使用OAuth的Office 365 / EWS认证 [英] Office 365 / EWS Authentication using OAuth

问题描述

我试图登录到办公室365 Exchange Online的使用OAuth和EWS托管API。

I'm trying to log onto Office 365 Exchange Online using OAuth and EWS Managed API.

我能够使用连接到Office 365网站的API（REST ），所以我必须从Active Directory认证库（ADAL）有效的令牌。

I am able to use connect to the Office 365 Web API's (REST), so I do have a valid Token from the Active Directory Authentication Library (ADAL).

现在，我尝试使用EWS和TokenCredentials连接。

Now, I'm trying to connect using EWS and TokenCredentials.

中的代码是很容易的，我想：

The code is pretty easy, I think:

public static ExchangeService ConnectToServiceWithImpersonation(string token)
{
    var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);

    if (true)
    {
        service.TraceListener = new TraceListener();
        service.TraceFlags = TraceFlags.All;
        service.TraceEnabled = true;
    }

    var credentials = new TokenCredentials(token);

    service.Credentials = credentials;

    service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
    return service;
}

令牌是由ADAL，这反过来使用是示例代码生成Office 365的API工具 - 预览

The token is generated by ADAL, which in turn is from sample code using the "Office 365 API Tools - Preview"

// Obtain information for communicating with the service:
Office365ServiceInfo serviceInfo = Office365ServiceInfo.GetExchangeServiceInfo();
if (!serviceInfo.HasValidAccessToken)
{
    return Redirect(serviceInfo.GetAuthorizationUrl(Request.Url));
}

// Connect to Exchange
var service = ConnectToServiceWithImpersonation(serviceInfo.AccessToken);

Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);

在Folder.Bind电话，我得到一个401未经授权错误。 EWS跟踪给了我这样的：

On the Folder.Bind call, I get a 401 Unauthorized error. EWS Trace gives me this:

2014-04-06 12:06:39.2012 TRACE ExchangeWebServices: EwsResponseHttpHeaders -> <Trace Tag="EwsResponseHttpHeaders" Tid="11" Time="2014-04-06 10:06:39Z">
HTTP/1.1 401 Unauthorized
request-id: 01ba1ca9-2850-480a-9d65-ec55bfef8657
X-CasErrorCode: BadSamlToken
X-FEServer: AMSPR04CA018
Content-Length: 0
Cache-Control: private
Date: Sun, 06 Apr 2014 10:06:39 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic Realm=""
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

不幸的是，谷歌搜索并没有真正帮助小时，似乎没有被有关EWS和OAuth认证非常多的具体信息，我不知道如何进一步解决它，所以我希望任何人对如何得到它的工作一些建议。

Unfortunately, hours of googling did not really help, there does not seem to be very much specific information about EWS and OAuth authentication, and I have no idea how to further troubleshoot it, so I'm hoping that anyone has some advice on how to get it working.

推荐答案

TokenCredentials是不是在这个例子中使用正确的类。像贾森提到到位，其他原因。作为一个说明和使用这种和/或SAML令牌不会在Exchange Online中与EWS合作，以澄清。仅支持基于OAuth访问。为了使这项工作我们把EWS一OAuthCredentials类托管API。在你的代码可以在无功证书=新OAuthCredentials（标记）。请注意，EWS肥皂仅支持完全user_impersonation/完全访问用户邮箱的权利。如Calendar.Read颗粒许可仅可用于EWS休息的API。而完全邮箱访问需要一个管理员同意，从其他租户管理员可以同意，因为它是一个Web应用程序。如果你想开发一个本机应用程序，应用程序必须直接在上面注册，才能使用完全邮箱访问运行租客的应用程序。

TokenCredentials is not the right class to use in this example. Like Jason mentioned put in place for other reasons. As a note and to clarify using this and/or SAML tokens will not work in Exchange Online with EWS. Only OAuth based access is supported. To make this work we put a OAuthCredentials class in EWS Managed API. In your code you can "var credentials = new OAuthCredentials(token)". Be aware that EWS Soap only supports full "user_impersonation" / "full access to the users mailbox" rights. Granular permission such as Calendar.Read are only available with EWS Rest APIs. While "Full mailbox access" requires an admin to consent, admins from other tenants can consent as it is a web app. In case you want to develop a native app, the app has to be directly registered in the app of the tenant it runs in order to use "Full mailbox access".

这篇关于使用OAuth的Office 365 / EWS认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！