1
votes

Good day!

We need a calendar facility for the project that we're working on right now. For some reason, we are limited to using the Office 365 calendar or the Outlook calendar. We stumbled upon the Microsoft Graph APIs, which seem to be the right tool to fulfill what we want to do. So the idea is to create a Microsoft account which will be used as the main calendar, from which our wrapper API (which wraps the Microsoft Graph API calls) can pull events and eventually disseminate them to client requests.

So here is what we've done so far:

  1. Created a Microsoft account with the domain of @outlook.com
  2. Plotted some calendar events using the said Microsoft account
  3. Tried to follow this guide from the Microsoft site.

We agreed to create a wrapper API which will call the Microsoft Graph APIs, but before this we tried to access the said APIs via Postman. The problem is that Postman cannot get any response from the endpoint of the /authorize API, which is needed to gain an access token to finally call the respective Microsoft Graph APIs.

Now we do not know if we are trying to attack this wrongly or whatever. Do you have any idea what we are missing here? Thanks in advance and I hope someone can shed light on this matter.

UPDATE:

We were able to make some progress. After some time, we bumped into the Azure Active Directory portal. We are now able to get an access token using this URL.

https://login.microsoftonline.com/<directory-id>/oauth2/token

Now when we are accessing the actual MS Graph API endpoint that we are supposed to call, we are receiving a 401 Unauthorized response even though we are using the obtained token from the previous API call. This is the URL that we are trying to get a response:

https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000

This is all being done via Postman first.

UPDATE:

We tried to grant every permission possible in the Azure Active Directory portal and confirmed the consent at

https://login.microsoftonline.com/<domain>.onmicrosoft.com/adminconsent?client_id=<client-id>

but unfortunately we're still hitting the 401 Unauthorized wall. In Microsoft Graph Explorer, everything is working fine. So what could be missing in our Postman implementation that MS Graph Explorer is doing implicitly? Thanks in advance for any help!

UPDATE

After further reading, we've found out some important details. First, we've found out that there are two sets of APIs from Microsoft. One is the Azure Active Directory API and the other is the Microsoft Graph API. Both APIs use the same URL to get access tokens by using client credentials. Below is the URL:

https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token

Substitute the <directory-id> with your personal data from the Azure portal. Using this URL to get an access token, you need to supply some data in the request body.

  1. client_id - client id of the registered application in the Azure portal
  2. client_secret - secret key of the registered application in the Azure portal
  3. grant_type - 'client_credentials' --> meaning you'll get an access token by using client credentials
  4. scope - 'https://graph.microsoft.com/.default' or 'https://graph.windows.net/.default' --> this controls which API you are going to access. The first one is to access the Microsoft Graph API and the other is to access the Azure Active Directory API.

We are now able to get an access token and use it to access the actual API that we need. Below is the URL of the said API:

https://graph.microsoft.com/v1.0/users/<azure-tenant-name>.onmicrosoft.com/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000

Notice that the URL does not use /me because, upon reading, using it requires a signed-in user. Unfortunately we are still getting the 401 Unauthorized error, but the errors did change now. We are getting two errors intermittently. Sometimes the API call would return one or the other alternately. Below are the responses of the API calls.

{
    "error": {
        "code": "InvalidTenant",
        "message": "The tenant for tenant guid '<directory-id-goes-here>' does not exist.",
        "innerError": {
            "request-id": "<some-request-id>",
            "date": "2018-08-22T04:29:27"
        }
    }
}

{
    "error": {
        "code": "UnknownError",
        "message": "",
        "innerError": {
            "request-id": "<some-request-id>",
            "date": "2018-08-22T04:54:11"
        }
    }
}

We feel we've moved a step forward. We're still not getting what we need though. Now the mystery is these 2 API call responses. What could be the reason for this? Thanks in advance for anybody's help.

UPDATE

Upon even further reading we've discovered that there are authentication flows to get an access token. Depending on the API that you want to call, some authentication flows will not work on it because they need more details and security to execute themselves. So we've tried:

  1. Client Credential Grant
  2. Resource Owner Credential Grant
  3. Authorize Code Grant

But still, unfortunately, we are still stuck in the previous error. We are getting 401 Unauthorized and the response payload is either InvalidTenant or UnknownError.

There isn't enough information here to go on. Please include some sample code that shows what you're doing (i.e. what you're posting to the /authorize endpoint). – Marc LaFleur

@MarcLaFleur I updated the post sir. We are still not starting any code yet and we are first trying to make it work via Postman. – Oneb

401 suggests that your access token doesn't have the right scopes for that call (I think). Use jwt.io to check the token and look in the scopes list. You might not have the correct ones. – Chris Johnson

@ChrisJohnson Hi sir. Upon inspecting the token we are able to get the Calendars.Read and Calendars.ReadWrite under roles. In the documentation, it is said that these are the required permissions. – Oneb

@MarcLaFleur Hi sir, I've updated my post, maybe you can now shed some light regarding our problem. Appreciate the help! :) – Oneb
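
The token inspection discussed in the comments above can be done locally, so the bearer token is never pasted into a third-party site. This is an added example, not code from the original thread: it decodes the claims without verifying the signature (diagnostics only) and checks `aud`, `tid` and `roles`/`scp`. The sample token, tenant id and function names are constructed for illustration.

```python
import base64
import json

# Audience values Azure AD issues for Microsoft Graph (URI form and app-id form).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims):
    """App-only tokens carry 'roles'; delegated (signed-in user) tokens carry 'scp'."""
    return "delegated" if "scp" in claims else "app-only"

def diagnose(claims, needed, tenant_id):
    """List reasons a Graph call made with this token could be rejected."""
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append("aud is %r, not Microsoft Graph" % aud)
    if claims.get("tid") != tenant_id:
        problems.append("tid %r is not the expected tenant" % claims.get("tid"))
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    missing = sorted(set(needed) - granted)
    if missing:
        problems.append("missing permissions: " + ", ".join(missing))
    return problems

def make_sample_token(claims):
    """Build a constructed, unsigned token for the demo (not a real Azure AD token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    # Constructed case: token requested with the graph.windows.net scope.
    tenant = "11111111-1111-1111-1111-111111111111"  # placeholder tenant id
    token = make_sample_token({"aud": "https://graph.windows.net",
                               "tid": tenant,
                               "roles": ["Calendars.Read"]})
    claims = decode_claims(token)
    print(token_kind(claims), diagnose(claims, ["Calendars.Read"], tenant))
```
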

1 Answers

1
votes

I just went through a similar problem yesterday, the 401 Unauthorized error.

I was trying to access the calendar of an employee via Microsoft's Graph API, but I was receiving the same response as you.

Request:

https://graph.microsoft.com/v1.0/users/employee-email/calendarview?startdatetime=2018-10-21T00:00:00Z&enddatetime=2018-10-27T23:59:59Z&$select=subject,categories,start,end,sensitivity

Response:

{
    "error": {
        "code": "UnknownError",
        "message": "",
        "innerError": {
            "request-id": "<request-id>",
            "date": "<date>"
        }
    }
}

Then I decided to check if he had Office 365. He didn't. I'm just a developer, so I asked the guys from infrastructure to install Office 365 on the employee's machine, or add him to an enterprise account, or something like that.

After they finished, the requests to his calendar worked just fine :)