2
votes

I've been using curl and the Outlook REST API v1.0 (with basic authentication) to create calendar events in Outlook calendars. Basic authentication is soon being deprecated so I am now trying to migrate to Microsoft Graph v1.0 with OAuth 2. I have got some way down the road but am stuck at "ErrorAccessDenied" when running the POST to create the event. This is what I've done so far:

  1. Registered my app (curl) here: https://apps.dev.microsoft.com/#/appList, setting Application Permissions to Calendars.ReadWrite (and, for good measure, Delegated Permissions to Calendars.ReadWrite as well.)

  2. Using the client/application ID and client secret/password from step 1 above, I can get an access token using this command:

curl -X POST -k -d "grant_type=client_credentials&client_id=[ApplicationID]&client_secret=[Password]&resource=https%3A%2F%2Fgraph.microsoft.com%2F" https://login.microsoftonline.com/[TenantID]/oauth2/token

  3. I then try to create an event using the following command but get the ErrorAccessDenied error below:

curl.exe -k -o "C:\Temp\output.txt" -X POST -H "Content-Type:application/json" -H "Authorization: Bearer [TOKEN]" -d @"C:\Temp\eventDetails.json" https://graph.microsoft.com/v1.0/users/[UserPrincipalName]/calendars/[CalendarID]/events?$select=Id,lastModifiedDateTime

{ "error": { "code": "ErrorAccessDenied", "message": "Access is denied. Check credentials and try again.", "innerError": { "request-id": "38b802b9-08b9-4e0b-8f91-66ef56c459f8", "date": "2018-10-17T01:08:22" } } }

Beyond setting the registered app's Application Permissions to Calendars.ReadWrite (step 1 above) I'm at a loss on how to allow access. Any help would be greatly appreciated.

Thank you.

1
As I understand it, we could not create an event for a user, just for our own. - Keen Jin
This question isn't specific to curl, so I would remove that tag. - Stephan

1 Answer

1
votes

What helped me greatly is inspecting the token with a JWT-inspecting website, like JWT.ms. This website will explain all the details of the token to you (it is built by Microsoft; the token only gets parsed by JavaScript and isn't transmitted). This website also has a Claims tab, where they explain all the claims in the token.

You're talking about application permissions, and that requires an extra step. It also has to be consented to by an Azure AD Administrator for the directory you want to access.

You can build this into the sign-in flow, but the easiest way is through the Azure Portal.

  1. Go to https://portal.azure.com -> Azure Active Directory -> [AD Name] - App registrations
  2. Find the app you want to grant access to.
  3. Click Settings
  4. Click Required Permissions
  5. Click Grant Permissions

What this does is create an application account in your tenant, with the permissions you requested.

After these steps you should create a new token and compare it to the token you got the first time, and you should be able to see the changes.
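The before/after comparison the answer suggests can be done offline instead of pasting tokens into a website. The script below is an added example, not code from the question or the answer: it base64url-decodes the payload of an access token the way jwt.ms does in the browser and checks the two claims that decide whether Graph will accept a client_credentials token for an application permission: `aud` (must be Microsoft Graph) and `roles` (where admin-consented application permissions appear; delegated permissions show up in `scp` instead). The two tokens, the tenant and app IDs in them, and the dummy signatures are constructed for the demo, so no signature verification is attempted or possible here; Graph validates signatures on its side.

```python
"""Added example (not from the question or the answer): decode an Azure AD
access token locally and check the claims Microsoft Graph looks at for an
application-permission call made with a client_credentials token.

The tokens below are CONSTRUCTED with dummy signatures; this only inspects
the payload, it does not (and cannot) verify a signature."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


# Audience values Azure AD issues for Microsoft Graph; the GUID is Graph's app ID.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}


def check_graph_app_token(claims: dict, required_role: str) -> list:
    """Return a list of problems; an empty list means the token carries what a
    Graph call needing `required_role` as an *application* permission expects."""
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud is {claims.get('aud')!r}, not Microsoft Graph")
    # Application permissions are the `roles` claim (admin consent required);
    # delegated permissions show up as a space-separated `scp` string instead.
    roles = claims.get("roles", [])
    if required_role not in roles:
        if "scp" in claims:
            problems.append("token has delegated scopes (scp) but no application roles")
        else:
            problems.append(f"roles claim is missing {required_role!r}; "
                            "admin consent for the application permission not granted yet?")
    return problems


def make_fake_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo (constructed data, dummy signature)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


# Constructed claims; tenant and app IDs are placeholders, not real values.
COMMON = {
    "aud": "https://graph.microsoft.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "tid": "00000000-0000-0000-0000-000000000000",
}
# Before an admin grants the application permission: authenticated, but no roles.
BEFORE_CONSENT = make_fake_token(COMMON)
# After "Grant Permissions": the consented application permission appears in roles.
AFTER_CONSENT = make_fake_token({**COMMON, "roles": ["Calendars.ReadWrite"]})


def diff_claims(old: dict, new: dict) -> dict:
    """Claims that differ between two tokens, e.g. before and after consent."""
    return {k: (old.get(k), new.get(k)) for k in set(old) | set(new)
            if old.get(k) != new.get(k)}


if __name__ == "__main__":
    for label, tok in (("before consent", BEFORE_CONSENT), ("after consent", AFTER_CONSENT)):
        claims = decode_jwt(tok)
        print(label, json.dumps(claims, indent=2))
        print("  problems:", check_graph_app_token(claims, "Calendars.ReadWrite") or "none")
    print("changed claims:", diff_claims(decode_jwt(BEFORE_CONSENT), decode_jwt(AFTER_CONSENT)))
```

To use it on a real token, pass the `access_token` string from the curl response to `decode_jwt` and feed the result to `check_graph_app_token`; a token that already lists the permission in `roles` and still gets ErrorAccessDenied points at something other than consent.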