
Want to integrate Outlook with your applications with the help of OAuth 2.0?

Updated on August 15, 2016


Most APIs nowadays incorporate OAuth 2.0 authentication. It is not as complicated as it may seem at times, provided the right links and documentation are found. Microsoft APIs are extremely helpful and useful, but accessing them from a third-party application is when the entire process of registration and access token retrieval has to be followed, to comply with the OAuth authentication in place.

For Office 365 (2016) APIs, the links used to access these APIs are of the format {version}/me/

me – represents the logged in user
{version} – v2.0 or v1.0
/… – events (for outlook calendar API)

The first step, as hundreds of websites mention, is to register the application. To be a little more comprehensive on this point, I would like to mention that it is not required to deploy any kind of code or application into the registration portal. is free if you have access to a Microsoft office account.

The registration process is a way of letting Microsoft know that a particular app is going to access its APIs. It is good practice to name the app appropriately, as the name will appear on the screen when the application being developed navigates to the login page.

The application id is the client id, which must be provided in the headers when requests are made for the authorisation code and the access token.

Clicking on Generate new password provides a client secret. New key pairs can be generated as often as needed, but if the developed application is deployed in a client environment, these details have to be provided at the very beginning and there is little chance for frequent changes. Therefore, as the client secret is displayed just one time, it is advisable to make a note of it. These are generally valid for two years.

The Add platform button lets you choose which type of application is going to be developed.

Definitely both can be selected (one at a time).

The most important step during registration is to take extra care when the redirect-uri is added. This is where Microsoft will send the access and refresh token after authentication.
Redirect-uris are crucial: make absolutely sure that the links provided are available in the application and that requests and responses to those links can be monitored. Multiple uris can be added here as well.

(N.B.- Uris in the format http://localhost:8080 are accepted, however any uri with a different system name appearing in place of localhost will not be accepted.)

OAuth 2.0 is a two-step authentication. The first layer sends an authorisation code, which could be referred to as a part of the key to the second layer, which gives the access token.
To get this part of the key, a GET request for the authorisation code must be executed.

The link to which the request is sent: –

The request header must contain: -

Response-type = code (always code for receiving authorisation code)
Client-id = your client id
Redirect-uri = uri which is available in your application and also registered with Microsoft dev portal for the same client id
Scope = what functions your app will be performing
(eg:- openid offline_access profile

This GET request takes the application to the Microsoft login page, where a valid Microsoft user name and password have to be provided and the necessary permissions must be granted. Completion of this step redirects the application to the redirect uri with an authorisation code.

This authorisation code can be captured from the query string parameters of the request.

The next step is to obtain the access token which can be done by sending a post request to

The post request for access token should contain: -

Grant-type = authorization_code
Code = authorisation code (captured from last request)
Scope= same as previous request
Redirect-uri=needs to be same as previous url or else this would give an error
Client-id=same client-id
Client-secret=the client secret that had been noted down

Sharing a client secret is deemed an offence, so no website will ever share that detail; this makes the registration process even more pivotal.

Java code snippet to form the post request: -

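// Apache HttpClient 4.x
import org.apache.http.HttpEntity;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import java.util.ArrayList;
import java.util.List;

List<NameValuePair> pairs = new ArrayList<NameValuePair>();
pairs.add(new BasicNameValuePair("grant_type", "authorization_code"));
pairs.add(new BasicNameValuePair("code", authorisationCode));     // captured from the redirect
pairs.add(new BasicNameValuePair("scope", scope));                // scope mentioned in the GET request for the auth code
pairs.add(new BasicNameValuePair("redirect_uri", redirectUri));   // your redirect uri
pairs.add(new BasicNameValuePair("client_id", clientId));         // your client id
pairs.add(new BasicNameValuePair("client_secret", clientSecret)); // your client secret

HttpPost post = new HttpPost(tokenUrl);                           // URL of the access token request
HttpEntity postParams = new UrlEncodedFormEntity(pairs);
post.setEntity(postParams);                                       // attach the form body to the request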


This POST request will again redirect the application to the redirect uri mentioned, and this time the response content will contain the access token and the refresh token.
The access tokens for different APIs have different expiration times, and for Microsoft APIs they are mostly valid for an hour. To avoid the pain of logging in again and again, refresh tokens can be used to keep retrieving fresh access tokens. The refresh tokens look similar to the authorisation code, and the POST request for an access token using a refresh token is the same, except that grant-type needs to be set to refresh-token and the refresh token is given in place of the authorisation code.

Once the access token is received, the authentication procedure is complete and these tokens can be used to access the endpoint APIs. The tokens can be saved to a file or a variable for the required function.

Requests to different APIs can vary widely; however, it is of utmost importance that the request header contains: - authorization = Bearer your-access-token, to perform the necessary actions.
(e.g. post.setHeader("authorization", "Bearer " + accessToken);).
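The token handling described above (one-hour access tokens, refreshing instead of logging in again, the Bearer header) as a small Java holder, added here as an example and not part of the original post. It follows the post's description of the refresh request; the five-minute margin, the class name and the sample values are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class TokenSession {
    static final Duration MARGIN = Duration.ofMinutes(5); // assumed safety margin before expiry
    private String accessToken, refreshToken;
    private Instant expiresAt;

    // Record a token response; lifetimeSeconds is the validity period the server reported.
    void update(String access, String refresh, long lifetimeSeconds, Instant now) {
        accessToken = access;
        if (refresh != null) refreshToken = refresh; // keep the old one if none came back
        expiresAt = now.plusSeconds(lifetimeSeconds);
    }

    boolean needsRefresh(Instant now) {
        return accessToken == null || !now.isBefore(expiresAt.minus(MARGIN));
    }

    // Body of the refresh POST: grant_type changes and refresh_token replaces code.
    String refreshForm(String clientId, String clientSecret, String scope, String redirectUri) {
        Map<String, String> f = new LinkedHashMap<>();
        f.put("grant_type", "refresh_token");
        f.put("refresh_token", refreshToken);
        f.put("scope", scope);
        f.put("redirect_uri", redirectUri);
        f.put("client_id", clientId);
        f.put("client_secret", clientSecret);
        return f.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    String authorizationHeader() { return "Bearer " + accessToken; }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2016-08-15T10:00:00Z");       // constructed clock
        TokenSession s = new TokenSession();
        s.update("ACCESS-1", "REFRESH-1", 3600, t0);              // constructed token values
        System.out.println(s.needsRefresh(t0.plusSeconds(600)));  // well inside the hour
        System.out.println(s.needsRefresh(t0.plusSeconds(3400))); // inside the 5-minute margin
        System.out.println(s.refreshForm("my-client-id", "my-secret", "openid offline_access profile",
                "http://localhost:8080/callback").startsWith("grant_type=refresh_token&refresh_token=REFRESH-1"));
    }
}
```

The demo prints only a check on the form body rather than the body itself, so the client secret and tokens never reach the console or a log.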

Key Points: -

  1. Registration of application.
  2. Get request to authorisation API to receive authorisation code.
  3. Post request to access token API to receive access token and refresh token.
  4. Post or get (depending on requirement) to the endpoint API using the access token received.


Let me know if you have any questions.
