php-ews

Is There a Way to Request an Access Token?

Open chodges opened this issue 8 years ago • 12 comments

Hello:

I've been reading a ton of the questions/answers and I still can't determine 100% whether I can login my user (by using their email/password) and request an access token that I can use for subsequent requests and sessions.

I don't want to, and it's not good practice by any stretch, to store the users' usernames and passwords in my system.

I've used the Office 365 REST API and have been able to request the access token and use it. I'm just trying to duplicate this with the Exchange API.

If it helps, here is the scope of what I'm trying to do: I have a web app that needs to read/write things to the users' calendar, so I would like to allow the user to authenticate using their username/password, with my app receiving the access token that can be used for future queries.

Thanks for your help.

chodges avatar Nov 29 '16 00:11 chodges

This library doesn't currently support this method of authentication, as it's only available with Exchange Online. I would be open to any submitted patches, but I do not have this on my radar at this time.

jamesiarmes avatar Nov 29 '16 05:11 jamesiarmes

Okay understood. I guess I'm just trying to figure out how other people do this then? I surely hope they're not storing people's email addresses and passwords or forcing them to login each and every time they open an app.

chodges avatar Nov 29 '16 06:11 chodges

Hi @chodges

May I suggest you try my own ews library, garethp/php-ews, which does in fact come with support for fetching an access token and using that as authentication

Garethp avatar Nov 29 '16 09:11 Garethp

Hi @Garethp

Thanks yes I know of your library and I took a look at it. I think the problem that I'm facing is I'm attempting to connect to a hosted Exchange server that just does not have the token access method available.

chodges avatar Nov 29 '16 17:11 chodges

Hm... Is it the latest exchange version? What version are you running? And is your authentication maybe backed by Azure?

Garethp avatar Nov 29 '16 19:11 Garethp

Hi @Garethp

I'm not sure which version of Exchange it is. I'm building a custom CRM that needs to connect to people's Outlook to add/edit calendar events. So in reality I'm not going to always know which version of Exchange it is that they are running or if it's backed by Azure.

I do know that this is a third-party Exchange server running on their IT company's infrastructure, so it's not a direct Microsoft hosted account.

chodges avatar Nov 29 '16 20:11 chodges

Then unfortunately it's not possible. OAuth is the only token-based authentication that Exchange provides, and that's only available when the authentication is backed by Azure Directory Services. Exchange does also provide NTLM Authentication, so that people who are already logged in to their domain account don't have to log in again, but I've been struggling to find a way to make this work in PHP.

Your best option may either be to have the user give their password with each login, or have a master account that has impersonation rights, and store the password for that account in a secure manner.

Garethp avatar Nov 30 '16 10:11 Garethp

@Garethp I wouldn't have a problem using another technology (e.g. Javascript) to enable the user to log in and then grab the token but I haven't come across a way to do even that. I can always send the token over to the server for safe keeping.

chodges avatar Nov 30 '16 15:11 chodges

Created a feature request at jamesiarmes/php-ntlm#2 for this.

jamesiarmes avatar Dec 27 '16 18:12 jamesiarmes

@Garethp & @chodges, I have made some small changes in your ExchangeWebServicesAuth.php's fromUsernameAndPassword function as below. It worked as expected from my localhost, but I am yet to check on the production server.

Replace the existing return statement with the one below.

    return array(
        'curl' => array(
            CURLOPT_HTTPAUTH => CURLAUTH_NTLM,
            CURLOPT_UNRESTRICTED_AUTH => true,
            CURLOPT_USERPWD => ":"
        )
    );

I have also changed the MailAPI::withUsernameAndPassword parameters as below.

    $server = 'xxx.bbb.com';
    $username = '';
    $password = '';

    $api = MailAPI::withUsernameAndPassword($server, $username, $password);

I was able to see the sent mail in my actual display name. I think the empty ":" parameter for CURLOPT_USERPWD has taken the current user.

Reference Link: https://stackoverflow.com/questions/23522503/can-i-bypass-the-username-pw-using-curl-with-iis-windows-authentication-in-php

kiranraj5225 avatar May 25 '18 22:05 kiranraj5225
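
An added example, not part of the thread or of either library: the cURL options from the comment above beside a stricter variant. `CURLOPT_UNRESTRICTED_AUTH => true` tells libcurl to keep sending credentials when a followed redirect changes the host, and on Windows SSPI builds of libcurl `":"` authenticates as the account running the PHP process. The helper name `ntlmSsoCurlOptions`, the allowlist and the `mail.example.com` host are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not php-ews or garethp/php-ews code).
 * Returns cURL options for NTLM single sign-on, limited to trusted hosts.
 */
function ntlmSsoCurlOptions(string $server, array $allowedHosts): array
{
    // Only hand NTLM credentials to hosts that are explicitly trusted.
    $host = strtolower($server);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException("Host not in allowlist: {$server}");
    }

    return [
        CURLOPT_HTTPAUTH          => CURLAUTH_NTLM,
        // Empty user and password: an SSPI build of libcurl uses the
        // credentials of the account the PHP process runs as.
        CURLOPT_USERPWD           => ':',
        // The posted snippet sets this to true, which lets credentials
        // follow a redirect to a different host. Keep it off.
        CURLOPT_UNRESTRICTED_AUTH => false,
        // Do not follow redirects at all for authenticated EWS calls.
        CURLOPT_FOLLOWLOCATION    => false,
        // HTTPS only, with certificate and hostname verification.
        CURLOPT_PROTOCOLS         => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER    => true,
        CURLOPT_SSL_VERIFYHOST    => 2,
    ];
}

// Constructed sample values; replace with the real Exchange host.
$allowed = ['mail.example.com'];

$ch = curl_init('https://mail.example.com/EWS/Exchange.asmx');
curl_setopt_array($ch, ntlmSsoCurlOptions('mail.example.com', $allowed)
    + [CURLOPT_RETURNTRANSFER => true]);
// curl_exec($ch) would send the request; omitted so the example runs offline.
echo "options applied for mail.example.com\n";

try {
    ntlmSsoCurlOptions('other.example.net', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On a web server the process account is the service identity PHP runs under, not the visitor's, so every request made this way carries that one identity.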

@Garethp have you considered merging your improvements back into @jamesiarmes's repo? There is another fork that also has OAuth support: https://github.com/barracudanetworks/php-ews. I am trying to figure out if it is worth trying to rebase that repo and create a PR.

ablyler avatar Aug 02 '18 18:08 ablyler

@ablyler I had a PR open at the beginning, but at that point James was busy with other things. In the end our projects grew too far apart to really merge in. We discussed it, but our libraries are trying to solve separate problems and achieve separate goals. At this point my library won't be easily merged in.

I can't really comment on whether or not it would be worth it for you to change what repo you're using

Garethp avatar Aug 03 '18 11:08 Garethp