ROPC flow has a limitation for federated users

Hi Team,
You recommend using the Azure resource owner password credential (ROPC) flow as the implementation of a token provider, but if you look at the Microsoft link Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials | Microsoft Learn:

Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can’t be used.

and

ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.

The problem is that our customer cannot authorize to the email server using EWS:

outlook.office365.com. —> System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at #=za1dYN5humbx591Xnfx1Zed_3QZgSIf$Ff3lM4ro19i1GcI74ew==.GetFolder(GetFolderType GetFolder1)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, ICredentials credentials, WebProxy proxy)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, String username, String password)

Microsoft’s support commented:

Our recommendation is to validate whether the application is able to use other authentication flows, because the ROPC flow has a limitation for federated users. Any other flow will be fine as long as it can handle the authentication of federated user accounts.

So, could you clarify whether there is any way to use another authentication flow instead of ROPC?

Thank you

@cap.aspose

Aspose.Email does not recommend using ROPC for authentication. We just provide it as the simplest implementation of a token provider. This is very important, as it was made to show how a token provider can be implemented. You can implement your own token provider with the MS library according to your requirements.
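An added example (not code from Aspose or from this thread) of such a custom token provider: it implements Aspose.Email's ITokenProvider on top of MSAL's interactive authorization-code flow, so a federated user is redirected to their own identity provider in the browser instead of having the password posted to Azure AD, which is the case ROPC cannot handle. The client ID, tenant ID and mailbox address are placeholders, and the Aspose.Email and MSAL member names are assumed from their public APIs.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Aspose.Email.Clients;
using Microsoft.Identity.Client;

// Token provider backed by MSAL's interactive (authorization-code + PKCE) flow.
// The sign-in happens in a browser, so a federated user is redirected to the
// on-premises IdP; Azure AD never has to check the password itself, which is
// exactly what ROPC cannot do for federated accounts.
public sealed class InteractiveTokenProvider : ITokenProvider
{
    // Placeholders: substitute the app registration's client and tenant IDs.
    private const string ClientId = "<app-client-id>";
    private const string TenantId = "<tenant-id>";
    private static readonly string[] Scopes = { "https://outlook.office365.com/EWS.AccessAsUser.All" };

    private readonly IPublicClientApplication app = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithRedirectUri("http://localhost") // loopback redirect for a desktop app
        .Build();

    private OAuthToken cached;

    public OAuthToken GetAccessToken() => GetAccessToken(false);

    public OAuthToken GetAccessToken(bool ignoreExistingToken)
    {
        // Reuse the token while it is valid for at least another minute.
        if (!ignoreExistingToken && cached != null && cached.ExpirationDate > DateTime.UtcNow.AddMinutes(1))
            return cached;
        AuthenticationResult result = AcquireAsync().GetAwaiter().GetResult();
        cached = new OAuthToken(result.AccessToken, TokenType.AccessToken, result.ExpiresOn.UtcDateTime);
        return cached;
    }

    private async Task<AuthenticationResult> AcquireAsync()
    {
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try { return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync(); } // uses MSAL's cached refresh token
            catch (MsalUiRequiredException) { /* fall through to the browser */ }
        }
        return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
    }

    public void Dispose() { }
}
```

Pass it to EWS as `new OAuthNetworkCredential("user@contoso.com", new InteractiveTokenProvider())` through the `ICredentials` overload of `EWSClient.GetEWSClient`, in place of the username/password overload shown in the stack trace above.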

Hi Team,
Could you clarify whether you have successful experience implementing a Provider that works with a hybrid identity environment (Single Sign-On server, SSO) like PingFederate, for example?
Does EWSClient provide such methods (SSO) of authentication?

Thank you

@cap.aspose

We have OAuth2, which you may consider using if that suits your needs. You can try the sample project shared in the following thread.

Hi,
I don’t have access to download this project.

Could you share it to this topic?
Thank you.

@cap.aspose

I have shared the response in concerned thread with you for your convenience.

OAuth_Test22.zip (1.1 MB)