Office 365 + OAuth 2.0 + EWS

0 votes
asked Feb 29, 2020 by idblew (220 points)
edited Feb 29, 2020 by idblew

Hi,

Are there any code examples for accessing an Office 365 mailbox using EWS with an OAuth 2.0 token?

Everything is configured correctly in Azure AD with regard to creating a RegisteredApp with the correct permissions.

I can obtain a token using Postman (see below), but when I pass the access_token value to EWS.Login(token, EwsAuthentication.OAuth20) I get the error "OAuth token is invalid (invalid_token)".

{
    "token_type": "Bearer",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1582880341",
    "not_before": "1582876441",
    "resource": "https://outlook.office365.com",
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6Im45dW1aeWl4bmM5RVJyeVpnVnQ1N3JPcTdwcFVLQkRMOTZjaEFSYnpUT0kiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhsQzBSMTJza3hOWjFXUXdtak9GXzZ0X3RERSIsImtpZCI6IkhsQzBSMTJza3hOWjFXUXdtak9GXzZ0X3RERSJ9.eyJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlMzY1LmNvbSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzQzZDQ0YWY5LWRmZjItNGZiOC04OGI0LWU1MGFiM2ExYjQxYS8iLCJpYXQiOjE1ODI4NzY0NDEsIm5iZiI6MTU4Mjg3NjQ0MSwiZXhwIjoxNTgyODgwMzQxLCJhaW8iOiI0Mk5nWUlqN0tKLzd5ckdvZVBwYjJVZHlQOTZMQUFBPSIsImFwcF9kaXNwbGF5bmFtZSI6IkVESSBMZWdhY3kgQXBwIE9BVVRIIiwiYXBwaWQiOiI2YTIxNTUxOC02YjIxLTQ1ZGMtYWJjOC04YzQyMTMzMGRmZTQiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80M2Q0NGFmOS1kZmYyLTRmYjgtODhiNC1lNTBhYjNhMWI0MWEvIiwib2lkIjoiMGQ0YjVkNjQtYTg0Ni00YWM3LTgyZjktYmRlMDBlYjhmZjNmIiwicm9sZXMiOlsiTWFpbC5SZWFkV3JpdGUiLCJNYWlsLlJlYWQiLCJNYWlsLlNlbmQiXSwic2lkIjoiNjMwODlkY2UtNDg3MC00MjIyLWFlMzktMGM2ZDg4MDAxMDE3Iiwic3ViIjoiMGQ0YjVkNjQtYTg0Ni00YWM3LTgyZjktYmRlMDBlYjhmZjNmIiwidGlkIjoiNDNkNDRhZjktZGZmMi00ZmI4LTg4YjQtZTUwYWIzYTFiNDFhIiwidXRpIjoiTE44bXhRcGF2a0NsU2FJdjEwNHZBQSIsInZlciI6IjEuMCJ9.YslJwwD1mvhj6UJXAhB4waop80Sx1TrqLNrxLhzf_jiFS8oclEUXx3_Zdvo7dFCL4JRouDHio7jtRRa9Yym329fsOOBU3IxWHfRi6twEWAHab84olBrZrqinGfBtiameECscdRMj9n0kCScUCVdDOHtgIs9QZUxy_EH70HO945PEnZyEx0eIEXNG7HHOFld6plgeD6BmU4dFNvI5UW73TlRSm8PRuFhSGQT1CYjyPeSMqA-u9lGNfNuUFG1eNCGFuTdwyG8d1TLPIuwIeRLhyMVfkFv2JW-mv_0GhtO9R_Q63UmxuYvJfIQT0XHEKQhEsROm-4twaPCjlpx7ZUhQfw"
}

I've also tried programmatically to obtain the token using the code below with no success.

AuthenticationContext authContext = new AuthenticationContext(String.Format("https://login.microsoftonline.com/{0}", _tenantId));
ClientCredential clientCredential = new ClientCredential(_clientId, _clientSecret);
AuthenticationResult authResult = authContext.AcquireTokenAsync("https://outlook.office365.com", clientCredential).Result;
EWS.Login(authResult.AccessToken, EwsAuthentication.OAuth20);

Any help greatly appreciated!

Applies to: Rebex Secure Mail
commented Mar 18 by newJoiner (100 points)
hey,
I can see you resolved your own problem :) Would you be able to share how you request a token from EWS using postman?
Thanks!
commented Mar 18 by Lukas Pokorny (124,570 points)
This might not be relevant to Postman, but we now have sample apps that show EWS + OAuth 2.0 flow using custom code (https://github.com/rebexnet/RebexExtras/tree/master/Office365_OAuth2) and using Microsoft.Identity.Client API (https://github.com/rebexnet/RebexExtras/tree/master/Office365_OAuth2_IdentityClient).
commented Mar 18 by idblew (220 points)
Hi Lukas,

The blog article mentioned in both of the above (see below) no longer exists, do you have an updated URL?

https://blog.rebex.net/oauth2-office365-rebex-mail

Thanks
commented Mar 19 by Lukas Pokorny (124,570 points)
Actually, the accompanying article is going to be published next week. I just published the source code a few days earlier in the hope it would be useful anyway. Sorry for the inconvenience! I'll post an update when the article appears.
commented Mar 19 by newJoiner (100 points)
@Lukas thanks! I'll have a look
commented Mar 24 by Lukas Pokorny (124,570 points)
We just published the blog post as well: https://blog.rebex.net/oauth2-office365-rebex-mail
commented May 17 by Jiří Zídek (210 points)
Would you mind working out an example that fits server-side usage? There is no user to do the interaction. Something similar to this: https://www.emailarchitect.net/eagetmail/sdk/html/object_oauth_ews_service.htm

1 Answer

0 votes
answered Mar 2, 2020 by idblew (220 points)
selected Mar 2, 2020 by Lukas Matyska
 
Best answer

Resolved!

Domain Admin had granted the following permission but not granted admin consent.

full_access_as_app
...