I'm trying to log onto Office 365 Exchange Online using OAuth and EWS Managed API.
I am able to use connect to the Office 365 Web API's (REST), so I do have a valid Token from the Active Directory Authentication Library (ADAL).
Now, I'm trying to connect using EWS and TokenCredentials.
The code is pretty easy, I think:
public static ExchangeService ConnectToServiceWithImpersonation(string token)
{
var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
if (true)
{
service.TraceListener = new TraceListener();
service.TraceFlags = TraceFlags.All;
service.TraceEnabled = true;
}
var credentials = new TokenCredentials(token);
service.Credentials = credentials;
service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
return service;
}
The token is generated by ADAL, which in turn is from sample code using the "Office 365 API Tools - Preview"
// Obtain information for communicating with the service:
Office365ServiceInfo serviceInfo = Office365ServiceInfo.GetExchangeServiceInfo();
if (!serviceInfo.HasValidAccessToken)
{
return Redirect(serviceInfo.GetAuthorizationUrl(Request.Url));
}
// Connect to Exchange
var service = ConnectToServiceWithImpersonation(serviceInfo.AccessToken);
Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);
On the Folder.Bind call, I get a 401 Unauthorized error. EWS Trace gives me this:
2014-04-06 12:06:39.2012 TRACE ExchangeWebServices: EwsResponseHttpHeaders -> <Trace Tag="EwsResponseHttpHeaders" Tid="11" Time="2014-04-06 10:06:39Z">
HTTP/1.1 401 Unauthorized
request-id: 01ba1ca9-2850-480a-9d65-ec55bfef8657
X-CasErrorCode: BadSamlToken
X-FEServer: AMSPR04CA018
Content-Length: 0
Cache-Control: private
Date: Sun, 06 Apr 2014 10:06:39 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic Realm=""
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Unfortunately, hours of googling did not really help, there does not seem to be very much specific information about EWS and OAuth authentication, and I have no idea how to further troubleshoot it, so I'm hoping that anyone has some advice on how to get it working.
TokenCredentials is not the right class to use in this example. Like Jason mentioned put in place for other reasons. As a note and to clarify using this and/or SAML tokens will not work in Exchange Online with EWS. Only OAuth based access is supported. To make this work we put a OAuthCredentials class in EWS Managed API. In your code you can "var credentials = new OAuthCredentials(token)". Be aware that EWS Soap only supports full "user_impersonation" / "full access to the users mailbox" rights. Granular permission such as Calendar.Read are only available with EWS Rest APIs. While "Full mailbox access" requires an admin to consent, admins from other tenants can consent as it is a web app. In case you want to develop a native app, the app has to be directly registered in the app of the tenant it runs in order to use "Full mailbox access".
You can use OAuth to connect to EWS (as opposed to REST), however, it's not as smooth. EWS requires the special "Have full access to a user's mailbox" delegated permission in Azure Active Directory, which requires an administrator to register it. This permission also doesn't "travel" outside the organization, so there is no user-consent scenario for EWS. Essentially, the only scenario that this works for is an administrator registering the application for your own organization.
Check your app registration in Azure and make sure you have that permission assigned.
Assuming that you have the permission assigned, I've made this work in two ways.
The simplest: Just add the token you get back to the request headers in an Authorization header, like so:
You can use saml if from a certified domain of the aad, and you swap that token using the ms online sts. I did this, and its trivial to find my writeups on the web.
Interested to dump it all and now use an aad issue access token.
The older model is cute in some ways, as you are not tied to aad oauth, for your own app, only becoming tied to aad land when talking to microsoft properties. If one has, with openid connect, a vendor mobile token (a tgt, in all but name), perhaps i can live with some codependence.
So i have an aad (netmagic.onmicrosoft.com), with certified domain registration (rapmlsqa.com). Do i go make a webapi class app in aad, assign THAT the office permissions?