Javascript Add-in get token from C# MVC Web API through AAD

  • Question

  • Hello forum!

    I'm currently working on an Add-in for Outlook and came across this issue that I'm not sure how to solve.

    Structure

    I've made two instances in Azure Active Directory. One for my MVC Web API, and one for my Javascript Add-in. Within the Web API controller, I've put the filter [Authorize], as this is what most working examples do. I understand that this filter makes sure that you're logged into Office365 for it to work.

    I've published my MVC Web API to IIS on my local machine. Through the Javascript, I'm simply making an AJAX call to my service, like so:

    $.ajax({
        url: "https://localhost:30303/api/mail/SomeMethod",
        type: "POST",
        contentType: "application/json",
        data: JSON.stringify({
            'MailId': item.Id,
            'SpListGuid': guid
        }),
        headers: {
            // Token is sent as a bearer credential to the Web API
            'Authorization': 'Bearer ' + token
        }
    }).done(function(){
        //DO SOMETHING
    }).fail(function(err){
        // .fail() replaces the jqXHR .error() callback, which jQuery 3 removed
        console.log(err);
    });

    The variables are defined elsewhere. The guid variable is simply the GUID of a Sharepoint list. The item.Id is the ID of the mail chosen within Outlook. The token is retrieved in a whole other way.

    Here's how I get the token (Note: the token is not retrieved with an AJAX call, but simply by using the token that the user has been issued when logging into Outlook. I'm not sure whether this token can be used or not, but architecture-wise, this is where I believe that I need to get a valid token for the MVC Web API, and NOT use the one issued from Outlook?)

    var token = "";
    
    Office.context.mailbox.getUserIdentityTokenAsync(function(result){
        token = result.value;
    });

    Issue

    I am hitting the MVC Web API, just to make that clear, but I am getting an error though. If I take a look into my console of Google Chrome, I see the following error:

    Authorization has been denied for this request

    The access token IS placed inside the "Authorization" header, and the preflight HttpOptions request succeeds.

    I believe this is because the token isn't valid for the MVC Web API? Could anyone give some heads up on this issue, and eventually explain to me exactly what needs to be done in this situation? Do I even need the [Authorize] filter on my controller? Why, or why not?

    Appreciate any answers. Thank you.


    Monday, November 16, 2015 8:27 AM

All replies

  • Hi ChristianHaase,

    >> I'm not sure whether this token can be used or not
    What do you want to use with this token? Did you want to use this token to authenticate the user for logging in to the MVC web project, or do you want this token to call a web service in an MVC Web API method?

    >> I believe this is because the token isn't valid for the MVC Web API?
    Could you share with us more information about the token and your MVC Web API? I am not sure how you use the token with the MVC Web API.

    In my opinion, you could refer to the link below for information about using a token to call a web service.

    # Call a service from an Outlook add-in by using an identity token in Exchange
    https://msdn.microsoft.com/en-us/library/office/fp179806.aspx

    You could refer to the link below for information about using a token to authenticate the user.
    # Using OAuth2 to access Calendar, Contact and Mail API in Office 365 Exchange Online
    http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx

    Best Regards,

    Edward




    Tuesday, November 17, 2015 6:36 AM
  • Hello Edward.

    Thank you for your response to this question.

    >> What do you want to use with this token?

    I want my Javascript Outlook Add-in to be able to call my MVC Web API, without getting an error. Currently I'm getting: Authorization has been denied for this request.

    >> Could you share with us more information about the token and your MVC Web API? I am not sure how you use the token with the MVC Web API.

    I'd love to share more about the token, but the problem is that I'm still fairly new to Office 365 development (this is my first project, and my final project for my Computer Science education). So I can't really share more, as I'm in doubt about the token, and how to contact the MVC Web API from the Javascript.

    I'm currently looking into the identity token that you have provided. I'll make sure to update you on my progress.

    Tuesday, November 17, 2015 7:18 AM
  • UPDATE:

    I went ahead and removed the [Authorize] filter.

    I've managed to get the identity token like so from my Javascript Add-in:

    Office.context.mailbox.getUserIdentityTokenAsync(function (result) {
        var token = result.value;

        // The AJAX call to the service
        $.ajax({
            type: "POST",
            url: url,
            data: JSON.stringify({
                'UserEmail': Office.context.mailbox.userProfile.emailAddress,
                'MailId': item.itemId,
                'SpListGuid': guid
            }),
            headers: {
                "Authorization": "Bearer " + token,
                "WorkPoint365Url": baseEndpoint
            },
            contentType: "application/json"
        }).done(function () {
            console.log("Successfully hit the service");
        }).fail(function (err) {
            // .fail() replaces the jqXHR .error() callback, which jQuery 3 removed
            console.log("Error hitting the service");
            console.log(err);
        });
    });

    Now I'm just getting the following error from my service:

    AADSTS70002: Error validating credentials. AADSTS50013: Assertion audience claim does not match the required value.

    Tuesday, November 17, 2015 1:08 PM
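
The error in the update above is about the token's audience (`aud`) claim. As an added diagnostic example (not code from the thread), this Node.js snippet decodes a JWT payload without validating it and reports why an API expecting a given audience would reject it. The tokens are constructed and unsigned, and `API_AUDIENCE` and the add-in page URL are hypothetical values.

```javascript
// Added diagnostic example: inspect (NOT validate) a JWT to see who it was issued for.
// Decoding without signature verification is for troubleshooting only.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return { header: b64urlToJson(parts[0]), payload: b64urlToJson(parts[1]) };
}

// List the reasons an API that expects `expectedAudience` would reject this token.
function audienceProblems(token, expectedAudience, nowSeconds) {
  const { payload } = decodeJwt(token);
  // `aud` may be a single string or an array of strings.
  const audiences = [].concat(payload.aud === undefined ? [] : payload.aud);
  const problems = [];
  if (!audiences.includes(expectedAudience)) {
    problems.push("aud mismatch: token is for " + JSON.stringify(audiences) +
      ", API expects " + JSON.stringify(expectedAudience));
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) {
    problems.push("token expired or has no exp");
  }
  return problems;
}

// --- constructed sample tokens (unsigned; every value below is made up) ---
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(payload) + ".c2lnbmF0dXJl";
}
const NOW = 1447765000; // fixed clock so the output is reproducible
const API_AUDIENCE = "https://contoso.example/mail-api"; // hypothetical App ID URI of the Web API
// Shaped like an identity token scoped to the add-in page rather than to the API.
const identityToken = makeSampleToken({
  aud: "https://localhost:44300/AppRead/Home.html", iss: "exchange-placeholder", exp: NOW + 3600 });
// Shaped like an access token issued for the Web API itself.
const apiToken = makeSampleToken({
  aud: API_AUDIENCE, iss: "https://sts.example/tenant-placeholder/", exp: NOW + 3600 });

console.log(audienceProblems(identityToken, API_AUDIENCE, NOW)); // one aud mismatch entry
console.log(audienceProblems(apiToken, API_AUDIENCE, NOW));      // []
```

A decode like this only shows which claim is wrong; the API still has to verify signature, issuer, audience and lifetime on the server before trusting any token.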
  • Hi ChristianHaase,

    Based on your later thread, it seems everything is working. Has this issue been resolved? If this issue has been resolved, it would be appreciated if you could share your solution with us. If not, please feel free to let me know, and I will try to involve some senior engineers in this issue.

    Thanks for your understanding.

    Best Regards,

    Edward




    Wednesday, November 25, 2015 5:25 AM
  • Hello Edward and future readers.

    I did manage to resolve my issue, though I'm not sure this is the correct way to do it. The detailed solution can be found in this thread:

    Getting user assertion with access token from frontend

    Edward: Could you tell me if this is the correct solution to this issue? Or are there other, better solutions?

    Friday, November 27, 2015 8:13 AM