Mail App : How to Get Token From STS RRS feed

  • Question

  • Hi Guys,

    We are trying to create a Outlook Mail App , it will be querying to the Web Api services /REST which are secured by Passive Authentication. (STS)

    Now the question is , how this scenario is generally achieved?

    How can I get the token from STS and pass it in the authorization header of web service call? or is there any different way to achieve this?

    Any pointers will be really helpful.

    Thanks in advance.

    Bhushan | http://www.passionatetechie.blogspot.com | http://twitter.com/BhushanGawale

    Wednesday, April 17, 2013 12:08 PM

All replies

  • With jQuery you can set request headers like

        url: "/test",
        headers: {"X-Test-Header": "test-value"}

    And to read headers

        complete: function(resp){

    Anze Javornik

    Wednesday, April 17, 2013 8:08 PM
  • Thanks Anze for the reply.

    Yes , I know about how we can pass the values in the request header using jQuery service call , but the question is how to get the SWT token from STS ? once I have the token I can pass it to the service using the way you suggested.

    Any idea about that?

    Bhushan | http://www.passionatetechie.blogspot.com | http://twitter.com/BhushanGawale

    Friday, April 19, 2013 6:52 AM
  • This thread seams to be similar to the problem you are having, so you might want to check if it has any helpful ideas (is also yet unanwsered) http://social.msdn.microsoft.com/Forums/en-US/appsforoffice/thread/129b5185-1434-4405-80d0-69b205cda8d6

    Anze Javornik

    Monday, April 22, 2013 9:00 PM
  • Hi Bhushan,

    Would you please post the code for making the WCF call with SWT token using jQuery? I am trying to make a call from Office excel app to a Azure hosted WCF service secured using ACS. I have tried setting the headers as suggested by Anze with "wrap_name", "wrap_password" and "wrap_scope" but I don't see the response getting me the data I need.




    Tuesday, April 30, 2013 1:32 AM
  • Since this is a cross domain call are you using jsonp or cors? Does the web service support cross domain calls with jsonp or cors?

    If not, then you need to add this support to the web service. If the web service is not under your contorl then write your own web service with jsonp or cors support which will proxy the azure hosted one.

    Anze Javornik

    Thursday, May 2, 2013 8:53 AM
  • I was using jsonp. However after looking up for more details on setting the Authorization header, I see many posts talking about it being not possible to set headers for jsonp, so I started exploring CORS. I do have control over the WCF service and I have made it CORS enabled by following this (http://enable-cors.org/server_wcf.html) link and I set the headers in my ajax call as headers: { 'Authorization': 'WRAP access_token=\"' + token + '\"' }.

    I have used http://msdn.microsoft.com/en-us/library/hh289317.aspx link to secure the WCF service which has a validator(C# class) validating the swt token (I am just replacing the C# console in that post with Office Web Excel App). So when the C# validator tries to read the Authorization header (string headerValue = HttpContext.Current.Request.Headers.Get("Authorization");), the value is empty. On monitoring the request in fiddler, I see the Auth header empty. I do see it under Access-Control-Request-Headers: accept, authorization but I am unable to get the value of the token passed.


    Thursday, May 2, 2013 7:20 PM
  • So the request beeing made by ajax does not contain header Authorization or is it just empty value?

    Anze Javornik

    Thursday, May 2, 2013 8:05 PM
  • No. It does not contain Authorization header. When I look into the fiddler for the outgoing request to WCF call, I see "No Proxy-Authorization Header is present." and "No Authorization Header is present." under the Auth tab. When I have a debug point in C# for line string headerValue = HttpContext.Current.Request.Headers.Get("Authorization"), the value is null there.
    Thursday, May 2, 2013 9:25 PM
  • Can you post javascript code for the ajax call.

    Anze Javornik

    Thursday, May 2, 2013 9:34 PM
  • Here is the ajax call code.

                     type: 'GET',
                     url: '{myUrl}',
                     data: '{}',
                     headers: { 'Authorization': 'WRAP access_token=\"' + token + '\"' },
                     success: function (response) {
                     error: function (err) {
                     complete: function (xhr, status) {
                         onComplete(xhr, status);

    I have also triedthe following ways for setting the header
    1.  headers: {'Authorization': 'WRAP access_token=\"' + token + '\"'}
    2.  beforeSend:  function(xhr) {
                       xhr.setRequestHeader('Authorization', 'WRAP access_token=\"' + token + '\"');}
    3.  $.ajaxSetup({
               headers: { 'Authorization': 'WRAP access_token=\"' + token + '\"' }
    4.  $.ajaxSetup({
               beforeSend: function (xhr) {
                    xhr.setRequestHeader('Authorization', 'WRAP access_token=\"' + token + '\"'); }

    Thursday, May 2, 2013 9:50 PM
  • Thanks guys for your replies on this.

    The problem here is not about making the call and passing the header information , but is about getting the SAML / SWT / JWT token from STS. So is there any way to get token from STS using mail app?

    Bhushan | http://www.passionatetechie.blogspot.com | http://twitter.com/BhushanGawale

    Wednesday, May 8, 2013 5:31 AM
  • The thread i linked, which is also dealing with the same issue, appears to have a link to a server side solution . Can this maybe apply for your problem? Create a web service with code from the link and use it to get the token.

    Anze Javornik

    Wednesday, May 8, 2013 7:14 AM
  • Thanks Anze. That was the approach I tried out to have a WCF service returning me the token. But since it is a WCF service which can be accessed by any one, implementing security becomes a must, so that only the application that you intend to use can get the token.

    Wednesday, May 8, 2013 4:40 PM
  • There are ways to secure it. For example you could use Apps for Office security (the et parameter). If you are using this with app hosted on IIS then you could implement CORS security aswell by allowing calls to the web service only from that domain.

    Anze Javornik

    Wednesday, May 8, 2013 4:53 PM