Office 365 / EWS Authentication using OAuth


Problem description

I'm trying to log onto Office 365 Exchange Online using OAuth and EWS Managed API.

I am able to connect to the Office 365 Web APIs (REST), so I do have a valid token from the Active Directory Authentication Library (ADAL).

Now, I'm trying to connect using EWS and TokenCredentials.

The code is simple, I think:

public static ExchangeService ConnectToServiceWithImpersonation(string token)
{
    var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);

    if (true)
    {
        service.TraceListener = new TraceListener();
        service.TraceFlags = TraceFlags.All;
        service.TraceEnabled = true;
    }

    var credentials = new TokenCredentials(token);

    service.Credentials = credentials;

    service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
    return service;
}

The token is generated by ADAL, which in turn is from sample code using the "Office 365 API Tools - Preview".

// Obtain information for communicating with the service:
Office365ServiceInfo serviceInfo = Office365ServiceInfo.GetExchangeServiceInfo();
if (!serviceInfo.HasValidAccessToken)
{
    return Redirect(serviceInfo.GetAuthorizationUrl(Request.Url));
}

// Connect to Exchange
var service = ConnectToServiceWithImpersonation(serviceInfo.AccessToken);

Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);

On the Folder.Bind call, I get a 401 Unauthorized error. EWS Trace gives me this:

2014-04-06 12:06:39.2012 TRACE ExchangeWebServices: EwsResponseHttpHeaders -> <Trace Tag="EwsResponseHttpHeaders" Tid="11" Time="2014-04-06 10:06:39Z">
HTTP/1.1 401 Unauthorized
request-id: 01ba1ca9-2850-480a-9d65-ec55bfef8657
X-CasErrorCode: BadSamlToken
X-FEServer: AMSPR04CA018
Content-Length: 0
Cache-Control: private
Date: Sun, 06 Apr 2014 10:06:39 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic Realm=""
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

Unfortunately, hours of googling did not really help, there does not seem to be very much specific information about EWS and OAuth authentication, and I have no idea how to further troubleshoot it, so I'm hoping that anyone has some advice on how to get it working.

Recommended answer

TokenCredentials is not the right class to use in this example. Like Jason mentioned, it was put in place for other reasons. As a note and to clarify, using this and/or SAML tokens will not work in Exchange Online with EWS. Only OAuth based access is supported. To make this work we put an OAuthCredentials class in EWS Managed API. In your code you can use "var credentials = new OAuthCredentials(token)". Be aware that EWS SOAP only supports full "user_impersonation" / "full access to the users mailbox" rights. Granular permissions such as Calendar.Read are only available with EWS Rest APIs. While "Full mailbox access" requires an admin to consent, admins from other tenants can consent as it is a web app. In case you want to develop a native app, the app has to be directly registered in the app of the tenant it runs in order to use "Full mailbox access".
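
The change described in the answer, as an added example that is not part of the original question or answer: the question's connection routine with OAuthCredentials in place of TokenCredentials, plus a helper that reports the X-CasErrorCode response header when the bind fails. The class and method names (EwsOAuthExample, ConnectWithOAuth, TryBindInbox) are hypothetical, and accessToken is assumed to be an OAuth access token obtained through ADAL as in the question.

```csharp
using System;
using System.Net;
using Microsoft.Exchange.WebServices.Data;

// Hypothetical wrapper class for this example.
public static class EwsOAuthExample
{
    // Same endpoint and schema version as the question's code, but the token
    // is wrapped in OAuthCredentials (the class the answer names).
    public static ExchangeService ConnectWithOAuth(string accessToken)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
        service.Credentials = new OAuthCredentials(accessToken);
        service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");

        // Response headers alone are enough to see X-CasErrorCode, so the
        // trace is narrowed from TraceFlags.All to that one flag.
        service.TraceFlags = TraceFlags.EwsResponseHttpHeaders;
        service.TraceEnabled = true;
        return service;
    }

    // Binds to the inbox. On an HTTP-level failure, returns the status code
    // and the X-CasErrorCode header (BadSamlToken in the question's trace).
    public static string TryBindInbox(ExchangeService service)
    {
        try
        {
            Folder inbox = Folder.Bind(service, WellKnownFolderName.Inbox);
            return "OK: " + inbox.DisplayName;
        }
        catch (ServiceRequestException ex)
        {
            // The HTTP-level WebException, when present, is the inner exception.
            var web = ex.InnerException as WebException;
            var response = web != null ? web.Response as HttpWebResponse : null;
            if (response == null)
            {
                return "Request failed: " + ex.Message;
            }
            string cas = response.Headers["X-CasErrorCode"] ?? "(none)";
            return string.Format("HTTP {0}, X-CasErrorCode: {1}",
                (int)response.StatusCode, cas);
        }
    }
}
```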
