You recommend using Azure resource owner password credential (ROPC) as the implementation of a token provider, but if you look at the Microsoft link https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc :
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can’t be used.
ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.
The problem is that our customer cannot authorize to the email server using EWS:
outlook.office365.com. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object parameters)
at #=za1dYN5humbx591Xnfx1Zed_3QZgSIf$Ff3lM4ro19i1GcI74ew==.GetFolder(GetFolderType GetFolder1)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, ICredentials credentials, WebProxy proxy)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, String username, String password)
Microsoft’s support commented:
Our recommendation is to validate if the application is able to use other authentication flows, because the ROPC flow has a limitation for federated users. Any other flow will be fine as long as it can handle the authentication of federated user accounts.
So, could you clarify if there is any way to use another authentication flow instead of ROPC?