401 Unauthorized when using service account app-only token to make API calls

[keshi87]

I started out getting the App-only token to ensure my app is authorized by the admin to silently perform actions across all users. I have been using the graph APIs for a lot of my use cases but the graph API(nor the outlook API) supports things like getting the current list of rules etc. The token has the permissions required to access EWS APIs.

I then decided to use EWS API as it mentioned it has support for InboxRules management. However it does not seem to accept the token I have from my app in azure AD.
However I get a 401 Unauthorized instead of the error your seeing.

Exception in thread "main" microsoft.exchange.webservices.data.core.exception.service.remote.ServiceRequestException: The request failed. The request failed. The remote server returned an error: (401)Unauthorized at microsoft.exchange.webservices.data.core.request.SimpleServiceRequestBase.internalExecute(SimpleServiceRequestBase.java:74) at microsoft.exchange.webservices.data.core.request.GetInboxRulesRequest.execute(GetInboxRulesRequest.java:143) at microsoft.exchange.webservices.data.core.ExchangeService.getInboxRules(ExchangeService.java:3459) at com.paloaltonetworks.aperture.token.ExchangeTokenService.getRules(ExchangeTokenService.java:164) at com.paloaltonetworks.aperture.token.ExchangeTokenService.main(ExchangeTokenService.java:193) Caused by: microsoft.exchange.webservices.data.core.exception.service.remote.ServiceRequestException: The request failed. The remote server returned an error: (401)Unauthorized at microsoft.exchange.webservices.data.core.request.ServiceRequestBase.validateAndEmitRequest(ServiceRequestBase.java:644) at microsoft.exchange.webservices.data.core.request.SimpleServiceRequestBase.internalExecute(SimpleServiceRequestBase.java:62) ... 4 more Caused by: microsoft.exchange.webservices.data.core.exception.http.HttpErrorException: The remote server returned an error: (401)Unauthorized at microsoft.exchange.webservices.data.core.request.ServiceRequestBase.getEwsHttpWebResponse(ServiceRequestBase.java:723) at microsoft.exchange.webservices.data.core.request.ServiceRequestBase.validateAndEmitRequest(ServiceRequestBase.java:639) ... 5 more

Is this because I cannot use the token I got for 'graph.microsoft.com' with the admin access? If not which token should I use and how do I go about getting it?

[keshi87]

Update: It seems like the TokenCredentials class has nothing to do with OAuth and it was added in for SAML? I dont see a way to push the access token I have in as a "Authorization: Bearer %s" header.

[keshy]

Forgot to update here but I believe what I found may help others. The app-only token does indeed work with the EWS managed APIs. I had to write a new OAUthCredentialHelper class that extends ExchangeCredentials and add the bearer token.

At service registration you can use it in the following way:

ewsService = new ExchangeService();
// set your url either via autodiscovery or other means
ewsService.setTraceEnabled(true);
ewsService.setCredentials(new OAuthCredentials(app_only_token));

[dsebastien]

@keshy could you share the code of your OAuthCredentialHelper with us?

[keshy]

Sure - you can find it here
https://gist.github.com/keshy/0ec56956e91e59e14fee7a892a7af919

[PvanHengel]

This works great! Thank you spent a few hours trying to debug why the default ExchangeCredentials credentials = new TokenCredentials(token); does not work, its because it does not add the headers. I think this feature should be added to the code base for sure.