Question
Last week I made a question in here about EWS, where I got the error message saying:
401: Unauthorized - Invalid access token
I managed to resolve this error by using an X.509 certificate instead of client credentials (client id and client secret from AAD). Now, with the use of the certificate, I receive a new error message saying:
403: Forbidden - not enough scopes
I believe this has something to do with the permissions in AAD?
My permissions are as follows (only one permission):
Application Permissions: Read and write email from all mailboxes
How I'm receiving the access token:
// Load the certificate from the file path (certFile) with its password (certPassword), using the MachineKeySet
X509Certificate2 cert = new X509Certificate2(certFile, certPassword, X509KeyStorageFlags.MachineKeySet);
// Create the ClientAssertionCertificate from the clientID and the certificate
ClientAssertionCertificate cac = new ClientAssertionCertificate(clientID, cert);
// Retrieve the access token for the resource (serverName) using the client assertion
authenticationResult = authenticationContext.AcquireToken(serverName, cac);
// Previous attempt with client credentials (client id + secret), which gave the 401:
//authenticationResult = authenticationContext.AcquireToken(serverName, cc);
ExchangeService exchange = new ExchangeService(ExchangeVersion.Exchange2013);
exchange.Url = new Uri(serverName + "ews/exchange.asmx");
exchange.TraceEnabled = true;
exchange.TraceFlags = TraceFlags.All;
exchange.Credentials = new OAuthCredentials(authenticationResult.AccessToken);
When calling the FindItems method like so:
ItemView view = new ItemView(5);
view.PropertySet = new PropertySet(BasePropertySet.IdOnly);
var tempId = id.Replace('-', '/').Replace('_', '+');
SearchFilter.IsEqualTo searchid = new SearchFilter.IsEqualTo(ItemSchema.Id, tempId);
// This results in a FindItem call to EWS.
FindItemsResults<Microsoft.Exchange.WebServices.Data.Item> results = exchange.FindItems(WellKnownFolderName.Inbox, searchid, view);
The error appears.
Could someone explain what could cause this sort of error?
Answer 1:
Only Office 365 REST APIs support granular access such as "Read and write email from all mailboxes". For EWS, you need the permission "Use Exchange Web Services with full access to all mailboxes". Let us know if you have trouble finding this permission.
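As an added diagnostic example (not code from the question or either answer): before handing a token to EWS, decode its claims and check that it carries the EWS application role rather than only the granular mail role. It assumes the claim value `full_access_as_app` for "Use Exchange Web Services with full access to all mailboxes" and `Mail.ReadWrite` for "Read and write email from all mailboxes"; the sample tokens are constructed and unsigned.

```python
import base64
import json

# Role claim that the EWS "full access to all mailboxes" application permission
# is assumed to put in an app-only token (assumption, not taken from the page).
EWS_FULL_ACCESS_ROLE = "full_access_as_app"
EWS_RESOURCE = "https://outlook.office365.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.
    Diagnostic use only: Exchange, not this code, validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_app_token(token: str) -> list:
    """List reasons EWS would answer 403 for an app-only token (empty = looks usable)."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud", "")
    if aud.rstrip("/") != EWS_RESOURCE.rstrip("/"):
        problems.append(f"audience {aud!r} is not the EWS resource {EWS_RESOURCE!r}")
    roles = claims.get("roles", [])
    if EWS_FULL_ACCESS_ROLE not in roles:
        problems.append(f"roles {roles!r} lack {EWS_FULL_ACCESS_ROLE!r}; "
                        "granular mail roles only work for the REST API, not EWS")
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: the first mirrors the question's setup (only the
# granular mail role), the second carries the EWS permission from Answer 1.
REST_ONLY_TOKEN = _make_unsigned_token({"aud": EWS_RESOURCE, "roles": ["Mail.ReadWrite"]})
EWS_OK_TOKEN = _make_unsigned_token({"aud": EWS_RESOURCE, "roles": [EWS_FULL_ACCESS_ROLE]})

if __name__ == "__main__":
    for name, tok in (("REST-only", REST_ONLY_TOKEN), ("EWS", EWS_OK_TOKEN)):
        print(name, check_ews_app_token(tok) or "ok")
```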
Answer 2:
OAuth flow doesn't assume X509Certificate2 authentication. You should register the multitenant application in your AAD (where Exchange Online is available). The following 3 delegated permissions are required to access a mailbox when you authenticate via OAuth:
- Read Mail
- Read Calendar
- Access mailboxes as the signed-in user via Exchange Web Services
To grant access to your application, the user should be redirected to https://login.microsoftonline.com/common/oauth2/authorize (with the corresponding parameters). When the permissions are granted, you receive the response with the authorization code, which should be exchanged for access/refresh tokens:
// Client id and key of the registered app
ClientCredential credential = new ClientCredential(clientId, appKey);
AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/common", false);
// Redirect URI must match the one used in the authorize request
var url = new Uri(Request.Url.GetLeftPart(UriPartial.Path));
// Exchange the authorization code for tokens scoped to the Exchange Online resource
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
    code, url, credential, "https://outlook.office365.com/");
where clientId and appKey are the parameters of the registered app, and code is the authorization code received from the OAuth response.
Source: https://stackoverflow.com/questions/33302703/ews-error-message-403-forbidden-not-enough-scopes