I'm trying to access the Office 365 (Graph API) from our Ruby on Rails application (specifically, the Calendar Read API). We're using omniauth for our OAuth2 flows and as such, we have also tried to access the Graph API using the omniauth-office365 and the omniauth-microsoft-office365 gems. But I haven't been able to get an access token with either of these gems so far.
I have registered our app in the Application Registration Portal, but any time I wanted to get Calendars.Read permission (using scope "profile https://graph.microsoft.com/calendar.read"), I always get the error "AADSTS65005: The client application has requested access to resource 'https://graph.windows.net/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list". Reading more articles about this, I got the impression that I need to actually go through Azure AD, so I signed up for that. But then it seems I have to register a completely new web application in the Azure dashboard that has no link to the previously created application. I gave it a try, but that only results in an "AADSTS70002: Error validating credentials. AADSTS50011: The reply address 'https://example.com/auth/office365/callback?code=AQABA...a_very_long_string&session_state=e1029a3b-f6a5-4e7a-940e-18a21ee4c44f' does not match the reply address 'https://example.com/auth/office365/callback' provided when requesting Authorization code." error.
I'm at the point where I'm completely confused. What is the right way to go about this and to get this to work? It cannot really be that I need to go through Azure AD, right? What is the whole point of the Application Registration Portal then? It would be great if anyone could shed some light...
Thanks, Pascal
Ok, after much fiddling around, I finally got a grip on things. And it doesn't help that there are so many different ways of accessing the different APIs, each carrying their specific version, and each with their whole slew of outdated "this is how you do it" articles.
Let me summarize how I got everything to work and lessons learned.
https://outlook.office.com/, whereas all examples refer to base https://graph.microsoft.com. Switching to the microsoft_v2_auth gem included in this Ruby sample got me further.
AADSTS65005 seemed to have to do with the exact "wording" of the scopes. I've seen wordings like :scope => 'openid email profile offline_access https://graph.microsoft.com/calendar.read', but the correct wording is :scope => 'openid email profile offline_access https://graph.microsoft.com/Calendars.Read' (so plural Calendars and Pascal case). This seemed to solve the problem for me.
"Insufficient privileges to complete the operation." occurred after a successful callback with an access token, but right when the gem wanted to get extra profile information from the /v1.0/me API. Only after I added https://graph.microsoft.com/User.Read to the scope in my Ruby application, as well as the User.Read grant in the application registration, the gem seemed to have the permissions it needed and the error went away. NOTE! It seems updating your application configuration can take up to 30 minutes to take effect! This makes it so damn hard to make any progress and find exactly what actions have what effect.
Microsoft access tokens expire within one hour, so you will need to refresh your access token often, using a refresh token. You get a refresh token with your initial authorization request only if you include offline_access in your scope (see point 4). Then you can use the following type of code:
require 'oauth2'
# OmniAuth::Strategies::MicrosoftV2Auth comes from the microsoft_v2_auth gem mentioned above.
# Build the strategy only to reuse its configured OAuth2 client (app key and secret).
oauth = OmniAuth::Strategies::MicrosoftV2Auth.new(
  nil,
  ENV['OFFICE365_KEY'],
  ENV['OFFICE365_SECRET']
)
# Wrap the stored access token together with its refresh token, obtained earlier
# thanks to the offline_access scope.
token = OAuth2::AccessToken.new(
  oauth.client,
  @access_token,
  { refresh_token: @refresh_token }
)
# Ask the token endpoint for a fresh access token and keep it if one came back.
new_token = token.refresh!
@access_token = new_token.token if new_token.token
Also, when testing this it is invaluable to revoke the access token you've acquired during earlier tests. This can be done at myapps.microsoft.com.
I've also run into CSRF errors in this process, in which case you need to clear your cache.
If I find anything else of interest, I'll add it here, in the hopes that no one will have to wander long in these murky API forests. :(
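Two of the lessons above (the case-sensitive Graph permission names, and refreshing the one-hour token only when a refresh token was obtained via offline_access) as an added Ruby example; this is not code from the question, the answer or the microsoft_v2_auth gem. It assumes a `refresher` callable that takes a refresh token and returns a hash with :access_token, :expires_in and optionally :refresh_token; in a Rails app that callable would wrap OAuth2::AccessToken#refresh! as in the answer's snippet.

```ruby
GRAPH = 'https://graph.microsoft.com'.freeze
# Permission names the answer found Graph accepts verbatim; constructed list,
# limited to the two this thread mentions (the v2.0 endpoint is case-sensitive).
CANONICAL_PERMISSIONS = %w[Calendars.Read User.Read].freeze

# Return Graph permission names in a scope string that are not spelled exactly
# as Graph expects, so a bad scope is caught before the AADSTS65005 round trip.
def misspelled_permissions(scope)
  scope.split.select { |s| s.start_with?("#{GRAPH}/") }
       .map { |s| s.delete_prefix("#{GRAPH}/") }
       .reject { |p| CANONICAL_PERMISSIONS.include?(p) }
end

# Keeps an access/refresh token pair usable across the one-hour token lifetime.
# `refresher` is an assumed callable taking a refresh token and returning a hash
# with :access_token, :expires_in and optionally :refresh_token.
class GraphTokenStore
  SKEW = 300 # refresh five minutes early so a token never expires mid-request
  attr_reader :access_token, :refresh_token, :expires_at

  def initialize(access_token:, refresh_token:, expires_at:, refresher:)
    @access_token = access_token
    @refresh_token = refresh_token
    @expires_at = expires_at
    @refresher = refresher
  end

  def expiring?(now = Time.now)
    now + SKEW >= @expires_at
  end

  # Returns a token that is good for at least SKEW seconds, refreshing if needed.
  def fresh_access_token(now = Time.now)
    return @access_token unless expiring?(now)
    if @refresh_token.nil?
      raise 'no refresh token held: add offline_access to the scope and re-authorize'
    end
    result = @refresher.call(@refresh_token)
    @access_token = result.fetch(:access_token)
    # The refresh response may carry a new refresh token; keep it when present.
    @refresh_token = result[:refresh_token] || @refresh_token
    @expires_at = now + result.fetch(:expires_in)
    @access_token
  end
end
```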
The relationship between the Office 365 API and Azure AD is that Azure AD acts as an authorization server and the Office 365 API is a Resource Server registered with Azure AD.
Follow these steps to get your app working
You might find this SO thread interesting. There is also a working example of accessing the Graph API in Rails here.