This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
wowong edited this page Apr 19, 2017 · 3 revisions

Overview

This library contains class libraries to work with O365 Actionable Messages.

Token Validation

When a user performs a POST action in an Actionable Message, O365 sends a POST request to the targeted web service. The request's Authorization header carries a bearer token issued by O365. The web service should always validate this token before acting on the request, for security reasons; the ActionableMessageTokenValidator class makes this task easy. The code snippet below is from the POST method of an ASP.NET MVC controller.

    public async Task<HttpResponseMessage> Post([FromBody]string value)
    {
        HttpRequestMessage request = this.ActionContext.Request;
        
        // Validate that we have a bearer token.
        if (request.Headers.Authorization == null ||
            !string.Equals(request.Headers.Authorization.Scheme, "bearer", StringComparison.OrdinalIgnoreCase) ||
            string.IsNullOrEmpty(request.Headers.Authorization.Parameter))
        {
            return request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Bearer token not found.");
        }

        // Validate that the bearer token is valid.
        string bearerToken = request.Headers.Authorization.Parameter;
        ActionableMessageTokenValidator validator = new ActionableMessageTokenValidator();
        // Pass this web service's own base URL so the validator can check that the token was issued for it.
        ActionableMessageTokenValidationResult result = await validator.ValidateTokenAsync(bearerToken, "https://api.contoso.com");
        if (!result.ValidationSucceeded)
        {
            if (result.Exception != null)
            {
                Trace.TraceError(result.Exception.ToString());
            }

            return request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid bearer token");
        }

        // We have a valid token. We will next verify the sender and the action performer.
        // In this example, we verify that the email is sent by Contoso LOB system
        // and the action performer is john@contoso.com.
        // E-mail addresses are compared case-insensitively; note the closing parenthesis of the condition.
        if (!string.Equals(result.Sender, "lob@contoso.com", StringComparison.OrdinalIgnoreCase) ||
            !string.Equals(result.ActionPerformer, "john@contoso.com", StringComparison.OrdinalIgnoreCase))
        {
            return request.CreateErrorResponse(HttpStatusCode.Forbidden, string.Empty);
        }

        // Process the request.
        
        return request.CreateResponse(HttpStatusCode.OK);
    }
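The sender and action-performer checks above are the part of the handler that is easiest to get subtly wrong (a missing parenthesis, a case-sensitive comparison, a null claim). The following is an added example, not code from this repository, that moves the bearer-token extraction and the sender/performer policy into a small class that can be unit-tested without an HTTP pipeline. It assumes the validator types live in the Microsoft.O365.ActionableMessages.Authentication namespace (check the package you reference) and uses only the ActionableMessageTokenValidationResult members shown on this page (ValidationSucceeded, Sender, ActionPerformer); the allow-list and the @contoso.com performer rule are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.O365.ActionableMessages.Authentication; // assumed namespace of the validator types

// Added example: keeps the authorization policy out of the controller so it can be unit-tested.
public sealed class ActionableMessageAuthorizer
{
    private readonly HashSet<string> allowedSenders;
    private readonly Func<string, bool> isAllowedPerformer;

    public ActionableMessageAuthorizer(IEnumerable<string> allowedSenders, Func<string, bool> isAllowedPerformer)
    {
        // E-mail addresses are compared case-insensitively.
        this.allowedSenders = new HashSet<string>(allowedSenders, StringComparer.OrdinalIgnoreCase);
        this.isAllowedPerformer = isAllowedPerformer ?? throw new ArgumentNullException(nameof(isAllowedPerformer));
    }

    // Extracts the bearer token from the Authorization header; returns false if it is absent or malformed.
    public static bool TryGetBearerToken(HttpRequestMessage request, out string token)
    {
        token = null;
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null ||
            !string.Equals(auth.Scheme, "bearer", StringComparison.OrdinalIgnoreCase) ||
            string.IsNullOrWhiteSpace(auth.Parameter))
        {
            return false;
        }
        token = auth.Parameter;
        return true;
    }

    // Decides whether a validated token may trigger this action.
    // `reason` is for server-side logging only; the client gets a generic 403.
    public bool IsAuthorized(ActionableMessageTokenValidationResult result, out string reason)
    {
        if (result == null || !result.ValidationSucceeded)
        {
            reason = "token validation failed";
            return false;
        }
        if (string.IsNullOrEmpty(result.Sender) || !allowedSenders.Contains(result.Sender))
        {
            reason = "sender not in allow-list: " + result.Sender;
            return false;
        }
        if (string.IsNullOrEmpty(result.ActionPerformer) || !isAllowedPerformer(result.ActionPerformer))
        {
            reason = "action performer not permitted: " + result.ActionPerformer;
            return false;
        }
        reason = null;
        return true;
    }

    // How the controller's Post method would use the class (constructed values, not the project's own).
    public static async System.Threading.Tasks.Task<HttpResponseMessage> HandleAsync(HttpRequestMessage request)
    {
        if (!TryGetBearerToken(request, out string bearerToken))
        {
            return request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Bearer token not found.");
        }

        var validator = new ActionableMessageTokenValidator();
        ActionableMessageTokenValidationResult result =
            await validator.ValidateTokenAsync(bearerToken, "https://api.contoso.com"); // this service's base URL

        var authorizer = new ActionableMessageAuthorizer(
            new[] { "lob@contoso.com" },                                                   // constructed allow-list
            performer => performer.EndsWith("@contoso.com", StringComparison.OrdinalIgnoreCase));

        if (!authorizer.IsAuthorized(result, out string reason))
        {
            Trace.TraceWarning("Actionable message rejected: " + reason);
            return request.CreateErrorResponse(HttpStatusCode.Forbidden, string.Empty);
        }

        // Process the request here.
        return request.CreateResponse(HttpStatusCode.OK);
    }
}
```

Because IsAuthorized takes only the validation result, a test can construct an ActionableMessageTokenValidationResult with a permitted and a non-permitted sender and assert on the boolean without issuing any HTTP request or obtaining a real token. Keeping the sender allow-list and the performer rule in one place also makes it obvious when a deployment forgets to set them.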

Classes

ActionableMessageTokenClaims
ActionableMessageTokenValidator
