Office365 EWS API : The token has invalid value 'roles' for the claim type ''

Submitted by 柔情痞子 on 2019-12-12 03:49:30

Question


I'm trying to access the Office365 REST API using OAuth2: http://msdn.microsoft.com/en-US/library/office/dn605901.aspx

I followed all the steps described here: http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx

I have an OAuth2 token for resource "https://outlook.office365.com/" but when I try to access the API I get the following error:

"The token has invalid value 'roles' for the claim type ''."

I successfully manage to access Windows Azure AD "Graph" API using the same logic and I haven't seen anything related to a "claim" anywhere in the doc. Am I missing something?

So far I have tried to add or remove the prompt=admin_consent from the authorization uri, which triggers the proper dialog from microsoft but that doesn't change anything.

I'm sending request to following endpoint:

https://outlook.office365.com/EWS/OData/Me/Inbox/Messages

And this is the raw response:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.0
request-id: b5b3df59-c23d-4a47-83b7-79c2f7ed6211
Set-Cookie: ClientId=OGLQDFMY0KPSRZSMJBA; expires=Fri, 07-Aug-2015 14:00:33 GMT; path=/; HttpOnly
X-CalculatedBETarget: dm2pr0701mb1216.namprd07.prod.outlook.com
x-ms-diagnostics: 2000001;reason="The token has invalid value 'roles' for the claim type ''.";error_category="invalid_token"
X-DiagInfo: DM2PR0701MB1216
X-BEServer: DM2PR0701MB1216
X-AspNet-Version: 4.0.30319
Set-Cookie: exchangecookie=17695b411d96429b9a2e2db37905b856; expires=Fri, 07-Aug-2015 14:00:35 GMT; path=/; HttpOnly
Set-Cookie: X-BackEndCookie=OrganizationAnchor@cleverage.onmicrosoft.com=u56Lnp2ejJqBnZqdm8zIm8bSzMnNyNLLz52a0sfGx8zSy8nHm53Myc+anMqcgZyTmomajZ6YmtGQkZKWnI2QjJCZi9GckJKBzc/Oy9LPxtLPyavOy8XPz8XMyg==; expires=Sat, 06-Sep-2014 14:00:35 GMT; path=/EWS; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: AMSPR02CA0019
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
Date: Thu, 07 Aug 2014 14:00:34 GMT
Connection: close
Content-Length: 0

Just for your information, I'm developing a Symfony2 app using the "lusitanian/oauth" library for OAuth with a few tweaks to connect to Azure AD.

I will be very grateful with any help one can provide :)

[EDIT]

The API works fine with Basic HTTP Auth by the way, but it would force me to store all the users' passwords in clear text in my database, which is quite horrible.

The delegated permissions for Office 365 Exchange Online in the Azure backend are set to 3 (read contacts, calendar and mails)


Answer 1:


Thanks a lot for your answer, the permissions for both Exchange and Sharepoint are set to list and read in the Azure backend so it should be ok...

I decoded the token and got that:

{
 "typ": "JWT",
 "alg": "RS256",
 "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
 "aud": "https://outlook.office365.com/",
 "iss": "https://sts.windows.net/<tenant>/",
 "iat": 1407766971,
 "nbf": 1407766971,
 "exp": 1407770871,
 "ver": "1.0",
 "tid": "<tenant>",
 "oid": "996481f3-9769-4e02-ab1c-8c4c006da659",
 "sub": "996481f3-9769-4e02-ab1c-8c4c006da659",
 "idp": "https://sts.windows.net/<tenant>/",
 "appid": "<client>",
 "appidacr": "1"
}

It doesn't exactly look like what we expected.

I have a few ideas that I want to test and I will post the results.

[EDIT]

The token that I get using the Graph API looks the same and it's working fine:

{
    "aud": "https://graph.windows.net/",
    "iss": "https://sts.windows.net/<tenant>/",
    "iat": 1407767341,
    "nbf": 1407767341,
    "exp": 1407771241,
    "ver": "1.0",
    "tid": "<tenant>",
    "oid": "996481f3-9769-4e02-ab1c-8c4c006da659",
    "sub": "996481f3-9769-4e02-ab1c-8c4c006da659",
    "idp": "https://sts.windows.net/<tenant>/",
    "appid": "<client>",
    "appidacr": "1"
}

So the token doesn't seem to carry the permissions.




Answer 2:


When you registered your app in Azure AD, did you add permissions for Office 365 Exchange Online? Did you set the Application Permissions or the Delegated Permissions? (The UI shouldn't present any available Application Permissions, since they aren't supported yet, but just to be sure...). The reason is that application permissions are typically shown as 'roles' in the token, while delegated permissions show as 'scp' in the token.

Also, can you decode your access token and compare with this example? You can use http://jwt.calebb.net/ to do a quick parse from the base64-encoded token you get back. If you're stuck, you can post it here, but please remove the client ID, tenant ID, and user information first! I just want to see the structure, along with your aud and scp values (if present). It should look something like:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
}

{
  "aud": "https://outlook.office365.com/",
  "iss": "https://sts.windows.net/<tenant_id>/",
  "iat": 1407344872,
  "nbf": 1407344872,
  "exp": 1407348772,
  "ver": "1.0",
  "tid": "<your tenant_id>",
  "amr": [
    "pwd"
  ],
  "oid": "169bf758-9811-4f6a-b924-80c6bbd4ad92",
  "upn": <user_email>,
  "unique_name": <user_email>,
  "sub": "2n3Mq5HtdCN1WVQk494lPipvfVxeSZCYATOpWyN92iA",
  "puid": "10037FF56F8936F7",
  "family_name": "Chaves",
  "given_name": "Mack",
  "appid": "<your client_id>",
  "appidacr": "0",
  "scp": "Contacts.Write Calendars.Write Mail.Send Mail.Write",
  "acr": "1"
}

If it looks different, there's an issue with your app registration. Make sure you follow the steps in http://msdn.microsoft.com/EN-US/library/office/dn605894(v=office.15).aspx, specifically the "Manually register your web app in Azure AD", the "Get an application key", and the "Configure API permissions" sections (using Exchange instead of SharePoint, in your case).

EDIT

Log in to https://manage.windowsazure.com and navigate to your app. With your app selected, click the Manage Manifest button at the bottom, and choose to download the manifest. Open this with a text editor. Post just the section called "requiredAppPermissions" and I'll check it against mine.
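The two checks this answer asks for (decode the access token, then look at aud and whether it carries scp for delegated permissions or roles for application permissions) as an added example, not code from either poster. The sample claims are constructed from the two decoded tokens posted above; the token is assembled unsigned and the signature is never verified, because this is a claims inspector for debugging the 401, not an authorization check.

```python
import base64
import json

# Constructed sample claims, modelled on the two decoded tokens posted above.
HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "<thumbprint>"}
REJECTED_CLAIMS = {"aud": "https://outlook.office365.com/",
                   "iss": "https://sts.windows.net/<tenant>/",
                   "tid": "<tenant>", "appid": "<client>", "appidacr": "1"}
ACCEPTED_CLAIMS = dict(REJECTED_CLAIMS, appidacr="0",
                       scp="Contacts.Write Calendars.Write Mail.Send Mail.Write")

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWT. The signature is deliberately
    not checked: this is a claims inspector for debugging, never an authorizer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_exchange_token(token: str,
                         resource: str = "https://outlook.office365.com/") -> list[str]:
    """List the reasons Exchange Online would reject this token, per the answer:
    wrong audience, app-only 'roles' present, or no delegated 'scp' claim."""
    _, claims = decode_jwt_unverified(token)
    findings = []
    if claims.get("aud") != resource:
        findings.append(f"aud is {claims.get('aud')!r}, expected {resource!r}")
    if "roles" in claims:
        findings.append("'roles' present: application permissions, not accepted by this API")
    if "scp" not in claims:
        findings.append("no 'scp' claim: no delegated permissions were granted or consented")
    return findings

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a constructed test token with an empty signature segment."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."

if __name__ == "__main__":
    for name, claims in (("rejected", REJECTED_CLAIMS), ("accepted", ACCEPTED_CLAIMS)):
        print(name, check_exchange_token(make_unsigned_jwt(HEADER, claims)) or ["ok"])
```

Run it against a real token by passing the raw bearer string to check_exchange_token; an empty list means aud and scp look as the answer expects, so the remaining suspect is the app registration itself.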



Source: https://stackoverflow.com/questions/25185181/office365-ews-api-the-token-has-invalid-value-roles-for-the-claim-type
