
Cannot obtain access token using OAuth2 with Exchange

I am attempting to use OAuth2 to access an Exchange mailbox, but I'm having trouble with the OAuth protocol. I'm not using a library, just making direct http calls (using libcurl). I'm using documentation found here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

I have successfully obtained the authorization code, now I'm trying to use that to obtain the access token. The response in the returned json is "invalid grant, Transmission data parser failure: Authorization Code is malformed or invalid.". HTTP error 400. Below is the entire flow that I'm generating:

Obtaining Auth code:

Start IE with this url:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=38f1da80-9f80-4ff6-84a8-27c83d7212d3&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&resource=https%3A%2F%2Foutlook.office.com%2F&response_type=code&scope=openid+Mail.ReadWrite

At this point, the user is presented with the Microsoft login screen. He enters his credentials, then is asked to approve access to the requested scopes. He does so. Next, at the redirect URL, we receive the data:

https://login.microsoftonline.com/common/oauth2/nativeclient?code=AQABAAIAAAA9kTklhVy7SJTGAzR-p1BcUmXu0izUoOslqxHN85yR0vAVKicFVbtjs3IsKScxeBuTmxBsVy8qT3axn5YaDt_O6M4YVcAk--kpJ-dnNbKtnovjHIxGwtdRawo53UU9u19YP5ST5a8Ekffnxh0Z2gbBM_sKbmbhx2E-y_xs1spgV8gF6im39tLWo

Obtaining token:

The application extracts the data after "code=", then posts to this url:

https://login.microsoftonline.com/common/oauth2/token

this data:

grant_type=authorization_code&client_id=38f1da80-9f80-4ff6-84a8-27c83d7212d3&code=AQABAAIAAAA9kTklhVy7SJTGAzR-p1BcUmXu0izUoOslqxHN85yR0vAVKicFVbtjs3IsKScxeBuTmxBsVy8qT3axn5YaDt_O6M4YVcAk--kpJ-dnNbKtnovjHIxGwtdRawo53UU9u19YP5ST5a8Ekffnxh0Z2gbBM_sKbmbhx2E-y_xs1spgV8gF6im39tLWo&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&resource=https%3A%2F%2Foutlook.office.com%2F

This post results in http error 400, and the returned data is:

{"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure:Authorization Code is malformed or invalid....}

Can anybody take a look at what I've done and suggest where I'm going wrong? As an aside, I have tried running a Powershell script suggested by Shawn - this script uses my existing application ID and obtains an auth code and token using ADAL. This seemed to work, so I suspect the problem is in my code, not the application configuration in Azure.

I believe you are mixing up the Azure Active Directory V2 endpoint with the V1 endpoint.

Specifically, the document you have linked, and say you are following, is meant for the AAD V1 endpoint and uses the following URLS (as documented):

https://login.microsoftonline.com/{tenant}/oauth2/authorize

https://login.microsoftonline.com/{tenant}/oauth2/token

Note: There is no /v2.0/ in the urls.

Another issue I see with your token request is that you are not specifying a resource. I believe this is required if you want to acquire an access token to a specific resource. In the case of Exchange Online, you want to specify the resource https://outlook.office.com/.

Note that if possible, Office 365 suggests that you use the Microsoft Graph (https://graph.microsoft.com/) instead of the Exchange API directly. If you are okay with this, then you should probably also use the AAD V2 endpoint. The equivalent article for the V2 endpoint as the one you listed above is here.

Let me know if this solves your issues.
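The request assembly and redirect handling discussed in this thread, written out as an added example (it is not code from the question or the answer, and it uses Python's standard library instead of the libcurl calls the question uses). It builds the v1 authorize and token requests with `resource` and the v2 equivalents with `scope`, using the endpoint paths the answer lists, and it sends nothing. The `state` parameter and its check, the error handling in `parse_redirect`, the all-zero placeholder client_id and the constructed redirect URL are my additions and are not something the thread mentions.

```python
"""Assemble Azure AD OAuth2 authorization-code requests for the v1 and v2
endpoints and parse the redirect, without sending anything.
Added example; every identifier used below is a placeholder."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"

# Endpoint paths as given in the answer: v1 has no /v2.0/ segment and takes a
# `resource`; v2 adds /v2.0/ and takes a space-separated `scope` instead.
PATHS = {
    1: ("/{tenant}/oauth2/authorize", "/{tenant}/oauth2/token"),
    2: ("/{tenant}/oauth2/v2.0/authorize", "/{tenant}/oauth2/v2.0/token"),
}


def new_state():
    """Unguessable per-request value (RFC 6749 `state`). Store it with the
    user's session and compare it on the redirect so a code belonging to a
    different request cannot be injected."""
    return secrets.token_urlsafe(32)


def authorize_url(tenant, client_id, redirect_uri, state, *,
                  resource=None, scopes=None, version=1):
    """Build the URL the browser is sent to for the authorization request."""
    if version not in PATHS:
        raise ValueError(f"unknown endpoint version {version}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if version == 1:
        if not resource:
            raise ValueError("v1 needs a resource, e.g. https://outlook.office.com/")
        params["resource"] = resource
    else:
        if not scopes:
            raise ValueError("v2 needs at least one scope")
        params["scope"] = " ".join(scopes)  # urlencode renders the spaces as '+'
    # urlencode percent-encodes each value, so redirect_uri and resource come
    # out as https%3A%2F%2F... exactly as the endpoint expects.
    return AUTHORITY + PATHS[version][0].format(tenant=tenant) + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Return the authorization code carried by the redirect URL.

    Raises ValueError if the server reported an error, the state does not
    match, or the code parameter is missing, empty or repeated."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    if "error" in query:
        desc = query.get("error_description", ["(no description)"])[0]
        raise ValueError(f"authorization failed: {query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect carries no single, non-empty code parameter")
    return codes[0]


def token_request(tenant, client_id, code, redirect_uri, *,
                  resource=None, version=1, client_secret=None):
    """Return (url, body) for the token POST.

    body is application/x-www-form-urlencoded; send it unchanged with that
    Content-Type. A code made of letters, digits, '-' and '_' passes through
    urlencode unchanged, so checking that body contains 'code=' + code is a
    cheap way to catch a truncated or double-encoded code before sending."""
    if version not in PATHS:
        raise ValueError(f"unknown endpoint version {version}")
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in the authorize step
    }
    if version == 1:
        if not resource:
            raise ValueError("v1 token request needs the same resource as the authorize step")
        params["resource"] = resource
    if client_secret is not None:  # confidential clients only; a native client omits it
        params["client_secret"] = client_secret
    return AUTHORITY + PATHS[version][1].format(tenant=tenant), urlencode(params)


if __name__ == "__main__":
    # Constructed walk-through with a placeholder client_id.
    st = new_state()
    print(authorize_url("common", "00000000-0000-0000-0000-000000000000",
                        "https://login.microsoftonline.com/common/oauth2/nativeclient",
                        st, resource="https://outlook.office.com/"))
```

POST the returned body as-is with `Content-Type: application/x-www-form-urlencoded`, keep `redirect_uri` byte-identical between the two steps, and do not URL-encode the code a second time after extracting it from the redirect: `parse_redirect` already returns it decoded, and `urlencode` re-encodes it once.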
