Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

403 Error | App Delegate Access for Personal Outlook Account #1324

Closed
mattyoungberg opened this issue Jul 21, 2024 · 5 comments
Closed

403 Error | App Delegate Access for Personal Outlook Account #1324

mattyoungberg opened this issue Jul 21, 2024 · 5 comments

Comments

@mattyoungberg
Copy link

When trying to use exchangelib for my own personal Outlook inbox (domain @outlook.com), I hit a 403 Forbidden error.

I've tried multiple flavors of the script below, but this is the MCVE:

from exchangelib import DELEGATE, Account, O365InteractiveConfiguration
from exchangelib.credentials import O365InteractiveCredentials

CONFIG = {
    "clientId": "my-client-id",
    "authority": "https://login.microsoftonline.com/consumers",
    "username": "my-personal-email@outlook.com"
}


def main():

    O365InteractiveCredentials.AUTHORITY = CONFIG["authority"]

    a = Account(
        primary_smtp_address=CONFIG["username"],
        config=O365InteractiveConfiguration(
            client_id=CONFIG["clientId"], username=CONFIG["username"]
        ),
        access_type=DELEGATE,
        autodiscover=False,
    )

    print(a.root.tree())


if __name__ == "__main__":
    main()

The short of it is that, in attempting to parse a response from the server, it gets a 403 with an empty body:

exchangelib.errors.MalformedResponseError: Unknown failure in response. Code: 403 headers: {'Cache-Control': 'private', 'Transfer-Encoding': 'chunked', 'Server': 'Microsoft-HTTPAPI/2.0', 'X-BEServer': 'MW4PR20MB5591', 'X-NanoProxy': '1', 'X-AspNet-Version': '4.0.30319', 'Request-Id': 'd6724590-541e-cb68-371a-594a34c7ca13', 'X-CalculatedBETarget': 'MW4PR20MB5591.namprd20.prod.outlook.com', 'X-BeSku': 'WCS7', 'X-BackEndHttpStatus': '403', 'X-DiagInfo': 'MW4PR20MB5591', 'x-ms-appId': '000000004148D700', 'X-Proxy-BackendServerStatus': '403', 'X-Proxy-RoutingCorrectness': '1', 'X-RUM-NotUpdateQueriedPath': '1', 'X-RUM-NotUpdateQueriedDbCopy': '1', 'X-RUM-Validated': '1', 'X-UserType': 'Consumer', 'X-FEServer': 'MW4PR03CA0054', 'X-FirstHopCafeEFZ': 'EAT', 'Alt-Svc': 'h3=":443";ma=2592000,h3-29=":443";ma=2592000', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'MS-CV': 'kEVy1h5UaMs3GllKNMfKEw.1', 'Set-Cookie': 'exchangecookie=daace9cb40204a51bd143350a42be3a9; expires=Mon, 21-Jul-2025 00:36:29 GMT; path=/; secure; HttpOnly', 'Date': 'Sun, 21 Jul 2024 00:36:29 GMT'} content:

What I've done on the app side:

  • I registered the application as supporting AzureAD and Personal Microsoft Accounts (Manifest line "signInAudience": "AzureADandPersonalMicrosoftAccount")
  • I've correctly configured it as a desktop app whose redirect URI is http://localhost
  • I've used the manifest declaration to get the EWS.AccessAsUser.All permission. It appears you cannot add it via the UI since they're trying to deprecate it.

When I run the script, the auth flow completes validly. When trying to talk to EWS, however, the library continually gets 403 errors. In this case, it appears that it gets hung up on trying to query the server to figure out its version. I've done bigger scripts where I provide it manually, but I essentially get hung up on the same 403, no matter what request the lib is making.

Why I'm not using the Graph API: Because they don't support contact lists that exist in the Outlook web app. This is apparently functionality that is only accessible through EWS.

Why this may not be working: In an attempt to move everyone off EWS and onto Graph, they've disallowed this kind of access.

I'm hopeful a response to this ticket can either 1) help me get past my 403 error so I can manage my contact lists, or 2) confirm that this kind of access is indeed no longer being allowed.

Thanks in advance!
@ecederstrand
Copy link
Owner

ecederstrand commented Jul 21, 2024
edited
Loading

Thanks for the report!

Which version of exchangelib is this? We've seen MalformedResponse on earlier versions, but that was since fixed.

@mattyoungberg
Copy link
Author

Hey @ecederstrand , thanks for responding. I'm using exchangelib==5.4.2, Python version 3.10.12 on Ubuntu 22.04.4 LTS.

@ecederstrand
Copy link
Owner

I'm certain that O365 have not kicked people off EWS in general. My test account is on O365 and uses OAuth, and that still works.

I'm not very familiar with the OAuth setup in Azure, unfortunately. I would suggest asking for help in a forum dedicated to this topic.

@mattyoungberg
Copy link
Author

That sounds like a good plan; this can be closed.

Do you have one you'd recommend? I haven't otherwise had experience w/ the Azure ecosystem other than this small little app I was trying to write 😂

@ecederstrand
Copy link
Owner

Sorry, I don't have any specific forum recommendations for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ecederstrand @mattyoungberg