Permission denied (403) when trying to create a calendar event

I am trying to integrate with the Office 365 API via JavaScript using adal.js and jQuery (the implicit OAuth flow), but I am having problems creating a calendar event for my user. My existing code works fine when fetching emails and calendar events, but when I try to create a calendar event, I get the response "403 - Forbidden".

The code is live and running at http://oauth.idippedut.dk/oauth.html . I am calling the Office 365 API endpoint at https://outlook.office.com/api/v2.0/me/events .

My configuration for "Delegated permissions" in the application in our Active Directory for Office 365 / Azure: [screenshot]

Configuration for "Application permissions" in the application in our Active Directory for Office 365 / Azure: [screenshot]

The jQuery query is as follows:

    var event = {
        "Subject": "Discuss the Calendar REST API",
        "Body": {
            "ContentType": "HTML",
            "Content": "I think it will meet our requirements!"
        },
        "Start": {
            "DateTime": "2016-01-21T18:00:00",
            "TimeZone": "Pacific Standard Time"
        },
        "End": {
            "DateTime": "2016-01-21T19:00:00",
            "TimeZone": "Pacific Standard Time"
        },
        "Attendees": [
            {
                "EmailAddress": {
                    "Address": " jesper@lundstocholm.dk ",
                    "Name": "Janet Schorr"
                },
                "Type": "Required"
            }
        ]
    };

    // Create the calendar event
    jQuery.ajax({
        type: 'POST',
        url: postCalenderEndpoint,
        data: JSON.stringify(event),
        contentType: "application/json",
        headers: {
            'Accept': 'application/json',
            'Authorization': 'Bearer ' + token
        }
    }).done(function (data) {
        //alert(JSON.stringify(data));
    }).fail(function (err) {
        jQuery("#loginMessage").text('Error calling REST endpoint: ' + err.statusText + '\n' + err.responseText);
    });

The jQuery configuration is as follows:

    var resource = 'https://outlook.office.com';
    var postCalenderEndpoint = 'https://outlook.office.com/api/v2.0/me/events';
    var clientID = '28a707a5-0f11-4d93-8b88-6a918544da14';
    var tenantName = '365projectum.onmicrosoft.com';

    var authContext = new AuthenticationContext({
        instance: 'https://login.microsoftonline.com/',
        tenant: tenantName,
        clientId: clientID,
        postLogoutRedirectUri: window.location.origin,
        cacheLocation: 'localStorage'
    });

And the resulting HTTP request is as follows:

    Host: outlook.office.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=UTF-8
    Authorization: Bearer <my token>
    Referer: http://oauth.idippedut.dk/oauth.html
    Content-Length: 386
    Origin: http://oauth.idippedut.dk
    Connection: keep-alive

    {"Subject":"Discuss the Calendar REST API","Body":{"ContentType":"HTML","Content":"I think it will meet our requirements!"},"Start":{"DateTime":"2016-01-21T18:00:00","TimeZone":"Pacific Standard Time"},"End":{"DateTime":"2016-01-21T19:00:00","TimeZone":"Pacific Standard Time"},"Attendees":[{"EmailAddress":{"Address":" jesper@lundstocholm.dk ","Name":"Janet Schorr"},"Type":"Required"}]}

I am really puzzled as to why I get a 403, since everything should be configured correctly.

Any help would be greatly appreciated :-)

/ Jesper

3 answers

You have configured delegated permissions for Microsoft Graph, but you are calling the Outlook endpoint. You need to do one of the following:

1. Change your application's configuration to grant delegated permissions for Outlook / Office 365 Exchange Online.
2. Modify the application to use the Microsoft Graph endpoint (graph.microsoft.com), i.e. https://graph.microsoft.com/v1.0/me/events, and keep the current application configuration.

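A quick way to confirm the mismatch this answer describes is to decode the access token adal.js hands you and compare its `aud` (audience) claim with the host you are calling, and its `scp` claim with the delegated scope a write needs. The following is an added diagnostic (not code from the question or the answers); it decodes the JWT payload without verifying the signature, so it is only a client-side sanity check, and it assumes Node's `Buffer` (in a browser, `atob` would be used instead). The sample token is constructed and unsigned; `Calendars.ReadWrite` is the Outlook/Graph scope name behind the "Full access to user calendars" permission.

```javascript
// Decode the payload (second segment) of a JWT. No signature check: this is
// a diagnostic for the client, not an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> base64, then re-pad so Buffer accepts it
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Return a list of reasons why a call to endpointUrl with this token would
// be rejected: wrong audience (token minted for a different resource) or a
// missing delegated scope. An empty list means the token looks usable.
function checkTokenForEndpoint(token, endpointUrl, requiredScope) {
  const claims = decodeJwtPayload(token);
  const origin = new URL(endpointUrl).origin;
  const problems = [];
  // Azure AD sets aud to the resource identifier the token was requested for
  if (claims.aud !== origin && claims.aud !== origin + '/') {
    problems.push('audience ' + claims.aud + ' does not match ' + origin);
  }
  // scp is a space-separated list of delegated scopes in the token
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  if (!scopes.includes(requiredScope)) {
    problems.push('scope ' + requiredScope + ' missing (have: ' +
      (scopes.join(', ') || 'none') + ')');
  }
  return problems;
}

// Build a constructed, unsigned token (alg "none") carrying the given
// claims, purely so the checker can be exercised offline. Hypothetical data.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(claims) + '.';
}

// Mirrors the question: the app consented to Graph, so the token's audience is
// Graph while the request goes to outlook.office.com and needs write access.
const endpoint = 'https://outlook.office.com/api/v2.0/me/events';
const graphToken = makeSampleToken({
  aud: 'https://graph.microsoft.com', scp: 'Calendars.Read Mail.Read'
});
console.log(checkTokenForEndpoint(graphToken, endpoint, 'Calendars.ReadWrite'));
```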

Try "https://graph.microsoft.com" as the resource to get the (right) token.

Yours faithfully,

Aj


Did you register the application requesting the "Read user and shared calendars" permission, and later add the "Full access to user calendars" permission? If so, you may be in a situation where users consented to the earlier permission, and because that consent is already in place, they are not asked to consent again when a new permission is added. That would explain why your application can read but cannot write.

You would only be in this situation with users who consented BEFORE you added the new permission, and only if users actually had to consent. Users would not have to consent if you registered the application as an administrator and sign in with users from the same tenant as that administrator. Users must consent if you registered the application as a regular user or the application is a multi-tenant application.

If either of those applies, an easy way to confirm that this is the problem is to try the application as a completely new user who has never consented before. That new user would be asked to consent to all permissions the application requests. Note that if the application relies on admin consent, you will need a clean new tenant to consent in.

If that resolves it, you need to force your existing users through a step in which you send a new OAuth authorization request with the prompt=consent parameter so that they consent again.


Source: https://habr.com/ru/post/1240903/
