attaching ws-security tokens (issued by microsoft online federation gateway) to API calls RRS feed

  • Question

  • shows how my thick client gets an access token - for use at an Exchange Online tenant. The process is largely identical to what typical library calls do. Of most importance is the fact that the token issued by the Online gateway is suitably prepped with the proof keys/tokens required to pass the API guards.

    Using the Exchange Managed API classes, how to I attach these tokens so the SOAP requests minted by the library use them as the (api) credentials?

    I note

    Can I just assign an instance to the ExchangeSErvice credentials property?

    When constructing it, and supplying the string form of the security token, does it expect a serialized GenericXMLSEcurity (security)token or a string-encoding of the XML of a specific assertion class/token (such as SAML1.1 assertion)?

    Sunday, July 21, 2013 12:16 AM

All replies

  • I managed to make things work, as discussed at

    basically, I have my WCF client to an OAUTH handshake (firing up  IE to complete that web page and ws-fedp style experience). The IDP releases both JSON and SAML assertions to the client (as it completes the OAUTH auth code grant handshake). The XAML process is now free to use the Exchange Managed API (to do mailbox things, using the customer's  Office 365 subscription). Using the bearer (XML) token obtained via OAUTH, I could exchange this by using the Microsoft online STS to get a token usable at the API's /wssecurity endpoint.

    Why this is not properly documented and widely used... I don't know. Surely, ANY one writing a thick client that is intended for enterprise use will, these days, want to integrat with the customer's Office 365 backend. And this means using the Exchange and SharePoint APIs!

    Monday, July 22, 2013 4:26 AM