My Outlook web add-in is using the Office.context.mailbox.getCallbackTokenAsync method passing 'isRest = true' in options. This is to get an authorized token I can use to make requests to the Outlook REST API. This works fine on Outlook 2019, in OWA and on Office 365 Windows Desktop client, however it does not work for Outlook 2016. Attempting to use the retrieved token against the REST API returns 403 status.

The requirement sets for the add-in API indicate that Windows Outlook 2016 only supports up to version 1.4 (see here), and the support for 'isRest=true' in the getCallbackTokenAsync method is only added in requirement set 1.5.

Given this limitation on Outlook 2016, is there any other way to silently (as in no user interaction via pop-ups etc.) get an Outlook REST API token in my web add-in on Outlook 2016?

The REST API endpoint that needs to be contactable is '/v2.0/me/'.

Note the target backend is an Exchange 2016 on-premises solution, so integrating with Azure isn't an option from what I can tell.

Potential Options Already Considered

  • Calling getCallbackTokenAsync and passing isRest on Outlook 2016 looks to return an EWS token - Exchange.Callback.V1. However, I cannot use this as the add-in is passing the retrieved token to a server that makes the REST API request, and that server cannot be changed to also support the EWS token without a much longer turnaround than if I can modify the add-in code instead.
  • I looked at taking the relevant isRest code from outlook-win32-16.02.js to make the call myself. I got as far as executing the token call against window.external, but while this works on Outlook 365 it doesn't successfully return on Outlook 2016, so I'm assuming that the underlying client does not support the operation rather than just the office.js library not having it exposed.

    window.external.Execute(12, [JSON.stringify({"isRest" : true, "itemNumber": "1"})], function(result){console.log('Result is: ' + JSON.stringify(result));});

  • Considered overriding the request to the server made by a getCallbackToken call for the EWS token and modifying the XML body to the REST token retrieval equivalent; however, overriding XMLHttpRequest.send only had an impact in OWA. That does not seem to be used in the Outlook desktop client to issue the EWS call to retrieve the token.
  • Currently I'm looking at whether I can make a GetClientAccessToken call to the Exchange server manually (the office.js makeEwsRequestAsync method does not support this call); however, I can't see a way to get a valid authentication header for the request and the Id and ParentItemId properties that need to be passed in the request body. The EWS token from getCallbackToken is not authorized to perform a GetClientAccessToken call.

1 Answer

Retrieving a REST token in Outlook 2016 is currently not supported.

An alternative is to use OAuth. The add-in developer could register an appId and have the add-in users go through the one-time consent flow for authentication. Documentation on how to use OAuth can be found here.
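
The requirement-set limit discussed in the question can be checked at runtime, so an add-in never forwards an EWS-scoped token to a server that expects a REST token. The following is an added example, not code from the original post or from office.js: `getRestToken` and `fakeHost` are hypothetical names, the Office object is passed in as a parameter, and the stub host and its values are constructed.

```javascript
// Added example. `office` is the global Office object, passed in as a
// parameter so the guard can be exercised outside Outlook.
function getRestToken(office, done) {
  var req = office.context.requirements;
  // isRest is only honoured from Mailbox requirement set 1.5. On older hosts
  // (Outlook 2016 in the question) the call yields an EWS-scoped token that
  // the REST API answered with 403, so fail early instead of forwarding it.
  if (!req || !req.isSetSupported('Mailbox', '1.5')) {
    done({ ok: false, reason: 'rest-token-unsupported' });
    return;
  }
  office.context.mailbox.getCallbackTokenAsync({ isRest: true }, function (result) {
    if (result.status === office.AsyncResultStatus.Succeeded) {
      done({ ok: true, token: result.value, restUrl: office.context.mailbox.restUrl });
    } else {
      done({ ok: false, reason: 'token-request-failed', error: result.error });
    }
  });
}

// Constructed stand-in for the Office host (hypothetical helper, test use only).
// The version comparison is simplified and only valid for single-digit minors.
function fakeHost(mailboxVersion, tokenStatus) {
  return {
    AsyncResultStatus: { Succeeded: 'succeeded', Failed: 'failed' },
    context: {
      requirements: {
        isSetSupported: function (name, min) {
          return name === 'Mailbox' && parseFloat(mailboxVersion) >= parseFloat(min);
        }
      },
      mailbox: {
        restUrl: 'https://mail.example.test/api', // constructed value
        getCallbackTokenAsync: function (options, cb) {
          cb({ status: tokenStatus, value: 'constructed-token', error: { message: 'denied' } });
        }
      }
    }
  };
}
```

When the result is `rest-token-unsupported`, the add-in can switch to the OAuth consent flow the answer describes rather than sending a token the backend will reject.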