Tags: oauth, exchangewebservices

Problem with EWS functions after converting authentication to OAuth


I am converting some old code that was using basic authentication to use OAuth. The authentication seems to be working fine, but then functions that were working are now failing:

        Imports System
        Imports System.Threading.Tasks
        Imports Microsoft.Exchange.WebServices.Data
        Imports Microsoft.Identity.Client

        ' EWSClientId, EWSClientSecret, EWSTenantId, EWSScopes, EWSServerName and
        ' EmailAddressToScan are configuration values set elsewhere in the application.
        ' TraceListener is assumed to be the application's own ITraceListener implementation.
        Private Async Function OpenMailboxRoot() As Task(Of Folder)
            Dim mySession As New ExchangeService(ExchangeVersion.Exchange2016)

            ' Client credentials flow: the app authenticates as itself; no user signs in.
            Dim cca = ConfidentialClientApplicationBuilder.Create(EWSClientId).WithClientSecret(EWSClientSecret).WithTenantId(EWSTenantId).Build()
            Dim authResult = Await cca.AcquireTokenForClient(EWSScopes).ExecuteAsync()

            mySession.Credentials = New OAuthCredentials(authResult.AccessToken)

            mySession.TraceListener = New TraceListener
            mySession.TraceFlags = TraceFlags.All
            mySession.TraceEnabled = True

            ' With an app-only token the mailbox to act on must be named via impersonation.
            mySession.ImpersonatedUserId = New ImpersonatedUserId(ConnectingIdType.SmtpAddress, EmailAddressToScan)

            Try
                mySession.AutodiscoverUrl(EmailAddressToScan, AddressOf RedirectionCallback)
            Catch ex As Exception
                mySession.Url = New Uri(EWSServerName)
            End Try

            Dim rootfolder As Folder = Folder.Bind(mySession, WellKnownFolderName.MsgFolderRoot)
            Return rootfolder
        End Function

        ' Only follow Autodiscover redirects that point at an HTTPS endpoint.
        Private Function RedirectionCallback(redirectionUrl As String) As Boolean
            Return redirectionUrl.ToLower().StartsWith("https://")
        End Function

EWSScopes is https://outlook.office365.com/.default

EWSServerName is https://outlook.office365.com/ews/exchange.asmx

EmailAddressToScan is [email protected]

EWSClientId, EWSClientSecret and EWSTenantId contain the appropriate values

Authentication appears to work and I am seeing the token in the request headers, but the AutodiscoverUrl and Folder calls both fail. Other than adding the impersonation line, the code worked with basic authentication.

For AutodiscoverUrl I get an error of "The Autodiscover service couldn't be located".

I have headers of:

<Trace Tag="AutodiscoverRequestHttpHeaders" Tid="12" Time="2022-09-20 01:54:40Z">
POST /autodiscover/autodiscover.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/2.2.1.0
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImdXQ2g4b0hiQXRmdUM2bVJUSkh2YWZhdmIwUVRsQTFxbURyeHlaQmpvZ3ciLCJhbGciOiJSUzI1NiIsIng1dCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlMzY1LmNvbSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzgyYjNlMzdlLTgxNzEtNDg1ZC1iMTBiLTM4ZGFlN2VkMTRhOC8iLCJpYXQiOjE2NjM2Mzg1NTcsIm5iZiI6MTY2MzYzODU1NywiZXhwIjoxNjYzNjQyNDU3LCJhaW8iOiJFMlpnWUZoeW42SEEvTkxQT05XUElVdW1XUXFsQXdBPSIsImFwcF9kaXNwbGF5bmFtZSI6IkVYTy1UUklNU2VydmljZUFjY291bnRzIiwiYXBwaWQiOiIxNWFiNTRmYy04OTk2LTRkZGMtOGY2MS03ZWYxYTMxOTQ3MTMiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84MmIzZTM3ZS04MTcxLTQ4NWQtYjEwYi0zOGRhZTdlZDE0YTgvIiwib2lkIjoiYzI2YjM1MTEtZGI4Yy00OWIxLWIzMWMtZDYyN2RmMzdkYzgyIiwicmgiOiIwLkFVRUFmdU96Z25HQlhVaXhDemphNS0wVXFBSUFBQUFBQVBFUHpnQUFBQUFBQUFCQkFBQS4iLCJzaWQiOiJmNjY5NzlkMC0yMmI3LTRhNDYtOTVhYi1hODY0ZWU0NDEwODYiLCJzdWIiOiJjMjZiMzUxMS1kYjhjLTQ5YjEtYjMxYy1kNjI3ZGYzN2RjODIiLCJ0aWQiOiI4MmIzZTM3ZS04MTcxLTQ4NWQtYjEwYi0zOGRhZTdlZDE0YTgiLCJ1dGkiOiJmNUtuX3NUcWxrNnNoMWFUenBRREFBIiwidmVyIjoiMS4wIiwid2lkcyI6WyIwOTk3YTFkMC0wZDFkLTRhY2ItYjQwOC1kNWNhNzMxMjFlOTAiXX0.kl-Hl8HJ19rgeZGGXYaW8FrOOyt9xSuX2GXXERN9TFVkG0wttJacXYDC5fvGnWmQg86ACAPBReiT9zvX7xguNKPJdelhpwACMO4os3mB3GsjVmqqk3mAIXHZ0_75U77ReUEmvH_u1scppUlXnt-aM_yCLALp2NIkyqpE8BV3LTMNwoRsls5ya7M7i0HsIOBoezLScCAFDJy8WEfBi_yJjwOUEQdDLi0NEHs3qU9KA3t9KIDJTt4ZxlieO92mSr5OWJlgLGwFzqlxq-r5-rm1Z1fjDWJAq9IYvkqnB-BP-lpds1HX1LnuAS5_TtPRDAALJfskkwp5KdPj0uq9CKvT6g


</Trace>

The body is:

<Trace Tag="AutodiscoverRequest" Tid="12" Time="2022-09-20 01:54:40Z" Version="2.2.1.0">
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
      <a:RequestedServerVersion>Exchange2013_SP1</a:RequestedServerVersion>
      <wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
      <wsa:To>https://email.sydney.edu.au/autodiscover/autodiscover.svc</wsa:To>
    </soap:Header>
    <soap:Body>
      <a:GetUserSettingsRequestMessage xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover">
        <a:Request>
          <a:Users>
            <a:User>
              <a:Mailbox>[email protected]</a:Mailbox>
            </a:User>
          </a:Users>
          <a:RequestedSettings>
            <a:Setting>InternalEwsUrl</a:Setting>
            <a:Setting>ExternalEwsUrl</a:Setting>
          </a:RequestedSettings>
        </a:Request>
      </a:GetUserSettingsRequestMessage>
    </soap:Body>
  </soap:Envelope>
</Trace>

and the response is

<Trace Tag="AutodiscoverResponse" Tid="12" Time="2022-09-20 01:54:41Z">
Autodiscover service call failed with error 'The request failed. The remote server returned an error: (401) Unauthorized.'. Will try legacy service
</Trace>

<Trace Tag="AutodiscoverResponse" Tid="12" Time="2022-09-20 01:54:41Z">
Autodiscover service returned redirection URL 'https://www.sydney.edu.au/autodiscover/autodiscover.xml'.
</Trace>

<Trace Tag="AutodiscoverResponse" Tid="12" Time="2022-09-20 01:54:41Z">
Autodiscover service returned redirection URL 'https://email.sydney.edu.au/autodiscover/autodiscover.xml'.
</Trace>

For the Folder call I get an error of "The token contains not enough scope to make this call".

I have headers of:

<Trace Tag="EwsRequestHttpHeaders" Tid="12" Time="2022-09-20 01:55:21Z">
POST /ews/exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/2.2.1.0
Accept-Encoding: gzip,deflate
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6ImdXQ2g4b0hiQXRmdUM2bVJUSkh2YWZhdmIwUVRsQTFxbURyeHlaQmpvZ3ciLCJhbGciOiJSUzI1NiIsIng1dCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSIsImtpZCI6IjJaUXBKM1VwYmpBWVhZR2FYRUpsOGxWMFRPSSJ9.eyJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlMzY1LmNvbSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzgyYjNlMzdlLTgxNzEtNDg1ZC1iMTBiLTM4ZGFlN2VkMTRhOC8iLCJpYXQiOjE2NjM2Mzg1NTcsIm5iZiI6MTY2MzYzODU1NywiZXhwIjoxNjYzNjQyNDU3LCJhaW8iOiJFMlpnWUZoeW42SEEvTkxQT05XUElVdW1XUXFsQXdBPSIsImFwcF9kaXNwbGF5bmFtZSI6IkVYTy1UUklNU2VydmljZUFjY291bnRzIiwiYXBwaWQiOiIxNWFiNTRmYy04OTk2LTRkZGMtOGY2MS03ZWYxYTMxOTQ3MTMiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84MmIzZTM3ZS04MTcxLTQ4NWQtYjEwYi0zOGRhZTdlZDE0YTgvIiwib2lkIjoiYzI2YjM1MTEtZGI4Yy00OWIxLWIzMWMtZDYyN2RmMzdkYzgyIiwicmgiOiIwLkFVRUFmdU96Z25HQlhVaXhDemphNS0wVXFBSUFBQUFBQVBFUHpnQUFBQUFBQUFCQkFBQS4iLCJzaWQiOiJmNjY5NzlkMC0yMmI3LTRhNDYtOTVhYi1hODY0ZWU0NDEwODYiLCJzdWIiOiJjMjZiMzUxMS1kYjhjLTQ5YjEtYjMxYy1kNjI3ZGYzN2RjODIiLCJ0aWQiOiI4MmIzZTM3ZS04MTcxLTQ4NWQtYjEwYi0zOGRhZTdlZDE0YTgiLCJ1dGkiOiJmNUtuX3NUcWxrNnNoMWFUenBRREFBIiwidmVyIjoiMS4wIiwid2lkcyI6WyIwOTk3YTFkMC0wZDFkLTRhY2ItYjQwOC1kNWNhNzMxMjFlOTAiXX0.kl-Hl8HJ19rgeZGGXYaW8FrOOyt9xSuX2GXXERN9TFVkG0wttJacXYDC5fvGnWmQg86ACAPBReiT9zvX7xguNKPJdelhpwACMO4os3mB3GsjVmqqk3mAIXHZ0_75U77ReUEmvH_u1scppUlXnt-aM_yCLALp2NIkyqpE8BV3LTMNwoRsls5ya7M7i0HsIOBoezLScCAFDJy8WEfBi_yJjwOUEQdDLi0NEHs3qU9KA3t9KIDJTt4ZxlieO92mSr5OWJlgLGwFzqlxq-r5-rm1Z1fjDWJAq9IYvkqnB-BP-lpds1HX1LnuAS5_TtPRDAALJfskkwp5KdPj0uq9CKvT6g


</Trace>

A body of:

<Trace Tag="EwsRequest" Tid="12" Time="2022-09-20 01:55:21Z" Version="2.2.1.0">
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
      <t:RequestServerVersion Version="Exchange2013_SP1" />
      <t:ExchangeImpersonation>
        <t:ConnectingSID>
          <t:SmtpAddress>[email protected]</t:SmtpAddress>
        </t:ConnectingSID>
      </t:ExchangeImpersonation>
    </soap:Header>
    <soap:Body>
      <m:GetFolder>
        <m:FolderShape>
          <t:BaseShape>AllProperties</t:BaseShape>
        </m:FolderShape>
        <m:FolderIds>
          <t:DistinguishedFolderId Id="msgfolderroot" />
        </m:FolderIds>
      </m:GetFolder>
    </soap:Body>
  </soap:Envelope>
</Trace>

And the response header is:

<Trace Tag="EwsResponseHttpHeaders" Tid="12" Time="2022-09-20 01:55:21Z">
HTTP/1.1 403 
request-id: 616ab081-7eca-3eaa-830c-464f02f3b2b1
Alt-Svc: h3=":443",h3-29=":443"
X-CalculatedBETarget: SY4PR01MB6346.ausprd01.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 403
X-RUM-Validated: 1
x-ms-appId: 15ab54fc-8996-4ddc-8f61-7ef1a3194713
Restrict-Access-Confirm: 1
x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant"
X-BeSku: WCS6
X-DiagInfo: SY4PR01MB6346
X-BEServer: SY4PR01MB6346
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 403
X-FirstHopCafeEFZ: SYD
X-FEProxyInfo: SYBPR01CA0157.AUSPRD01.PROD.OUTLOOK.COM
X-FEEFZInfo: SYD
X-FEServer: SYBPR01CA0157
Content-Length: 0
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 20 Sep 2022 01:55:20 GMT
Set-Cookie: exchangecookie=ee75b36c72834812b81e7c7cb5ab2a23; expires=Wed, 20-Sep-2023 01:55:21 GMT; path=/; secure; HttpOnly
Server: Microsoft-IIS/10.0
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET


</Trace>

Can anyone provide me some direction as to what I am doing wrong or have not configured correctly?


Solution

  • You can't use the tokens from the client credentials flow with Autodiscover v1 (in EWS it requires impersonation, which isn't supported in Autodiscover). If all your users are in the cloud then it's a redundant call that can be removed, and you can just use the static well-known Office 365 EWS endpoint URI "https://outlook.office365.com/ews/exchange.asmx". If you have hybrid mailboxes and you need to detect whether a mailbox is on-prem or in the cloud, I would suggest you use Autodiscover v2, which is unauthenticated.

    The token that you're trying to use in GetFolder doesn't contain the scope/roles for EWS, e.g. if you take your token and decode it with jwt.io it doesn't contain any roles. An example of what you should see is:

    [screenshot not included]

    This most likely means you either didn't add the application permission "full_access_as_app" to the application registration (e.g. a common mistake is to add the delegated one) or it hasn't been consented to in the tenant.
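The two checks the answer describes, decoding the token to look for a `roles` claim and using the unauthenticated Autodiscover v2 lookup instead of v1, are language-independent, so here is an added example in Python (not code from the question or the answer). It decodes the JWT payload without verifying the signature, which is fine for a local sanity check of the claims Exchange Online looks at but is not token validation. The tokens and the Autodiscover reply are constructed for the example with placeholder ids; the `scp` value `EWS.AccessAsUser.All` and the v2 reply shape are assumptions about what a delegated token and a v2 response look like.

```python
"""Offline checks for an app-only EWS token and an Autodiscover v2 reply (added example)."""
import base64
import json
import time
from typing import Dict, List, Optional

# Resource that the scope https://outlook.office365.com/.default maps to in 'aud'.
EWS_RESOURCE = "https://outlook.office365.com"
# Application permission that must appear in 'roles' for app-only EWS calls.
EWS_APP_ROLE = "full_access_as_app"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> Dict:
    """Decode the payload segment of a compact JWT (header.payload.signature). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_app_token(token: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons EWS would reject this token for app-only access; empty means OK."""
    now = time.time() if now is None else now
    claims = jwt_payload(token)
    problems: List[str] = []
    aud = claims.get("aud")
    if aud != EWS_RESOURCE:
        problems.append(f"aud is {aud!r}, expected {EWS_RESOURCE!r} (wrong scope requested)")
    # A client-credentials token carries 'roles'; a delegated (user) token carries 'scp'.
    roles = claims.get("roles") or []
    if EWS_APP_ROLE not in roles:
        problems.append(f"roles={roles!r} lacks {EWS_APP_ROLE!r}: application permission "
                        "not on the app registration or not admin-consented")
    if "scp" in claims:
        problems.append(f"scp={claims['scp']!r}: this is a delegated token, not an app token")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired (exp={exp!r})")
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline tests only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


# Constructed claims in the shape of the question's token: placeholder ids, no 'roles'.
_BASE_CLAIMS = {
    "aud": EWS_RESOURCE,
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": 1663638557, "nbf": 1663638557, "exp": 1663642457,
    "appid": "11111111-1111-1111-1111-111111111111", "appidacr": "1", "ver": "1.0",
}
TOKEN_NO_ROLES = make_unsigned_token(_BASE_CLAIMS)
TOKEN_OK = make_unsigned_token({**_BASE_CLAIMS, "roles": [EWS_APP_ROLE]})
TOKEN_DELEGATED = make_unsigned_token({**_BASE_CLAIMS, "scp": "EWS.AccessAsUser.All"})  # assumed scp


def autodiscover_v2_url(smtp_address: str) -> str:
    """Unauthenticated Autodiscover v2 lookup for the EWS endpoint of a mailbox."""
    return ("https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/"
            f"{smtp_address}?Protocol=EWS")


def ews_url_from_autodiscover_v2(body: str) -> str:
    """Extract the EWS URL from an Autodiscover v2 JSON reply, refusing non-HTTPS endpoints."""
    data = json.loads(body)
    if data.get("Protocol") != "EWS" or not data.get("Url"):
        raise ValueError(f"unexpected Autodiscover v2 reply: {body}")
    url = data["Url"]
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing non-HTTPS EWS endpoint {url!r}")
    return url


# Constructed reply in the assumed shape of a v2 response for a cloud mailbox.
SAMPLE_V2_REPLY = '{"Protocol":"EWS","Url":"https://outlook.office365.com/EWS/Exchange.asmx"}'

if __name__ == "__main__":
    at = 1663640000  # between iat and exp of the constructed tokens
    for name, tok in [("no roles", TOKEN_NO_ROLES), ("ok", TOKEN_OK), ("delegated", TOKEN_DELEGATED)]:
        print(name, "->", check_ews_app_token(tok, now=at) or "usable")
    print(autodiscover_v2_url("user@example.com"))
    print(ews_url_from_autodiscover_v2(SAMPLE_V2_REPLY))
```

Run `check_ews_app_token` on the real access token from `authResult.AccessToken` before the first EWS call: a token with the question's claim set reports only the missing `full_access_as_app` role, which is exactly the 403 "not enough scope" condition, while a token that also carries `scp` points at the delegated-vs-application permission mix-up the answer mentions. The v2 helper refuses a non-HTTPS `Url` for the same reason the EWS Managed API's redirection callback should.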