
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).

Step 1: GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root I hit 200 and as answer I receive this:

[screenshot of the autodiscover response]

Step 2: I use the user link. So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct). In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)

[screenshot of the 401 response headers]

Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot). This is how I compose the call:

[screenshot of the authorization request]

If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I successfully login and hit 404, where in the answer I receive back my access token.

Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.

[screenshot of the response with the applications link]

Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can't access the resource at the last step.

EDIT:

The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.

[screenshot of the granted permissions]

Tarta
  • I haven't written a Skype integration before, but one option could be that you need to assign permissions to the app in Azure AD. Maybe there is a delegated permission you could use? – juunas Feb 15 '19 at 06:07
  • @juunas already added all the possible permissions. Unfortunately still nothing – Tarta Feb 15 '19 at 14:53
  • Did you also grant the permissions? ;) – juunas Feb 15 '19 at 14:54
  • 2
    @juunas yes also that is done :( check out the EDIT I have made to the post concerning the permissions – Tarta Feb 15 '19 at 15:24
  • @Tarta Sir.. Please answer my question, https://stackoverflow.com/questions/57170656/skype-for-business-receive-im-not-working-with-the-below-steps .. I am not able to receive im, in skype for business UCWA api. As you have already worked on this, I am not able to receive any IM in UCWA. Please guide me. – curious_one Jul 27 '19 at 07:30
  • @curious_one wish I could help you man. I stopped at the "presence" part cause that's what I needed. Unfortunately I didn't need to go through the messaging part.. I am sorry for not being able to help :/ – Tarta Jul 29 '19 at 12:44
  • 1
    anyways thankyou for this question, its helpful for all the hundreds of people who has faced the same issue as yours, the resource and the matter are very helpful to us people.. as the api is very confusing and not well documented.. – curious_one Jul 29 '19 at 14:33

1 Answer


So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resource which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.

You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.

As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:

https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.

https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc

Jamie