Share via

Forbidden error for Exchange Web Service request with Authorization Code Flow

Maxou Mcfly 1 Reputation point
2022-12-06T10:40:15.777+00:00

The Exchange Web Service requests to https://outlook.office365.com/EWS/Exchange.asmx with the access token received by the OAuth 2.0 Authorization Code Flow results to a status code 403 Forbidden.

Steps:

  1. Opening and authorizing the application with https://login.microsoftonline.com/common/oauth2/v2.0/authorize and the parameters:

After authorization with my personal account, this redirects to the specified redirect uri with a code.

  1. Generate a token via https://login.microsoftonline.com/common/oauth2/v2.0/token with the parameters:
    • client_id: 5fafd813-xxx
    • response_type: <redirect uri specified in azure>
    • respone_mode: query
    • scope: openid offline_access email <outlook url>/Calendars.ReadWrite <outlook url>/EWS.AccessAsUser.All
    • client_secret: 6Mp8Q\~4...RD
    • code: <code from the previous step>

      This generates an access token and refresh token

  2. Getting the Calendar Folder Id with a SOAP request by passing the received access token in Authorization: Bearer <access token>: 267736-image.png

Unfortunately this results to 403 Forbidden

Is the scope of the authorization incorrect ? Is the SOAP request incorrect ?

Notes:

  • I tested the SOAP request without impersonation that changed nothing
  • I tested the SOAP request with the Client credentials flow and a private account onmicrosoft that worked correctly
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,323 questions
Exchange Server Development
Exchange Server Development
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Development: The process of researching, productizing, and refining new or existing technologies.
549 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amit Singh 4,981 Reputation points
    2022-12-08T17:36:00.023+00:00

    According to the OAuth 2.0 specification, the authorization code expires shortly after it is issued, with a maximum authorization code lifetime of 10 minutes (could potentially be shorter). If you are making your requests immediately after receiving your authorization code, you can eliminate this error as a possibility.

  2. Bart Brackenier 0 Reputation points
    2024-08-14T08:31:23.2633333+00:00

    Any update on this, i have same issue, although i have a valid token and logged in succesfully.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.