[EWS] OAuth with Office365 on Android - invalid token

  • Question

  • Hi,

    I am trying to authenticate against Office365 EWS using OAuth. The application is registered on AzureAD.

    I am using OpenId AppAuth https://openid.github.io/AppAuth-Android/

    First step is to request a configuration from https://login.windows.net/common/v2.0/.well-known/openid-configuration which is retrieved successfully.

    I create an AuthRequest using the retrieved configuration, the client ID, response type Code, scope openid, a custom scheme as callback URL and a GUID as state.

    This returns the authorization response, which I use to perform the token request.

    This in turn returns an access token. I store it and try to call EWS with an HTTP POST using the header "Authorization" with the value "Bearer "+token.

    The Server returns

    Authentication error: Unable to respond to any of these challenges: 
    {
    	bearer = WWW - Authenticate: Bearer client_id = "00000002-0000-0ff1-ce00-000000000000",
    	trusted_issuers = "00000001-0000-0000-c000-000000000000@*",
    	token_types = "app_asserted_user_v1 service_asserted_app_v1",
    	authorization_uri = "https://login.windows.net/common/oauth2/authorize",
    	error = "invalid_token",
    	Basic Realm = "",
    	Basic Realm = ""
    }

    I have analyzed the token using jwt.io; I have replaced names etc. with xxx:

    {
    	"aud": "00000003-0000-0000-c000-000000000000",
    	"iss": "https://sts.windows.net/60db4d92-f407-4363-bc0f-de3220579986/",
    	"iat": 1542205360,
    	"nbf": 1542205360,
    	"exp": 1542209260,
    	"acct": 0,
    	"acr": "1",
    	"aio": "ASQA2/8JAAAAHLUth0oNkPDpy+jZYWEyxx30fw9rYQJET7Kw25Wk6to=",
    	"amr": [
    		"pwd"
    	],
    	"app_displayname": "xxx",
    	"appid": "xxx",
    	"appidacr": "0",
    	"family_name": "xxx",
    	"given_name": "xxx",
    	"ipaddr": "xxx",
    	"name": "xxx",
    	"oid": "d0ebb686-52d3-4cc6-b03c-33b846b8e7c3",
    	"onprem_sid": "S-1-5-21-4200451325-1002541976-2973016800-1620",
    	"platf": "1",
    	"puid": "10037FFEABDCD22B",
    	"scp": "Calendars.Read Calendars.Read.All Calendars.Read.Shared Calendars.ReadWrite Calendars.ReadWrite.All Calendars.ReadWrite.Shared Contacts.Read Contacts.Read.All Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.All Contacts.ReadWrite.Shared EAS.AccessAsUser.All Exchange.Manage full_access_as_user Group.Read.All Group.ReadWrite.All Mail.Read Mail.Read.All Mail.Read.Shared Mail.ReadWrite Mail.ReadWrite.All Mail.ReadWrite.Shared Mail.Send Mail.Send.All Mail.Send.Shared MailboxSettings.Read MailboxSettings.ReadWrite People.Read People.ReadWrite Tasks.Read Tasks.Read.Shared Tasks.ReadWrite Tasks.ReadWrite.Shared User.Read User.ReadBasic.All User.ReadWrite profile openid email",
    	"signin_state": [
    		"kmsi"
    	],
    	"sub": "PsPWDWDcWOXZkxBcoOB1rHy8s0B3FxeBZBWw0Sj5-mM",
    	"tid": "60db4d92-f407-4363-bc0f-de3220579986",
    	"unique_name": "xxx",
    	"upn": "xxx",
    	"uti": "NkmQfyGeCUSDfpXY3f8kAA",
    	"ver": "1.0",
    	"xms_st": {
    		"sub": "sAqaX7W-uJwqV7s47OjRR4HyIf6vO6udg3tDvAekv3U"
    	},
    	"xms_tcdt": 1398627050
    }


    According to https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/ a resource parameter is needed, but when I tried that the server returns that this is not supported, so I guess the article is outdated.

    Edit:

    In a related thread I have found the suggestion to try EWSEditor, and I am indeed able to authenticate EWSEditor using my client_id and redirect URL. I see that it has an additional field "Server Name".

    When I extract the token used by EWSEditor and check it on jwt.io, I see that the "aud" value is mapped to "https://outlook.office365.com", while the one from my app above has a GUID value or the like. The only other difference seems to be an empty enfpolids value.

    How do I add the "Server Name" value to my request?

    Edit2: If I try to leave the "Server Name" field empty in EWSEditor, it prompts an error that the "resource" parameter cannot be empty. Here is a screenshot from my simulator when I add the parameter: https://i.imgur.com/bKC7JcI.png

    • Edited by Simon Hain Wednesday, November 14, 2018 4:34 PM
    Wednesday, November 14, 2018 2:58 PM

All replies

  • 00000003-0000-0000-c000-000000000000 is the GUID for the Microsoft Graph. You should be using "https://outlook.office365.com" when requesting the token, not the Graph endpoints. You do have an app registered with permissions for Exchange Online, right?
    Wednesday, November 14, 2018 6:52 PM
  • You seem to be confusing the Azure v1 and v2 authentication endpoints https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison. E.g. in the beginning you're referring to v2, which means you would have to use a scope https://outlook.office365.com/EWS.AccessAsUser.All rather than a resourceURI; then you talk about EWSEditor, which uses the v1 endpoint, so it will use resourceURI. But the first thing you need to confirm is how you did the application registration, as a v2 application won't work against a v1 endpoint and vice versa. E.g. for v2 I would suggest using the portal preview https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

    Cheers
    Glen

    Thursday, November 15, 2018 1:05 AM
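    The two replies above both come down to the token's audience: EWS only accepts a bearer token whose "aud" is https://outlook.office365.com, and the GUID in the OP's token is Microsoft Graph. The following is an added example (not code from the thread or from AppAuth) that decodes a rejected token's payload locally and reports why EWS would answer invalid_token; the sample token it builds is constructed to mirror the OP's claims and carries a placeholder signature.

```python
import base64
import json
import time
from typing import List, Optional

# Audience EWS expects for a bearer token, and the GUID the OP's token carried
# (the Microsoft Graph app id, as identified in the replies above).
EWS_RESOURCE = "https://outlook.office365.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking the signature:
    this only inspects a token the server has already rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_ews_token(token: str, now: Optional[int] = None) -> List[str]:
    """List the reasons EWS would answer 'invalid_token' for this token."""
    claims = jwt_payload(token)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != EWS_RESOURCE:
        hint = " (that is Microsoft Graph)" if aud == GRAPH_APP_ID else ""
        problems.append(f"aud is {aud!r}{hint}; EWS expects {EWS_RESOURCE!r}")
    if "exp" in claims and now >= claims["exp"]:
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid")
    return problems

def make_sample_jwt(claims: dict) -> str:
    """Constructed sample token for local tests: placeholder signature, so no
    issuer or server would accept it; only the payload is meaningful."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"

# Constructed to mirror the OP's token: Graph audience, iat/exp from the post.
OP_LIKE_CLAIMS = {"aud": GRAPH_APP_ID, "iat": 1542205360, "nbf": 1542205360,
                  "exp": 1542209260, "scp": "Mail.Read", "upn": "xxx"}
```

    Running diagnose_ews_token on make_sample_jwt(OP_LIKE_CLAIMS) reports the Graph audience as the single problem; the same token with "aud" set to EWS_RESOURCE reports none.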
  • Thanks for the quick answers. I was indeed unaware of the difference between v1 and v2 authentication endpoints and EWSEditor using the first; I think we registered our app as v2.

    When I set the scope to https://outlook.office365.com/EWS.AccessAsUser.All I get an invalid_client error:
    The application asked for scope 'EWS.AccessAsUser.All' that doesn't exist on the resource

    Edit:

    I have found out that I can create my own app in Azure (portal.azure.com) without our administrator. I added the API permission 'EWS.AccessAsUser.All' as below, but still get an error.

    {"type":1,"code":1008,"error":"invalid_client","errorDescription":"AADSTS65005: The application 'TestApp' asked for scope 'EWS.AccessAsUser.All' that doesn't exist on the resource. Contact the app vendor.\r\nTrace ID: 44b7f020-bcd8-4416-8e93-63ea43664600\r\nCorrelation ID: 7cd869af-1c35-45ef-af7f-cbd037220ce5\r\nTimestamp: 2018-11-15 09:36:18Z"}


    Edit2:

    I have succeeded using the v1 endpoint (yay!). When I click on "Endpoints" in AzureAD there is a list of v1 and v2 endpoints. I still don't understand why I cannot use the v2 endpoint returned by the OpenID Connect metadata document, though.

    • Edited by Simon Hain Thursday, November 15, 2018 10:03 AM
    Thursday, November 15, 2018 9:05 AM