401尝试从EWS托管API发送电子邮件时未经授权 [英] 401 Unauthorized when trying to send emails from EWS Managed API

问题描述

好，所以我正在开发一个插件，该插件必须自动将电子邮件发送给其他人.我知道office-js无权这样做，并且我已经开始使用EWS托管API.我已经实现了SSO令牌，并且获得了:

Ok so I am developing an addin which must automatically send emails to others. I know that office-js does not have permissions to do so and I have started using EWS Managed API. I have implemented SSO token and I get it with:

Office.context.auth.getAccessTokenAsync()

获得令牌后，我将对拥有EWS托管API的服务器进行请求调用，并尝试发送包含以下代码的电子邮件:

After I get the token I make a request call to my server where I have my EWS Managed API and try to send an email with the folowing code:

ExchangeService exService = new ExchangeService();
exService.Url = new Uri(ewsUrl);
ExchangeCredentials credentials = new OAuthCredentials(ssoToken);
exService.Credentials = credentials;
EmailMessage emailMessage = new EmailMessage(exService);

当我呼叫emailMessage.SendAndSaveCopy();时，它会引发401错误.

When I call emailMessage.SendAndSaveCopy(); it throws 401 Error.

如果我确实使用WebCredentials(user, pass)而不是OAuthCredentials(ssoToken)，它将起作用.我不明白为什么(我在Azure Portal上也设置了权限)

If I do use WebCredentials(user, pass) instead of OAuthCredentials(ssoToken) it does work. I do not understand why (I also have set permissions on Azure Portal)

推荐答案

融合应用与旧版注册

您必须通过 https://创建的必须创建的SSO(单点登录)应用程序apps.dev.microsoft.com .在此处创建融合应用程序-允许被许可方使用其Outlook.com帐户或组织帐户(较新的方式)登录.

Converged apps vs Old registrations

The SSO (Single Sign on) app that you had to create, needed to be created through https://apps.dev.microsoft.com. This was where you create the converged apps - which allows the consented parties to sign-in with their Outlook.com accounts or the organizational accounts (which is the newer way).

但是EWS没有使用它. EWS使用的是较早的创建应用程序的身份验证方法，这是您需要通过Azure门户-通过AAD应用程序注册进行的操作.有关EWS身份验证的更多文档，请参见: https://docs.microsoft.com/zh-cn/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange

However EWS is not using this. EWS is using the authentication method of older way of creating apps, which is what you need to do through Azure Portal - through AAD App registrations. More documentation on authentication of EWS here: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange

因此，基本上，您检索到的OAuth访问令牌可用于查询Microsoft Graph(作为示例)，但是您不能使用它来调用EWS.

So basically, the OAuth access token which you've retrieved can be used to query Microsoft Graph (as an example) but you can't use that to call EWS.

此创建的一个非常重要的区别是EWS(顾名思义，Exchange Web Services)仅是组织帐户.您不能为Outlook.com用户使用该API.

One very significant difference this creates is EWS is (as the name suggests, Exchange Web Services) is organizational accounts only. You can't use that API for the Outlook.com users.

• 如果您使用的是SSO框架，那么您将被锁定为新的应用程序注册方式.您可以从Outlook.com/或组织帐户对用户进行身份验证.您可以访问Microsoft Graph和其他类似资源-但不能访问EWS.
• 如果要使用EWS，则无法对Outlook.com用户进行身份验证.而且您无法获得可以通过SSO调用EWS的令牌.

• If you're using SSO framework, you are locked to the new way of app registrations. You can authenticate users from Outlook.com / or organizational accounts. You can access Microsoft Graph and other similar sources - but not EWS.
• If you want to use EWS - you can't authenticate Outlook.com users. And you can't get the token which you can call EWS through SSO.

• 使用您检索的访问令牌(如果您请求正确的作用域)，您仍然可以发送邮件-并且您的解决方案也可以与Outlook.com用户一起使用.检查图形API: https://docs.microsoft.com/zh-cn/graph/api/resources/mail-api-overview?view=graph-rest-1.0
• 如果您坚持使用EWS，则可以放弃访问令牌调用并使用makeEwsRequestAsync方法.这将要求您使用JavaScript编写SOAP，但是它可以工作.
• 如果您不喜欢JS中的SOAP(我完全理解)的想法，但仍然想通过C#代码使用EWS，则应该放弃使用SSO框架.而是使用OAuth通过Dialog API通过Dialog API对用户进行身份验证，以对您的AAD应用进行注册(不是融合模型，而是通过Azure门户进行注册)

• With the access token that you retrieve (if you request the correct scopes) you can still send mail - and your solution would also work with Outlook.com users. Check the Graph API: https://docs.microsoft.com/en-us/graph/api/resources/mail-api-overview?view=graph-rest-1.0
• If you insist on using EWS, you can drop the access token call and use the makeEwsRequestAsync method. This will require you to write SOAP in javascript but it works.
• If you dislike the idea of SOAP in JS (which I completely understand) and still want to use EWS through your C# code, you should drop using the SSO framework. Instead authenticate the user through the Dialog API using OAuth against your AAD App registration (Not the converged model, but registration through the Azure Portal)

这篇关于401尝试从EWS托管API发送电子邮件时未经授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！