Access to Outlook RestAPI from an Outlook web Add-in

Question

I developed an Outlook Web Add-in that is working fine. It's a Taskpane that is available in compose mode of appointments and that collects event's data, adds a few ones and send that all to an API somewhere.

What I would like to do now is to subscribe the authenticated user to the Outlook Rest API in order to get notified when the event is deleted.

The subscription call should look like this one:

POST https://outlook.office.com/api/v2.0/me/subscriptions HTTP/1.1 
Content-Type: application/json 
{ 
  @odata.type:"#Microsoft.OutlookServices.PushSubscription", 
  Resource: "https://outlook.office.com/api/v2.0/me/events", 
  NotificationURL: "https://myNotifAPI.azurewebsites.net/api/send/myNotifyClient", 
  ChangeType: "Deleted", 
  ClientState: "blabla" 
}

I know I need to provide a valid Authentication Bearer Token when posting to the subscriptions URL so I tried to call this method in my Add-In:

_mailbox = Office.context.mailbox;
_mailbox.getUserIdentityTokenAsync(getUserIdentityTokenCallback);

In the function getUserIdentityTokenAsync, I call a WebApi Controller that validates my token and send it back to the Add-In:

AppIdentityToken token = (AppIdentityToken)AuthToken.Parse(rawToken);
token.Validate(new Uri(request.AudienceUrl));
return token;

I tried to use that token to Post to https://outlook.office.com/api/v2.0/me/subscriptions (using Postman) but I got a 401 saying:

reason="The audience claim value is invalid '<MyAddInURL>'.";error_category="invalid_resource"

Is it the right Token to use in that particular case or do I need to get another one? Any advices would be appreciated!

-- EDIT --

As suggested by @benoit-patra I tried to get a token using getCallbackTokenAsync instead of getUserIdentityTokenAsync but when I called https://outlook.office.com/api/v2.0/me/subscriptions I did receive a 403 :

"error": {
    "code": "ErrorAccessDenied",
    "message": "The api you are trying to access does not support item scoped OAuth."
  }

As requested by @benoit-patra here's the Token content :

{
  "nameid": "9d643d8c-b301-4fe1-83f7-bf41b1749379@57bcd3d9-685a-4c41-8c7d-xxxxxx",
  "ver": "Exchange.Callback.V1",
  "appctxsender": "https://localhost:44444/NewAppointment.html@57bcd3d9-685a-4c41-8c7d-xxxxxx",
  "appctx": {
    "oid": "3a8a4f92-a010-40bd-a093-xxxxxx",
    "puid": "10033FFF9xxxxx",
    "smtp": "[email protected]",
    "upn": "[email protected]",
    "scope": "ParentItemId:AAMkADE4NTk2MDNjLTI4NGEtNDZkNS1hMzg4LTE3MzI2NGJhZWRkZQBGAAAAAAD+YYA7CnMtRZsrwJ7l6m44BwCcSer9F+cXSrWNauuHQlZ7AAAAAAENAACcSer9F+cXSrWNaxxxxxxxx"
  },
  "iss": "00000002-0000-0ff1-ce00-000000000000@57bcd3d9-685a-4c41-8c7d-xxxxx",
  "aud": "00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@57bcd3d9-685a-4c41-8c7d-xxxx",
  "exp": 1487087672,
  "nbf": 1487087372
}

Answer 1

The previous answer is right, the error is because you are getting an item scoped token. Because previously Callback tokens only allowed a caller to call GetItem and GetItemAttachment REST APIs. We are making changes to the callback token so that clients can call REST of the APIs as well. The requirement is first you should have readWriteMailBox permission. Second get a REST callback token by providing isRest=true, like below

Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, function (result))

The resulting token will have Mail.ReadWrite, Calendar.ReadWrite, Contacts.ReadWrite, and Mail.Send Scopes.

That said the isRest parameter is only supported for outlook mobile client right now. The work to support it on OWA and Outlook is in progress and we expect to release it by March.