
Facing "The token contains no permissions, or permissions can not be understood." issue in EWS with OAuth


We have a requirement in which we need to add an appointment to a user's Outlook account on behalf of that user using delegate access. All mails are in the same domain or the same network. We are trying this by using OAuth with Office 365, by creating an Azure application and providing the application-level "calendar read and write" delegate permission. I have referred to the https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ article to set up the Azure application, which will provide me an access token. While fetching the access token I have used the following code:

    // Requires: using Microsoft.IdentityModel.Clients.ActiveDirectory; (ADAL)
    // tenantID, clientId and GetClientCertificate() are members of the enclosing class.
    private static string GetTokenUsingCertificate()
    {
        string authority = string.Format("https://login.windows.net/{0}/oauth2/authorize", tenantID);
        string outlookUri = "https://outlook.office365.com/";
        var authenticationContext = new AuthenticationContext(authority, false);
        var clientCertificate = new ClientAssertionCertificate(clientId, GetClientCertificate());
        AuthenticationResult authenticationResult = null;
        try
        {
            // Client-credential (app-only) token request for the Outlook resource.
            authenticationResult = authenticationContext.AcquireTokenAsync(outlookUri, clientCertificate).Result;
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }

        // Null when the token request failed.
        return authenticationResult?.AccessToken;
    }

The above function provides me an access token, but when I try to add an appointment to the user's Outlook calendar using Exchange Service, I get the "The token contains no permissions, or permissions can not be understood." exception. While adding the appointment I am using the following code:

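    // Requires: using Microsoft.Exchange.WebServices.Data; (EWS Managed API)
    // accessToken is the value returned by GetTokenUsingCertificate().
    private void AddAppointment()
    {
        ExchangeService exchangeService = new ExchangeService();
        exchangeService.Credentials = new OAuthCredentials(accessToken);
        exchangeService.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
        // Bind the appointment to the service configured above.
        Appointment appointment = new Appointment(exchangeService)
        {
            Subject = "EWS OAuth: Appointment 2",
            Body = "EWS OAuth Auth: Body",
            Start = DateTime.Now.AddMinutes(10)
        };
        // Save into the target user's calendar without sending invitations.
        appointment.Save(
            new FolderId(WellKnownFolderName.Calendar, new Mailbox("mail@outlook.com/")),
            SendInvitationsMode.SendToNone);
    }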

Please help me to resolve this issue.


Solution

  • EWS doesn't allow the same level of OAuth permission scope (or permission restriction) that the REST API allows, which is one of the big benefits of using REST vs EWS. If you have Office 365, why are you trying to use EWS over REST?

    To answer the question you will need

    OAuth authentication for EWS is only available in Exchange as part of Office 365. EWS applications require the "Full access to user's mailbox" permission.

    as per https://msdn.microsoft.com/en-us/library/office/dn903761%28v=exchg.150%29.aspx .
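
To see which permissions a token actually carries before handing it to EWS, the payload can be decoded and its `roles` (app-only) and `scp` (delegated) claims listed. This is an added example, not part of the original question or answer; the class and method names are hypothetical, it assumes .NET Core 3.1 or later with `System.Text.Json`, the two tokens are constructed samples (with `full_access_as_app` as the sample role value), and the signature is not validated because the check is diagnostic only.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class TokenPermissionCheck   // hypothetical helper, not from the original post
{
    // Decode one base64url JWT segment to its JSON text.
    static string Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string Base64UrlEncode(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns the app-only ("roles") and delegated ("scp") permissions found in the token.
    public static List<string> GetPermissions(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT (expected 3 segments).");
        var permissions = new List<string>();
        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement root = payload.RootElement;
        if (root.TryGetProperty("roles", out JsonElement roles) && roles.ValueKind == JsonValueKind.Array)
            foreach (JsonElement r in roles.EnumerateArray()) permissions.Add(r.GetString());
        if (root.TryGetProperty("scp", out JsonElement scp) && scp.ValueKind == JsonValueKind.String)
            permissions.AddRange(scp.GetString().Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries));
        return permissions;
    }

    static void Main()
    {
        // Constructed sample tokens: one without permission claims, one with an app role.
        string header = Base64UrlEncode("{\"alg\":\"none\"}");
        string aud = "\"aud\":\"https://outlook.office365.com/\"";
        string empty = header + "." + Base64UrlEncode("{" + aud + "}") + ".sig";
        string granted = header + "." + Base64UrlEncode("{" + aud + ",\"roles\":[\"full_access_as_app\"]}") + ".sig";
        foreach (string token in new[] { empty, granted })
        {
            List<string> p = GetPermissions(token);
            Console.WriteLine(p.Count == 0
                ? "no roles/scp claims: token carries no permissions"
                : "permissions: " + string.Join(", ", p));
        }
    }
}
```

Calling `GetPermissions` on the string returned by `GetTokenUsingCertificate()` shows whether the Azure application was granted the full-mailbox-access permission the answer refers to.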