EWS API to access Office365 with oAuth2

0
votes

We have a Daemon application that uses the EWS API to access office365/Exchange server with basic authentication. I am trying to implement the Oauth2. There are a lot of documents. However, they are often out of date and caused more confusion. I followed this document https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview, which seems up-to-date. I did the following steps:

Register App

Document: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-registration - Registered a secret with application password in Azure AD, i.e. certificate is used. The generated secret is recorded. - selected the “Accounts in this organizational directory only”.
- Requested API Permission for Application permissions for Exchange full_access_as_app and Mail.Read. Admin consent is granted.

Get Token

Document: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=java I prototyped to use Protocol to get token

 POST /{tenant}/oauth2/v2.0/token HTTP/1.1           
 Host: login.microsoftonline.com
 Content-Type: application/x-www-form-urlencoded

 client_id={myAppClientId}
 &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
 &client_secret={myAppSecret}
 &grant_type=client_credentials

I got token with 

{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "……thetoken…"

}

Call EWS API in my App

My App works with the Basic Authentication. I modified it by adding the Authorization header ("Authorization", "Bearer " + accessToken); Basially the prepareWebRequest() function is overriden by adding the Authorization header. Compared with a Basic Authentication case, the request has the additional Authorization header with the Bearer token.

For the same EWS API call that the Basic Authorization had worked, the response is 401 with x-ms-diagnostics 2000003;reason="The audience claim value is invalid for current resource. Audience claim is 'https://graph.microsoft.com', request url is 'https://outlook.office365.com/EWS/Exchange.asmx' and resource type is 'Exchange'.";error_category="invalid_resource"

Researched in stackoverflow, people suggested to use the following as scope value to get token in step 2: https://outlook.office365.com/full_access_as_app https://outlook.office.com/Mail.Read I tried and both returned “invalid_scope” error. It seems both worked before but not anymore. Following the working scope value format, I tried to use https://outlook.office.com/.default as scope value. I was able to get a token! However, when I use this token in EWS API to access the mailbox, I got 500 error instead of the 401.
What are the right things to do to make it work? What is the right Scope to access an office365 mail box?

More Code Snippets

This is a new class added for oauth2

package microsoft.exchange.webservices.data;
import java.util.Map;
public final class BearerTokenCredentials extends ExchangeCredentials {

private static final String BEARER_TOKEN_FORMAT_REGEX = "^[-._~+/A-Za-z0-9]+=*$";
private static final String AUTHORIZATION = "Authorization";
private static final String BEARER_AUTH_PREAMBLE = "Bearer ";
private String token;
public String getToken() {
    return token;
}
public BearerTokenCredentials(String bearerToken) {
    if (bearerToken == null) {
        throw new IllegalArgumentException("Bearer token can not be null");
    }
    this.validateToken(bearerToken);
    this.token = bearerToken;
}
protected void validateToken(String bearerToken) throws IllegalArgumentException {
    if (!bearerToken.matches(BEARER_TOKEN_FORMAT_REGEX)) {
        throw new IllegalArgumentException("Bearer token format is invalid.");
    }
}
@Override
public void prepareWebRequest(HttpWebRequest request) {
    Map<String, String> headersMap = request.getHeaders();
    String bearerValue = BEARER_AUTH_PREAMBLE + token;
    headersMap.put(AUTHORIZATION, bearerValue);
    //headersMap.put("X-AnchorMailbox","[email protected]");
    request.setHeaders(headersMap);
}

}

Use the token to acceess EWS/Exchange ews-java-api 2.0-patched

ExchangeService service  = new 
ExchangeService(ExchangeVersion.Exchange2010_SP2); //version is 
Exchange2010_SP2
service.setTraceEnabled(true);
BearerTokenCredentials credentials = new BearerTokenCredentials("thetoken");
service.setCredentials(credentials);
service.setUrl(new 
URI(host));//https://outloook.office365.com/EWS/Exchange.asmx
try{
Folder.bind(service, WellKnownFolderName.Inbox); 
}catch(Exception e)
{
//The remote server returned an error: (500)Internal Server Error
}
1
javaazureoauth-2.0exchangewebservices
https://outlook.office.com/.default should be the correct value for "scope" for v2.0 token endpoint. I can access 'outlook.office365.com/EWS/Exchange.asmx' with the Authorization header "Bearer {access token}". Please add more code about which endpoint you are calling.Allen Wu
@AllenWu Thanks a lot. I added "More Code Snippets"Lin Chen

1 Answers

0
votes

The code you use to connect to the Office365 Mailbox still needs to use EWS Impersonation eg

service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, mailboxName);

Where MailboxName is the Mailbox you want to connect to.