Search code examples
oauthexchangewebservicesexchange-basicauth

EWS Authentication: Service Account credentials to OAuth

Today we have an application to sync appointments to Exchange. We have several customers using different versions of Exchange, i.e: Exchange 2010, o365. Each customer have created a Service Account with impersonation rights that we use for authentication. An example:

var credentials = new WebCredentials(serviceAccount.username, serviceAccount.password);
var service = new ExchangeService
{
   Credentials = credentials,
   Url = new Uri(exchangeUri)
}
service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, email);

So this method will not work anymore from October 13 2020, and we will have to use OAuth instead. I have read the MS documentation "Authenticate an EWS application by using OAuth": https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

I have registered my application in Azure AD, and got an Application Id. I guess I am supposed to use "Application permissions", and following code to get the token:

// Configure the MSAL client to get tokens
var app = ConfidentialClientApplicationBuilder
    .Create(ConfigurationManager.AppSettings["appId"])
    .WithAuthority(AzureCloudInstance.AzurePublic, ConfigurationManager.AppSettings["tenantId"])
    .WithClientSecret(ConfigurationManager.AppSettings["clientSecret"]).Build();

// The permission scope required for EWS access
var ewsScopes = new string[] { "https://outlook.office.com/.default" };

//Make the toekn request
AuthenticationResult authResult = await app.AcquireTokenForClient(ewsScopes).ExecuteAsync();

My questions:

  1. Is this the "correct" approach for me, or am I missing anything?
  2. Will current authentication still work for on premise servers (after October 13 2020)?
  3. Does OAuth authentication work for Exchange 2010?
  4. If so, how does our customers get the tentantId (I know where to find it for o365).
  5. What is TTL for the token?

Any help/suggestions are greatly appreciated.

Solution
    1. Yes the only thing that look to be missing is the X-MailboxAnchor header (you should be doing this also with Basic Auth)
    2. Yes OnPrem is unaffected by the changes being made in Office365
    3. No, OAuth will only work OnPrem for those that have configured Hybrid Modern Authentication see https://learn.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview (with Exchange there are certain CU requirements for 2013 and 2016). I would also suggest you read https://practical365.com/exchange-server/configure-hybrid-modern-authentication-for-exchange-server/
    4. TTL for an Access token is 60 minutes, if your application is going to be using the token for a long period of time one of weaknesses of the EWS Managed API is that it doesn't have a callback/event where you can check for Token expiration when it makes a server request. So you need to consider this in your code logic either by adding you own validation before any service calls, or look at modifying the github source and adding you own logic in the underlying code.