Forbidden error for Exchange Web Service request with Authorization Code Flow

Maxou Mcfly 1 Reputation point
2022-12-06T10:40:15.777+00:00

Exchange Web Service requests to https://outlook.office365.com/EWS/Exchange.asmx with the access token received via the OAuth 2.0 Authorization Code Flow result in a 403 Forbidden status code.

Steps:

  1. Opening and authorizing the application with https://login.microsoftonline.com/common/oauth2/v2.0/authorize and the parameters:

     After authorization with my personal account, this redirects to the specified redirect URI with a code.

  2. Generating a token via https://login.microsoftonline.com/common/oauth2/v2.0/token with the parameters:
     • client_id: 5fafd813-xxx
     • response_type: <redirect uri specified in azure>
     • respone_mode: query
     • scope: openid offline_access email <outlook url>/Calendars.ReadWrite <outlook url>/EWS.AccessAsUser.All
     • client_secret: 6Mp8Q~4...RD
     • code: <code from the previous step>

     This generates an access token and a refresh token.

  3. Getting the Calendar Folder Id with a SOAP request, passing the received access token in Authorization: Bearer <access token>: 267736-image.png

Unfortunately this results in 403 Forbidden.

Is the scope of the authorization incorrect? Is the SOAP request incorrect?

Notes:

  • I tested the SOAP request without impersonation; that changed nothing.
  • I tested the SOAP request with the client credentials flow and a private onmicrosoft account; that worked correctly.
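A first diagnostic for a 403 like the one described in the question, added here as an example and not part of the question or the answer: decode the access token's claims locally (inspection only, no signature verification) and confirm that its audience is the EWS resource and that its delegated scopes include EWS.AccessAsUser.All. The resource URL and scope name are taken from the question; `check_ews_token` and `make_unsigned_token` are this example's own helpers, and the tokens built with them are constructed samples, not real tokens.

```python
import base64
import json

# Assumed for this example: the EWS resource a delegated token must be issued for,
# and the delegated scope the question requests for EWS access.
EWS_RESOURCE = "https://outlook.office365.com"
REQUIRED_SCOPE = "EWS.AccessAsUser.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token: str) -> dict:
    """Return the payload claims of a compact JWT *without* verifying its signature.
    Local inspection only: a token must never be trusted on the basis of this."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_token(access_token: str) -> list:
    """List the reasons a delegated EWS call would reject this token; [] means it looks right."""
    try:
        claims = decode_claims(access_token)
    except (ValueError, json.JSONDecodeError):  # binascii.Error is a ValueError subclass
        return ["token is not a decodable JWT"]
    problems = []
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != EWS_RESOURCE:
        problems.append(f"aud is {aud!r}; EWS expects {EWS_RESOURCE}")
    if "scp" in claims:  # delegated (user) token: scopes live in scp
        if REQUIRED_SCOPE not in claims["scp"].split():
            problems.append(f"scp {claims['scp']!r} lacks {REQUIRED_SCOPE}")
    elif "roles" in claims:  # app-only token: permissions live in roles
        problems.append("token carries app roles, not delegated scopes (client credentials token?)")
    else:
        problems.append("token has no scp claim")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) JWT so the checks can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    sample = make_unsigned_token({"aud": EWS_RESOURCE, "scp": "Calendars.ReadWrite"})
    print(check_ews_token(sample))  # reports the missing EWS scope
```

Run it against the real token from step 2 with `check_ews_token(token)`; an empty list means the token at least names the right resource and scope, so the remaining suspects are the SOAP body and the mailbox permissions.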

1 answer

Amit Singh 4,846 Reputation points
2022-12-08T17:36:00.023+00:00

According to the OAuth 2.0 specification, the authorization code expires shortly after it is issued, with a maximum authorization code lifetime of 10 minutes (could potentially be shorter). If you are making your requests immediately after receiving your authorization code, you can eliminate this error as a possibility.