 

Outlook 365 Rest API - The audience claim value is invalid

I am working on a current project where we are already using Identity Server to auth. Here we use the access token to access the Microsoft Graph API to get meetings, profile pictures and other stuff.

Now we want to make an integration to the new Outlook 365 API to read and in the future write tasks.

I am trying to get Outlook tasks from the Outlook REST API using the already existing access token:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/17e18230-55e1-4f60-8262-5c67e2b2ab11/",
  "iat": 1145153145,
  "nbf": 1491225024,
  "exp": 1491258924,
  "acr": "1",
  "aio": "QSQA8/8DAFFFInSl+iIfvSXhA95NqTYRmKugpaLdvffNkba0L8N5x0U=",
  "amr": [
    "pwd"
  ],
  "app_displayname": "AwesomeApp.Dev",
  "appid": "0c2fgc75-f2ee-fas5-ae9f-fasd2s5d523fs",
  "appidacr": "1",
  "family_name": "Jesper Krægpøth Ryder",
  "given_name": "Joshua",
  "ipaddr": "208.67.222.222",
  "name": "Joshua Jesper Krægpøth Ryder",
  "oid": "a4586g1-d0215-3226-ar05-125463gasrqw5",
  "platf": "3",
  "puid": "654wf84yu3s1g6",
  "scp": "Calendars.Read Calendars.Read.Shared Calendars.ReadWrite Directory.Read.All Files.ReadWrite Group.Read.All Mail.ReadWrite Mail.Send Tasks.Read User.Read User.ReadBasic.All User.ReadWrite",
  "sub": "0s_x0JhaNb1QLpIM2Hldx7pSVkrpTgXKe4QPXXiRguQ",
  "tid": "15e18430-54e9-4f60-8821-5c85e2b2ab77",
  "unique_name": "[email protected]",
  "upn": "[email protected]",
  "uti": "65a2gasdrfasda_fasfa54153",
  "ver": "1.0"
}

https://outlook.office.com/api/v2.0/me/tasks

Error message:

Content-Length →0
Date →Tue, 04 Jul 2017 08:35:21 GMT
Server →Microsoft-IIS/10.0
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm="",Basic Realm=""
X-BEServer →HE1PR0901MB1194
X-BackEndHttpStatus →401, 401
X-CalculatedBETarget →HE1PR0901MB1194.eurprd09.prod.outlook.com
X-CalculatedFETarget →HE1P190CU001.internal.outlook.com
X-DiagInfo →HE1PR0901MB1194
X-FEProxyInfo →HE1P190CA0005.EURP190.PROD.OUTLOOK.COM
X-FEServer →HE1P190CA0005, HE1PR0201CA0031
X-MSEdge-Ref →Ref A: C32D029EF8F84E68BF6327901BBED14F Ref B: HEL01EDGE0307 Ref C: Tue Jul 4 01:35:21 2017 PST
X-Powered-By →ASP.NET 
request-id →2266567a-dd67-48f0-b3b4-72cfb5ee6b42
x-ms-diagnostics →2000003;reason="The audience claim value is invalid 'https://graph.microsoft.com'.";error_category="invalid_resource"

On the identity server we are using the middleware to handle our scopes like so:

app.UseMicrosoftAccountAuthentication(new MicrosoftAccountOptions
{
    AuthenticationScheme = "Microsoft",
    DisplayName = "Microsoft",
    SignInScheme = cookieScheme,
    ClientId = Configuration.GetValue<string>("ExternalKeys:SecretMicrosoftClientId"),
    ClientSecret = Configuration.GetValue<string>("ExternalKeys:SecretMicrosoftClientSecret"),
    CallbackPath = new PathString("/signin-microsoft"),
    // Scopes requested at sign-in; only the last one is qualified with the Outlook resource
    Scope =
    {
        "offline_access",
        "Calendars.Read",
        "Calendars.Read.Shared",
        "https://outlook.office.com/tasks.read"
    },
    // Persist the access/refresh tokens so they can be used for API calls later
    SaveTokens = true,
});

When we try to log in, we get prompted with the additional Tasks access requirement. So we should have access to the tasks API.

Anyone else tried to use both the Microsoft Graph API and the new Outlook 365 REST API?

Kiksen asked Jul 04 '17 09:07


1 Answer

New answer:

The API has now been released and can be found here: https://msdn.microsoft.com/en-us/office/office365/api/task-rest-operations

Working scopes for our project:

Scope =
{
    "offline_access",
    "Calendars.Read",
    "Calendars.Read.Shared",
    "Tasks.Readwrite"
},

Old answer:

You cannot use a token issued for Graph ("aud": "https://graph.microsoft.com") against the Outlook endpoint. You need a token with "aud": "https://outlook.office.com". To get that you would need to do another auth request to Azure with all of your scopes fully-qualified with the Outlook domain:

Scope =
{
    "offline_access",
    "https://outlook.office.com/Calendars.Read",
    "https://outlook.office.com/Calendars.Read.Shared",
    "https://outlook.office.com/tasks.read"
},

However, since you're already using Graph, you could just access tasks via the Graph too :). Graph recently added task support to their beta endpoint: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/outlooktask.

Jason Johnston answered Sep 22 '22 11:09
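As an added example (not code from the question or the answer), the following Python pre-flight check decodes a bearer token's claims and reports why a resource server would answer 401 invalid_token for the request above: the `aud` claim names Graph, not Outlook, and the needed scope may be absent. The claims, tenant id and helper names are constructed for illustration; decoding here does not verify the signature, which only the resource server can do.

```python
import base64
import json

# Constructed sample claims, modelled on the token shown in the question
# (only the claims that matter for the audience/scope check are kept).
GRAPH_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "scp": "Calendars.Read Tasks.Read User.Read",
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a token with an empty signature, for offline demonstration only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. This does NOT validate the token;
    it is used to decide which token to send, never to grant access."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_for_resource(token: str, resource: str, needed_scopes: set) -> list:
    """Return the problems that would make `resource` reject the token
    with 401 invalid_token; an empty list means it looks usable."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # "aud" may be a list
    if resource not in audiences:
        problems.append(f"audience {aud!r} is not {resource!r}")
    granted = set(claims.get("scp", "").lower().split())  # scopes are case-insensitive
    missing = {s for s in needed_scopes if s.lower() not in granted}
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    token = make_unsigned_jwt(GRAPH_CLAIMS)
    # Same failure as in the question: a Graph token sent to the Outlook endpoint.
    print(check_token_for_resource(token, "https://outlook.office.com", {"Tasks.Read"}))
    # The same token is fine for Graph itself.
    print(check_token_for_resource(token, "https://graph.microsoft.com", {"Tasks.Read"}))
```

Running the check before each call turns the opaque 401 into a clear message about which of the two tokens (Graph or Outlook) the call needs.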