none
EWS Manage Api Exchange Online TokenCredentials always returning 401

    Question

  • Hi,

    Im trying to get acces to Exchange Online with the EWS manage api 2.2 and Im trying using this

           ExchangeService service = new ExchangeService();
                service.TraceEnabled = true;
               
                service.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
                //service.HttpHeaders.Add("Authorization", "Bearer " + token);
                service.Credentials = new TokenCredentials(token);
                //service.PreAuthenticate = true;
                //service.SendClientLatencies = true;
                //service.EnableScpLookup = false;

    Always I get 401 unauthorized the token I get Azure Ad Authentication library , with this code

       var authenticationContext = new AuthenticationContext(_config.AuthString, false);
                // Config for OAuth client credentials 
                var clientCred = new ClientCredential(_config.ClientId, _config.ClientSecret);
                AuthenticationResult authenticationResult = authenticationContext.AcquireToken(_config.ResourceUrl,clientCred);
                string token = authenticationResult.AccessToken;

    The app is registered on Azure Ad and have all the permision ,

    Im missing something? There is somewhere  a working example?

    I thinks is the same problem that is explained  here


    Live like you'll die tomorrow, learn like you'll live forever. Blog


    Friday, January 09, 2015 9:21 PM

All replies

  • As your link says, don't use TokenCredentials, it doesn't work with OAuth tokens. Instead just put the token value in the Authorization header.

    ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2013);
    string accessToken = GetAccessToken();
    if (!string.IsNullOrEmpty(accessToken))
        service.HttpHeaders.Add("Authorization", "Bearer " + accessToken);

    Where GetAccessToken is basically a wrapper around your ADAL code snippet.

    Friday, January 09, 2015 10:27 PM
    Moderator
  • I tried that but is not working, 


    Live like you'll die tomorrow, learn like you'll live forever. Blog

     I get this line on the responser headers

     {[x-ms-diagnostics, 2000010;reason="The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.";error_category="insufficient_auth_strength"]}

    Monday, January 12, 2015 4:27 AM
  • Interesting. How did you register this app, and what permissions did you grant? Is it a web app or a native app?
    Tuesday, January 13, 2015 3:58 PM
    Moderator
  • Is a web App , and it have full acces permitions , read and write on Azure AD and on Exchange Online  full acces 

    Live like you'll die tomorrow, learn like you'll live forever. Blog

    Tuesday, January 13, 2015 4:56 PM
  • If you parse the token, what is the value of the scp claim?
    Wednesday, January 14, 2015 4:48 PM
    Moderator
  • Got this "nuclear bomb", as i call this type of unexpected issues, in response too.

     {[x-ms-diagnostics, 2000010;reason="The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.";error_category="insufficient_auth_strength"]}

    As i see, have to use a trusted certificate via ADAL (not self-signed), i guess, to get prtectio level 2.

    But all i initially was need - edit subject of an item at read-view outlook web (content) app...

    Friday, January 30, 2015 9:05 PM
  • I faced this issue too.. I registered app wit Visual Studio 2013 Office tools "Add Connected Service" feature...
    Friday, January 30, 2015 9:06 PM
  • Are you trying to use client credential OAuth flow rather than authorization code grant flow? You can use self-signed cert but it has to be added to the app manifest in Azure. http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
    Friday, January 30, 2015 9:11 PM
    Moderator
  • I've been fighting with this issue for almost a week. I am trying to write a daemon application but I cannot make it to do even minimum. I am using NodeJS and node-outlook. I tried several self-signed certificates using sha1, md5, sha265 algorithms. The problem is the same:

    ERROR: { UNSENT: 0,
      OPENED: 1,
      HEADERS_RECEIVED: 2,
      LOADING: 3,
      DONE: 4,
      readyState: 4,
      onreadystatechange: [Function],
      responseText: '',
      responseXML: '',
      status: 401,
      statusText: null,
      open: [Function],
      setDisableHeaderCheck: [Function],
      setRequestHeader: [Function],
      getResponseHeader: [Function],
      getAllResponseHeaders: [Function],
      getRequestHeader: [Function],
      send: [Function],
      handleError: [Function],
      abort: [Function],
      addEventListener: [Function],
      removeEventListener: [Function],
      dispatchEvent: [Function] }
    Headers content-length: 0
    server: Microsoft-IIS/8.0
    request-id: db48cb4f-31e8-485f-a534-175e6c4d4daa
    x-calculatedbetarget: BLUPR10MB0594.namprd10.prod.outlook.com
    x-backendhttpstatus: 401
    x-ms-diagnostics: 2000010;reason="The access token is acquired using an authenti
    cation method that is too weak to allow access for this application. Presented a
    uth strength was 1, required is 2.";error_category="insufficient_auth_strength"
    x-diaginfo: BLUPR10MB0594
    x-beserver: BLUPR10MB0594
    x-powered-by: ASP.NET
    x-feserver: BLUPR0401CA0021
    www-authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trust
    ed_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_u
    ser_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize",
    error="invalid_token",Basic Realm="",Basic Realm=""
    date: Thu, 25 Jun 2015 18:52:23 GMT
    connection: close

    Has anybody resolved the issue?

    Thursday, June 25, 2015 7:26 PM
  • People, is there some Microsoft forum where I could actually get answers about this issue?

    I followed the instructions published here http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx, and it is still not working.

    Was anybody successful in defeating this "The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2." error in NodeJs/node-outlook?

    Thanks in advance.

    Friday, June 26, 2015 3:52 PM
  • Has somebody found a solution for the problem? 

    I have the same "access token is too weak" problem. 

    chn

    Tuesday, May 08, 2018 7:59 AM