify resource=https://webdir1e.online.lync.com (notice 1e) to get access to this particular hub.

Actually you will have to authenticate on every new server starting from this point, so on all the webdirXX and then on the webpoolXXXXX.

I wrote a huge interactive article that describes the requests flow in detail (after myself spending a week to reverse engineer how outlook.com does that because MSDN documentation is - at least at the time of writing this - incomplete and incorrect), maybe it can be of use:

If you configure app redirect URL to the article URL (temporarily of course), you can even test the queries right from there.

Additionally, autodiscovery and authentication code "in one piece" can be found on Github (with live demo):
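
Added example (not the answerer's code and not taken from the linked article or repository): a Python check for the answer's point that each token must be requested for the specific host it is sent to. It derives the `resource` value from a discovered link and compares it with the token's `aud` claim before the token is used. It assumes the access token is a JWT whose `aud` equals the requested resource; `TRUSTED_SUFFIXES` and all function names are hypothetical, and the tokens are constructed samples.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumption: host suffixes allowed to receive the bearer token; adjust as needed.
TRUSTED_SUFFIXES = (".online.lync.com",)


def resource_for(href):
    """Return the resource (https://host) to request a token for, given a link href."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    # Never derive a token audience from a non-HTTPS or unexpected host.
    if parts.scheme != "https" or not host.endswith(TRUSTED_SUFFIXES):
        raise ValueError("refusing to use untrusted link: %r" % href)
    return "https://" + host


def token_audience(jwt):
    """Read the 'aud' claim from a JWT payload (no signature check, diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def token_matches(jwt, href):
    """True when the token was issued for the host that href points at."""
    return token_audience(jwt).rstrip("/").lower() == resource_for(href)


def make_sample_token(aud):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), ""])


# Constructed sample: the 'user' link from the autodiscover response in the question.
USER_HREF = ("https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc"
             "/root/oauth/user?originalDomain=mydomain.onmicrosoft.com")

if __name__ == "__main__":
    generic = make_sample_token("https://webdir.online.lync.com")
    specific = make_sample_token(resource_for(USER_HREF))
    print("resource to request:", resource_for(USER_HREF))
    print("generic token usable here:", token_matches(generic, USER_HREF))
    print("host-specific token usable here:", token_matches(specific, USER_HREF))
```

Running the same check on every link returned by a later hop (another webdirXX or a webpoolXXXXX host) shows when a new token is needed before the request is sent.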