ews-managed-api icon indicating copy to clipboard operation
ews-managed-api copied to clipboard

Published 20 hours ago verified publisher icon OfficeDev

InstallApp fails only with OAuth (Http 403)

Open ghost opened this issue 5 years ago • 4 comments

We have converted our application from using basic authentication to using OAuth. Everything is working fine, with the exception of InstallApp that should install our office addin to the users account. Even UnInstallApp works just fine with OAuth.

The exact same code works, if we switch from OAuth to Basic auth.

Request (replaced sensitive information with [...])

POST https://outlook.office365.com/ews/exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.00.0913.016
Accept-Encoding: gzip,deflate
X-AnchorMailbox: […]
Authorization: Bearer […]
Host: outlook.office365.com
Request-Id: |a4757b218bcffc4ebc55ff4fe285f8ed.7664445d_1.
Content-Length: 3478
Expect: 100-continue

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2015" />
    <t:DateTimePrecision>Milliseconds</t:DateTimePrecision>
    <t:ExchangeImpersonation>
      <t:ConnectingSID>
        <t:SmtpAddress>[…] </t:SmtpAddress>
      </t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:InstallApp>
      <m:Manifest>[…]</m:Manifest>
    </m:InstallApp>
  </soap:Body>
</soap:Envelope>

Response

HTTP/1.1 403 Forbidden
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 17319ceb-2449-42c4-9664-f42a0db1a0e6
X-CalculatedBETarget: HE1PR0302MB2620.eurprd03.prod.outlook.com
X-BackEndHttpStatus: 403
Set-Cookie: exchangecookie=14486433c0534867b71e9fc140b05abc; expires=Fri, 22-Nov-2019 14:14:45 GMT; path=/; HttpOnly
X-RUM-Validated: 1
x-ms-appId: […]
X-AspNet-Version: 4.0.30319
X-BeSku: Gen9
X-DiagInfo: HE1PR0302MB2620
X-BEServer: HE1PR0302MB2620
X-Powered-By: ASP.NET
X-FEServer: HE1PR06CA0152
Date: Thu, 22 Nov 2018 14:14:45 GMT
Content-Length: 0

@davster Can you confirm if there is an issue on your end?

ghost avatar Nov 23 '18 07:11 ghost

@JTvermose Did you figure this out? Having a similar issue for our app.

dsanghan avatar Jun 13 '19 08:06 dsanghan

@dsanghan No :-(

ghost avatar Jun 25 '19 04:06 ghost

@dsanghan

We eventually solved it by using the Behalf-of-Flow, which requires additional permissions to the Azure app and that the user signs in with their account and grants us permission. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

ghost avatar Jul 01 '19 05:07 ghost

@JTvermose Ok thanks, I'll try that out. Pretty frustrating when things don't work according to spec.

dsanghan avatar Jul 03 '19 12:07 dsanghan