Office-js: Rest request with token obtained via getCallbackTokenAsync for shared mailbox fails with 403 if the manifest is deployed using centralized deployment

Created on 3 May 2020 · 9 comments · Source: OfficeDev/office-js

We are using the Office JS API to get information for the current message that the user is viewing in a shared mailbox via the REST API.
The user has delegated permissions.

Expected Behavior

Request should return information for the current mail

Current Behavior

Information is returned successfully only if the add-in is deployed manually via Get Add-ins.
If the add-in is deployed using centralized deployment from the admin center, error 403 is returned:

HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it.

x-ms-diagnostics: 2000008;reason="Delegate access to this API requires the following permissions: 'Mail.Read.All,Mail.Read.Shared,Mail.ReadBasic.All,Mail.ReadBasic.Shared,Mail.ReadWrite.All,Mail.ReadWrite.Shared,Mail.Write.All,Mail.Write.Shared'. However, the application only has the following permissions granted: 'Mail.ReadWrite,Mail.Send,Calendars.ReadWrite,Contacts.ReadWrite'.";error_category="invalid_grant"

Steps to Reproduce, or Live Example

  1. Create an add-in manifest that allows use in shared mailboxes, with SupportsSharedFolders set correctly.
  2. Deploy the add-in using centralized deployment from the admin center.
  3. Open the add-in on a mail in a shared mailbox for which the user has delegated permissions.
  4. Execute a REST request to obtain data for the currently viewed mail:
// Get a REST callback token, then the shared-mailbox properties, then fetch
// the current item from the shared mailbox owner's REST endpoint.
Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, function (result) {
    if (result.status !== "succeeded") {
        console.log("Error obtaining token.", result.error);
        return;
    }
    var token = result.value;
    // Convert the item's EWS id to the REST v2.0 id format.
    var id = Office.context.mailbox.convertToRestId(
        Office.context.mailbox.item.itemId,
        Office.MailboxEnums.RestVersion.v2_0);
    Office.context.mailbox.item.getSharedPropertiesAsync(function (shared) {
        if (shared.status !== "succeeded") {
            console.log("Error fetching shared properties.", shared.error);
            return;
        }
        // targetRestUrl is the REST base URL for the shared mailbox and
        // targetMailbox its address: .../v2.0/users/{targetMailbox}/messages/{id}
        fetch(shared.value.targetRestUrl + "/v2.0/users/" + shared.value.targetMailbox + "/messages/" + id, {
            headers: {
                "Authorization": "Bearer " + token,
                "Content-Type": "application/json"
            }
        }).then(function (r) {
            // fetch() resolves on 403 too; log the status and the x-ms-diagnostics
            // header (available to script only if the server exposes it).
            console.log(r.status, r.headers.get("x-ms-diagnostics"));
            console.log(r);
        }).catch(function (e) {
            console.log("error:", e);
        });
    });
});

Context

Your Environment

  • Platform: PC desktop, Office Online
  • Host: Outlook
  • Office version number: Office 16.0.12624.20422, Outlook Version 2003 (Build 12624.20520)
  • Operating System: Windows 10 Home version 1909 OS build 18363.778
  • Browser: Chrome, Edge, Firefox
Labels: Outlook, fixed
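As an added example (not code from this issue or from the office-js project), here is the same token-then-REST flow from the report, promisified and with the 403 handled explicitly: instead of logging the raw Response, it reads the x-ms-diagnostics header and splits out the required versus granted permission lists, so the add-in's own logs show whether the token merely lacks the *.Shared scopes or the call failed for another reason. The `mailbox` parameter stands for Office.context.mailbox and fetch is injected; the stub mailbox, stub fetch, the address shared@contoso.example and the item id AAMkAGI2 are constructed stand-ins, and the header text is the one quoted in the report. It runs stand-alone under node.

```javascript
// Added example (not the issue's or office-js code): the report's token ->
// shared properties -> REST flow, promisified, with the 403 inspected.
// `mailbox` is Office.context.mailbox in Outlook; stubs below are constructed.

// Parse an x-ms-diagnostics value of the form
//   <code>;reason="... permissions: 'A,B'. However, ... granted: 'C,D'.";error_category="..."
// into code, reason, category and the two permission lists.
function parseDiagnostics(header) {
  if (!header) return null;
  const code = header.split(';', 1)[0].trim();
  const reasonMatch = header.match(/reason="([^"]*)"/);
  const reason = reasonMatch ? reasonMatch[1] : '';
  const categoryMatch = header.match(/error_category="([^"]*)"/);
  // Single-quoted lists: first what the API accepts, then what the token carries.
  const lists = [...reason.matchAll(/'([^']*)'/g)].map(m =>
    m[1].split(',').map(s => s.trim()).filter(Boolean));
  const required = lists[0] || [];
  const granted = lists[1] || [];
  return {
    code,
    reason,
    errorCategory: categoryMatch ? categoryMatch[1] : '',
    required,
    granted,
    satisfied: required.some(p => granted.includes(p)), // any one accepted scope suffices
  };
}

// Promise wrappers for the callback-style Office APIs.
function getRestToken(mailbox) {
  return new Promise((resolve, reject) => {
    mailbox.getCallbackTokenAsync({ isRest: true }, result => {
      if (result.status === 'succeeded') resolve(result.value);
      else reject(new Error('getCallbackTokenAsync failed: ' + JSON.stringify(result.error)));
    });
  });
}

function getSharedProperties(mailbox) {
  return new Promise((resolve, reject) => {
    mailbox.item.getSharedPropertiesAsync(result => {
      if (result.status === 'succeeded') resolve(result.value);
      else reject(new Error('getSharedPropertiesAsync failed: ' + JSON.stringify(result.error)));
    });
  });
}

// Fetch the current item from the shared mailbox. Resolves to
// { ok: true, status, message } or { ok: false, status, url, diagnostics }.
// In Outlook pass Office.MailboxEnums.RestVersion.v2_0 as restVersion.
async function fetchSharedItem(mailbox, fetchImpl, restVersion) {
  const [token, shared] = await Promise.all([getRestToken(mailbox), getSharedProperties(mailbox)]);
  const id = mailbox.convertToRestId(mailbox.item.itemId, restVersion);
  const url = shared.targetRestUrl + '/v2.0/users/' +
    encodeURIComponent(shared.targetMailbox) + '/messages/' + encodeURIComponent(id);
  const r = await fetchImpl(url, { headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' } });
  if (r.ok) return { ok: true, status: r.status, message: await r.json() };
  // fetch() does not reject on 403: read the status and the diagnostics header.
  return { ok: false, status: r.status, url, diagnostics: parseDiagnostics(r.headers.get('x-ms-diagnostics')) };
}

// Constructed stand-ins (not real Outlook objects or server responses).
// The header text is the one quoted in the report.
const SAMPLE_DIAGNOSTICS =
  '2000008;reason="Delegate access to this API requires the following permissions: ' +
  "'Mail.Read.All,Mail.Read.Shared,Mail.ReadBasic.All,Mail.ReadBasic.Shared,Mail.ReadWrite.All," +
  "Mail.ReadWrite.Shared,Mail.Write.All,Mail.Write.Shared'. However, the application only has " +
  "the following permissions granted: 'Mail.ReadWrite,Mail.Send,Calendars.ReadWrite,Contacts.ReadWrite'.\"" +
  ';error_category="invalid_grant"';

function stubMailbox() {
  return {
    getCallbackTokenAsync: (opts, cb) => cb({ status: 'succeeded', value: 'stub-token' }),
    convertToRestId: id => id, // the real call re-encodes an EWS id as a REST id
    item: {
      itemId: 'AAMkAGI2', // made-up id
      getSharedPropertiesAsync: cb => cb({
        status: 'succeeded',
        value: { targetRestUrl: 'https://outlook.office.com/api', targetMailbox: 'shared@contoso.example' },
      }),
    },
  };
}

function stubFetch(status, headers, body) {
  return async () => ({
    ok: status >= 200 && status < 300,
    status,
    headers: new Map(Object.entries(headers)), // Map.get stands in for Headers.get (lowercase names)
    json: async () => body,
  });
}

// The failing case from the report: a 403 carrying the scope mismatch.
function demoForbidden() {
  return fetchSharedItem(stubMailbox(), stubFetch(403, { 'x-ms-diagnostics': SAMPLE_DIAGNOSTICS }, null), 'v2.0');
}

demoForbidden().then(r => console.log(JSON.stringify(r, null, 2)));
```

Inside Outlook, call fetchSharedItem(Office.context.mailbox, window.fetch, Office.MailboxEnums.RestVersion.v2_0) and branch on the returned ok flag; a diagnostics object whose satisfied field is false with the *.Shared scopes absent from granted is the signature of the token described in this issue, whereas a 401 or a missing header points elsewhere. Note that r.headers.get returns the header only if the server exposes it to script; the value is always visible in the browser's network tab.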

All 9 comments

@exextoc - Do you mind looking into this issue? Thanks!

We have the same issue.

The deployed add-in fails with a 403 error for API calls for a shared mailbox item e.g.
https://outlook.office.com/api/v2.0/users//messages/

But works as expected for Inbox items e.g.
https://outlook.office.com/api/v2.0/me/messages/

Our manifest <Permissions> is set to: ReadWriteMailbox

Hello @mscharlock @exextoc,
Just writing to check whether there is any information regarding this issue.
We are currently struggling to make any calls to the REST services from within a shared mailbox if the add-in is deployed using centralized deployment, and that is causing issues for us in production.

Best Regards

Thanks for reporting this issue regarding getCallbackTokenAsync in an add-in which is deployed using Centralized deployment. It has been put on our backlog. We unfortunately have no timelines to share at this point.

This is affecting our users. Any ETA on this?

Also note that the itemId of a shared calendar item is different in Desktop vs. OWA.
Can you please prioritize the fix for this or provide a workaround? Shared Calendar is a big use case for us.
Let us know if using the Graph API will work. The reason I'm asking is that the itemId on desktop vs. OWA is different, and this is input for the Graph API too.

tracked internally with bug 1496409 (BLR)

I have recently experienced an issue that looks the same as this. In my case, though, I am iterating through a number of attachments on an email. The problem seems to occur intermittently: for example, I get through 10 out of 20 attachments, then start receiving the 403 errors. So I thought it might be related to the access token becoming invalid after it reaches a timeout. I was wondering if this could possibly account for what others might be experiencing?

I guess I was wondering if there was much time passing between your call to Office.context.mailbox.getCallbackTokenAsync and subsequent calls using the retrieved token?

Are you getting the 403 error consistently or intermittently?

Thanks

We have fixed the bug and depending on the release channel a customer is on, getting an updated build can take anywhere from 4-6 weeks.
