2
votes

To download an Exchange item on our backend, in an Office cloud Add-in we call the Office.js getCallbackTokenAsync, which provides a scoped token. Then on the backend, with the token, we download an item via the Outlook REST/EWS API (O365).

Recently we faced the following issue: some customers on Android get a 403 response code when we try to download it via the REST API, but for some of them it works fine. After investigation, I found this:

On Android with Outlook version 4.2108.3 (42108814), the callback token payload is

{
  "nameid": "ddb00a58-4ace-4bbd-880b-ce841b0ae55d@848c5ff4-6a22-405e-a845-732e98511fdd",
  "ver": "Exchange.Callback.V1",
  "appctxsender": "https://my-host-for.addin.something/main.html?parameter=some@848c5ff4-6a22-405e-a845-732e98511fdd",
  "issring": "WW",
  "appctx": "{\"oid\":\"dc3f8f9a-c0f8-4243-9a8c-ccf89099cd2b\",\"smtp\":\"[email protected]\",\"upn\":\"[email protected]\",\"scope\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0Aabol7TmVQkmDNhnSdkE8jAAAiPSJTAAA\"}",
  "nbf": 1616074356,
  "exp": 1616074656,
  "iss": "00000002-0000-0ff1-ce00-000000000000@848c5ff4-6a22-405e-a845-732e98511fdd",
  "aud": "00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@848c5ff4-6a22-405e-a845-732e98511fdd",
  "happ": "OutlookService"
}

On iOS with Outlook version 4.2109.0 the callback token is

{
  "nameid": "ddb00a58-4ace-4bbd-880b-ce841b0ae55d@848c5ff4-6a22-405e-a845-732e98511fdd",
  "ver": "Exchange.Callback.V1",
  "appctxsender": "https://my-host-for.addin.something/main.html?parameter=some@848c5ff4-6a22-405e-a845-732e98511fdd",
  "issring": "WW",
  "appctx": "{\"oid\":\"dc3f8f9a-c0f8-4243-9a8c-ccf89099cd2b\",\"smtp\":\"[email protected]\",\"upn\":\"[email protected]\",\"scope\":\"ParentItemId:AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0Aabol7TmVQkmDNhnSdkE8jAAAiPSJTAAA\"}",
  "nbf": 1616076538,
  "exp": 1616076838,
  "iss": "00000002-0000-0ff1-ce00-000000000000@848c5ff4-6a22-405e-a845-732e98511fdd",
  "aud": "00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@848c5ff4-6a22-405e-a845-732e98511fdd",
  "happ": "API"
}

On Android with Outlook version 4.2108.3 (32108814) the callback token is

{
  "nameid": "ddb00a58-4ace-4bbd-880b-ce841b0ae55d@848c5ff4-6a22-405e-a845-732e98511fdd",
  "ver": "Exchange.Callback.V1",
  "appctxsender": "https://my-host-for.addin.something/main.html?parameter=some@848c5ff4-6a22-405e-a845-732e98511fdd",
  "issring": "WW",
  "appctx": "{\"oid\":\"dc3f8f9a-c0f8-4243-9a8c-ccf89099cd2b\",\"smtp\":\"[email protected]\",\"upn\":\"[email protected]\",\"scope\":\"ParentItemId:AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0Aabol7TmVQkmDNhnSdkE8jAAAiPSJTAAA\"}",
  "nbf": 1616077603,
  "exp": 1616077903,
  "iss": "00000002-0000-0ff1-ce00-000000000000@848c5ff4-6a22-405e-a845-732e98511fdd",
  "aud": "00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@848c5ff4-6a22-405e-a845-732e98511fdd",
  "happ": "API"
}

For the Android client with version 4.2108.3 (32108814) and the iOS client with version 4.2109.0 the REST API works fine, but for the Android client with version 4.2108.3 (42108814) it returns a 403 response.

It's easy to see that the first token's appctx doesn't contain ParentItemId: in the scope property. It looks like this is the root cause.

We updated the Android client from 4.2108.3 (32108814), which worked, to 4.2109.2 (32109815) and it stopped working as well.

Is it a regression in MS Outlook for Android? Is there a way to fix it on our side?

Here are the failed response headers:

X-CalculatedFETarget: SJ0PR05CU007.internal.outlook.com
X-BackEndHttpStatus: 403;403
X-FEProxyInfo: SJ0PR05CA0185.NAMPRD05.PROD.OUTLOOK.COM
X-CalculatedBETarget: BYAPR01MB5208.prod.exchangelabs.com
X-RUM-Validated: 1
X-BeSku: WCS5
x-ms-appId: ddb00a58-4ace-4bbd-880b-ce841b0ae55d
Rate-Limit-Limit: 10000
Rate-Limit-Remaining: 10000
Rate-Limit-Reset: 2021-03-18T15:11:33.140Z
x-ms-diagnostics: 2000008;reason="The callback token's protocol claim value '{0}' doesn't match the current requested protocol.";error_category="invalid_grant"
OData-Version: 4.0
X-DiagInfo: BYAPR01MB5208
X-BEServer: BYAPR01MB5208
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 403
X-FEServer: SJ0PR05CA0185;SA0PR11CA0029
Cache-Control: private
Date: Thu, 18 Mar 2021 15:11:32 GMT
Server: Microsoft-IIS/10.0
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
1
This appears to be a bug in Android. Thanks for reporting this issue regarding getCallbackTokenAsync. It has been put on our backlog. We, unfortunately, have no timelines to share at this point. Please follow this thread github.com/OfficeDev/office-js/issues/1737 for updates on the fix. - Outlook Add-ins Team - MSFT
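As an added example (not code from the question, the comment, the answer or Microsoft), here is a small Node.js backend pre-flight check for the situation described above: decode the callback token's payload, check the ver/nbf/exp claims and the appctx.scope shape the question identifies as the difference between working and failing tokens, and parse the x-ms-diagnostics header of a 403 into a loggable object so the failure is classified rather than silently retried. It assumes the token is a compact JWT (header.payload.signature) and that signature verification against Exchange's metadata is done elsewhere in the backend; the sample tokens, ids and e-mail addresses are constructed placeholders, only the timestamps and the header value are taken from the question.

```javascript
// Added example, not code from the question or from Microsoft. Assumes Node.js
// and a compact JWT (header.payload.signature); signature verification is
// assumed to happen elsewhere in the backend, this only inspects the payload.

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  const pad = "=".repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return Buffer.from(b64, "base64").toString("utf8");
}

// Decode the payload (middle segment) of a compact JWT without verifying it.
function decodeCallbackToken(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pre-flight checks on the decoded payload. The ParentItemId: check encodes the
// observation from the question: tokens whose appctx.scope lacks that prefix
// were the ones the REST endpoint answered with 403.
function inspectCallbackToken(payload, nowSeconds) {
  const reasons = [];
  if (payload.ver !== "Exchange.Callback.V1") reasons.push(`unexpected ver: ${payload.ver}`);
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) reasons.push("token not yet valid (nbf)");
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) reasons.push("token expired (exp)");
  let appctx = {};
  try {
    appctx = JSON.parse(payload.appctx); // appctx is a JSON string inside the JSON payload
  } catch (e) {
    reasons.push("appctx is not valid JSON");
  }
  const scope = typeof appctx.scope === "string" ? appctx.scope : "";
  if (!scope) reasons.push("appctx.scope missing");
  else if (!scope.startsWith("ParentItemId:")) reasons.push("appctx.scope lacks ParentItemId: prefix");
  return { ok: reasons.length === 0, reasons, happ: payload.happ, scope };
}

// Parse an x-ms-diagnostics header value such as
//   2000008;reason="...";error_category="invalid_grant"
// into { code, reason, error_category } for structured logging; null if unparseable.
function parseMsDiagnostics(value) {
  const m = /^(\d+);(.*)$/.exec(value.trim());
  if (!m) return null;
  const out = { code: Number(m[1]) };
  for (const kv of m[2].matchAll(/(\w+)="([^"]*)"/g)) out[kv[1]] = kv[2];
  return out;
}

// Constructed sample tokens mirroring the two payload shapes in the question.
// Ids and addresses are placeholders, the signature segment is a dummy.
function sampleTokens() {
  const tenant = "tenant-id-placeholder";
  const appctx = (scope) => JSON.stringify({
    oid: "oid-placeholder",
    smtp: "user@example.com",
    upn: "user@example.com",
    scope,
  });
  const base = {
    nameid: `app-id-placeholder@${tenant}`,
    ver: "Exchange.Callback.V1",
    issring: "WW",
    nbf: 1616074356,
    exp: 1616074656,
    iss: `00000002-0000-0ff1-ce00-000000000000@${tenant}`,
    aud: `00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@${tenant}`,
  };
  const encode = (payload) =>
    `${base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${base64UrlEncode(JSON.stringify(payload))}.dummysig`;
  return {
    working: encode({ ...base, appctx: appctx("ParentItemId:AAkA-item-id-placeholder"), happ: "API" }),
    failing: encode({ ...base, appctx: appctx("AAkA-item-id-placeholder"), happ: "OutlookService" }),
  };
}

// Stand-alone run: report both sample tokens and a parsed diagnostics header.
if (typeof require !== "undefined" && require.main === module) {
  const now = 1616074400; // inside the sample validity window
  for (const [name, jwt] of Object.entries(sampleTokens())) {
    console.log(name, inspectCallbackToken(decodeCallbackToken(jwt), now));
  }
  console.log(parseMsDiagnostics(
    '2000008;reason="The callback token\'s protocol claim value \'{0}\' doesn\'t match the current requested protocol.";error_category="invalid_grant"'
  ));
}
```

Running a check like this before the REST call turns the intermittent 403 into a logged, attributable condition (client build, happ value, scope shape) instead of a generic download failure, which is what you want when deciding whether to fall back to EWS or to surface a client-update prompt.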

1 Answer

0
votes

You will need to elevate the required permissions in order to continue to use their route. Previously it required ReadWriteItem. You now require ReadWriteMailbox. In the Add-in, the XML manifest file outlines this permission.

<OfficeApp ...>
...
   <Permissions>ReadWriteMailbox</Permissions>
...
</OfficeApp> 

Unfortunately I can find no correspondence from Microsoft regarding this recent change, which seems to be an issue that was introduced a little over a week ago (16th March 2021). Not sure if it's a regression, but it is a change.