EWS Soap API access with MSAL example

[guidedways]

This is more of a question. I’ve stumbled across MSAL just recently after looking into ADAL. We have a client app that logs in a user using basic authentication (autodiscovery) in order to access the SOAP end points for managing their calendars. This is working fine, but of course given companies have started moving towards SSO and MFA, this doesn’t work.

I’m hoping integration with MSAL will allow us to continue to do what we were doing, apart from the authentication bit? And instead of sending Basic Auth headers, we would use the OAuth token?

Is there a working example for this demonstrating accessing of EWS soap endpoints? Preferably for macOS?

[guidedways]

@oldalton could you help with this?

[guidedways]

Thanks for the recent support for macOS.

I've got MSAL up and running, and am successfully able to obtain a token. However, this may sound naive, but how do you obtain the end-point to make API calls on (for EWS)? So for instance, if someone uses MSAL to successfully authenticate, should I assume that the end point would always be https://outlook.office365.com? I'm using the https://outlook.office365.com/EWS.AccessAsUser.All scope.

Would this work for any Office 365 account, even if it's something like myemail@somewhere.in.de?

[oldalton]

@guidedways, https://outlook.office365.com should work for all worldwide cloud accounts. Just to confirm, is the question how to enable the same with sovereign clouds in mind (e.g. if a user is from German cloud)?

[guidedways]

Thank you! That answers my question. I'm not exactly sure what a sovereign account is - but by the sound of it, I may not need to separately support it (unless it's a flag I set somewhere to support everything under the sun + sovereign accounts)?

I'm super thrilled that MSAL on macOS is finally working for us.

[oldalton]

Yes, you'd need to support it separately (both in your app registration and passing different scope). Here's some more information about AAD sovereign clouds: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud. Let me know if you have questions.

[guidedways]

@oldalton Thank you! I'll go through the document and let you know if I have questions. I'm not sure if this is related, but this issue has just come up: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/627

Could you help? I've read on Okta's support website that they support ADAL. They don't mention MSAL anywhere, so does that mean we should be using ADAL instead?

[oldalton]

I'm not aware of any limitations for not using MSAL, but let me take a closer look on your issue.

[guidedways]

@oldalton Thank you so much, and please disregards. This was due to user error. They've just written back saying it's working perfectly!

[guidedways]

@oldalton I’m writing back in regards to the sovereign cloud setup you mentioned above. I’ve gone through the documentation and I can see how there exist separate end points for certain regions, and so we need to setup our app in each of those regions separately. However what I don’t understand is how the app would know or device which particular cloud to use (the global one or the German one for instance). How can we decide at runtime without asking the user this question or offering them some kind of drop down? Or is that going to be necessary? I’m worried this may confuse the user. Offering them more options than needed would only increase the confusion for those that don’t know what this means.

[oldalton]

Sorry for a late reply on this one. I wanted to have a bit better support for this scenario before providing a sample.

We just added a new flag in MSAL to support this scenario: https://azuread.github.io/microsoft-authentication-library-for-objc/Classes/MSALPublicClientApplicationConfig.html#/c:objc(cs)MSALPublicClientApplicationConfig(py)multipleCloudsSupported

If you set this flag to YES, you can always start your interactive token acquisition from the default authority of "https://login.microsoftonline.com/common". Depending on the end user's cloud, correct authority will be discovered during the authorization flow and returned back to the application in the MSALResult. Note that your clientId needs to be registered in other sovereign clouds for this to work.

[guidedways]

@oldalton Thanks! A couple of questions:

1. Why is this not switched ON by default? Should we worry about any other issues?

2. We're stuck on v0.50 on the mac because for some odd reason you've removed support for macOS 10.11 and our apps depend on that. I realize you use some property / declaration or something that requires 10.12 but that needs to be kindly be back ported. I've raised this as a separate issue (can't recall which one it is) but this needs to be fixed before we begin using the newer versions of MSAL.

[oldalton]

1. You need to ensure that your application is registered in multiple clouds (you can verify that by going to portals of national clouds and confirming your app is properly configured there).

2. There's another issue about this. Let's continue the discussion in that issue.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. Please provide additional information if requested. Thank you for your contributions.