Is There a Way to Request an Access Token?

[chodges]

Hello:

I've been reading a ton of the questions/answers and I still can't determine 100% whether I can login my user (by using their email/password) and request an access token that I can use for subsequent requests and sessions.

I don't want to and its not good practice by any stretch to store the users' usernames and passwords in my system.

I've used the Office 365 REST API and have been able to request the access token and use it. I'm just trying to duplicate this with the Exchange API.

If it helps here is the scope of what I'm trying to do: I have a web-app that needs to be read/write things to the users' calendar and so what I would like to allow the user to authenticate using their username/password with my app receiving the access token that can be used for future queries.

Thanks for your help.

[jamesiarmes]

This library doesn't currently support this method of authentication, as it's only available with Exchange Online. I'm would be open to any submitted patches, but I do not have this on my radar at this time.

[chodges]

Okay understood. I guess I'm just trying to figure out how other people do this then? I surely hope they're not storing people's email addresses and passwords or forcing them to login each and every time they open an app.

[Garethp]

Hi @chodges

May I suggest you try my own ews library, garethp/php-ews, which does in fact come with support for fetching an access token and using that as authentication

[chodges]

Hi @Garethp

Thanks yes I know of your library and I took a look at it. I think the problem that I'm facing is I'm attempting to connect to a hosted Exchange server that just does not have the token access method available.

[Garethp]

Hm... Is it the latest exchange version? What version are you running? And is your authentication maybe backed by Azure?

[chodges]

HI @Garethp

I'm not sure which version of exchange it is. I'm building a custom CRM that needs to connect to people's Outlook to add/edit calendar events. So in reality I'm not going to always know which version of Exchange it is that they are running or if its backed by Azure.

I do know that this a third-party Exchange server running on their IT company's infrastructure so its not a direct Microsoft hosted account.

[Garethp]

Then unfortunately it's not possible. OAuth is the only token-based authentication that Exchange Provides, and that's only available when the authentication is backed by Azure Directory Services. Exchange does also provide NTLM Authentication, so that people who are already logged in to their domain account don't have to log in again, but I've been struggling to find a way to make this work in PHP.

Your best option may either be to have the user give their password with each login, or have a master account that has impersonation rights, and store the password for that account in a secure manner

[chodges]

@Garethp I wouldn't have a problem using another technology (e.g. Javascript) to enable the user to log in and then grab the token but I haven't come across a way to do even that. I can always send the token over to the server for safe keeping.

[jamesiarmes]

Created a feature request at jamesiarmes/php-ntlm#2 for this.

[kiranraj5225]

@Garethp & @chodges , I have did some small changes in your ExchangeWebServicesAuth.php's fromUsernameAndPassword function as below. It worked as expected from my locahost but i am yet to check in production server.

replace the existing return statement with below one.

    return array(
        'curl' => array(
            CURLOPT_HTTPAUTH => CURLAUTH_NTLM,
            CURLOPT_UNRESTRICTED_AUTH => true,
            CURLOPT_USERPWD => ":"
        )
    );

I have also changed the Mail API::withUsernameAndPassword parameter as below.

$server = 'xxx.bbb.com'
$username = '';
$password = '';

$api = MailAPI::withUsernameAndPassword($server, $username, $password);

I was able to see the sent mail in my actual display name. I think the empty ":"
parameter for CURLOPT_USERPWD has taken the current user.

Reference Link:
https://stackoverflow.com/questions/23522503/can-i-bypass-the-username-pw-using-curl-with-iis-windows-authentication-in-php

[ablyler]

@Garethp have you considered merging your improvements back into @jamesiarmes's repo? There is another fork that also has OAuth support: https://github.com/barracudanetworks/php-ews. I am trying to figure out if it is worth trying to rebase that repo and create a PR.

[Garethp]

@ablyler I had a PR open at the beginning, but at that point James was busy with other things. In the end our projects grew too far apart to really merge in. We discussed it, but our libraries are trying to solve separate problems and achieve separate goals. At this point my library won't be easily merged in.

I can't really comment on whether or not it would be worth it for you to change what repo you're using