Accessing Skype for Business API (UCWA) : HTTP 403 / Forbidden

I'm trying to connect to & use Skype for Business API (UCWA) following this procedure, using a Node.js test script.

I've registered a test app in Azure AD and checked all permissions concerning Skype for Business Online.

I'm doing this (simplified):

var adal = require('adal-node');
var https = require('https');

var clientId = 'a5cbbd......cc4a1'; // = app ID
var clientSecret = 'IOSDk1......LJ6vE='; // test key from Azure AD

var context = new adal.AuthenticationContext('https://login.windows.net');

// 'Autodiscover' step
// (callRestAPI() makes an HTTPS request using https.request() and returns results as JSON)

callRestAPI('webdir.online.lync.com', 443, '/autodiscover/autodiscoverservice.svc/root', 'GET', null /* no specific headers */, function(err, res) {

  if (err) { console.log(err); return err; }

  // extract discovered domain (I get something like https://webdir1e.online.lync.com)
  let regex = new RegExp('^(https?://[^/]*)', 'g');
  let sfbDiscoveredDomain = regex.exec(res._links.user.href);
  sfbDiscoveredDomain = sfbDiscoveredDomain[1];

  // 'Acquire token' step

  context.acquireTokenWithClientCredentials(sfbDiscoveredDomain, clientId, clientSecret, function(err, res) {

    if (err) { console.log(err); return err; }

    regex = new RegExp('^https?://([^/]*)', 'g');
    let sfbHost = regex.exec(res.resource);
    sfbHost = sfbHost[1]; // here I get something like 'webdir1e.online.lync.com'

    // 'Resending an autodiscovery request with the bearer token' step

    callRestAPI(sfbHost, 443, '/autodiscover/autodiscoverservice.svc/root/oauth/user', 'GET', {'Authorization': 'Bearer ' + res.accessToken}, function(err, res) {

      if (err) { console.log(err); return err; }
      console.log(res);

    });
  });
});

The last step (resending an autodiscovery request) always fails with error HTTP 403/Forbidden.

There is an additional interesting response header:

'x-ms-diagnostics': '28070;source="AM41E00EDG01.infra.lync.com";reason="Service does not allow a cross domain request from this origin."'

...but I still don't understand why this error occurs.

I've played with additional headers seen here and there in various code samples (X-Ms-Origin and Host), with no luck.

There is 1 answer

BastianW On

This issue (Service does not allow a cross domain request from this origin.) is mostly caused by "Cross-Origin Resource Sharing (CORS)" and by the address that is requesting access not being "whitelisted".

A Skype for Business administrator can configure that as follows (more info here) when the server is on premises (see the StackOverflow question here):

$x = New-CsWebOrigin -Url "https://apps.contoso.com"
Set-CsWebServiceConfiguration -Identity "{YOUR_IDENTITY}" -CrossDomainAuthorizationList @{Add=$x}

However, as your Skype for Business isn't on premises (it's online), I assume there is nothing you can do, as this section is mostly controlled by the cloud admins from Microsoft.

However, as UCWA is supported with Skype for Business Online, I assume there is something wrong on your side. Did you check whether the application is correctly registered as explained here? If yes, a Fiddler trace might be useful to see what caused that issue.
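
A small Node.js helper for the troubleshooting suggested above, as an added example that is not part of the original question or answer: it parses the x-ms-diagnostics header and decodes (without verifying) the bearer token's claims, so the token's audience can be compared with the host being called. The function names and the sample token are constructed for illustration.

```javascript
// Added diagnostic helper (not from the original post).
// Parses the x-ms-diagnostics response header and decodes the claims of a
// bearer token so a rejected request can be compared with what was issued.

// Split '28070;source="...";reason="..."' into { code, source, reason }.
function parseMsDiagnostics(header) {
  const m = /^\s*(\d+)\s*;(.*)$/s.exec(header || '');
  if (!m) return null;
  const out = { code: Number(m[1]) };
  // Fields are key="value" pairs; values may contain ';', so match on quotes.
  const re = /(\w+)="((?:[^"\\]|\\.)*)"/g;
  let f;
  while ((f = re.exec(m[2])) !== null) out[f[1]] = f[2];
  return out;
}

// Decode (NOT verify) the payload of a JWT; for local troubleshooting only.
function decodeJwtClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Summarise what the token was issued for versus the host being called.
function describeToken(token, requestHost) {
  const c = decodeJwtClaims(token);
  let audHost = null;
  try { audHost = new URL(c.aud).host; } catch (e) { /* aud may be a GUID */ }
  return {
    audience: c.aud,
    audienceMatchesHost: audHost === requestHost,
    delegatedScopes: c.scp ? c.scp.split(' ') : [], // 'scp': delegated scopes
    appRoles: c.roles || [],                        // 'roles': app roles
    expired: typeof c.exp === 'number' && c.exp * 1000 < Date.now(),
  };
}

// Constructed sample data: the header from the question and an unsigned token.
const sampleHeader = '28070;source="AM41E00EDG01.infra.lync.com";' +
  'reason="Service does not allow a cross domain request from this origin."';
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [b64url({ alg: 'none' }),
  b64url({ aud: 'https://webdir1e.online.lync.com', exp: 4102444800 }), 'sig'].join('.');

console.log(parseMsDiagnostics(sampleHeader));
console.log(describeToken(sampleToken, 'webdir1e.online.lync.com'));
```

Keep the decoded output out of shared logs together with the raw token: the claims are safe to paste into a question, the token itself is a credential.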