OAuth 2.0 Access Token Generation

Article ID: 273265


Products

CA Service Desk Manager
CA Service Management - Service Desk Manager

Issue/Introduction

Information on how access token generation works for OAuth 2.0

Environment

CA Service Desk Manager 17.3 and 17.4

Resolution

1.  If you log in as a normal mailbox user after clicking Generate Access Token, the Need Admin Approval window is shown (this is to be expected).

This can happen if the customer explicitly types the normal mailbox user details into the window that opens after clicking Generate Access Token, or if the normal mailbox user was already logged into the browser earlier and cookies exist, so the browser may have logged in automatically.

It is advised to generate an access token in an Incognito browser window, so that there are no cookies available.

1.  Via an Incognito web browser window, log into the CA SDM UI 

2.  Navigate to the Mailbox Page and then to the OAuth details page

3.  Click on Generate the Access Token, which opens a Microsoft login popup page.

4.  Log in as an Azure Administrator to provide Admin Consent.  Once the Administrator provides consent, the page redirects to a new Microsoft login page.  Now log in as a normal Mailbox User, and the access token is generated.

normal mailbox user = User Name provided in Mailbox detail page
 
There are two scenarios in which an access token expires and is not automatically regenerated.

1. Access Token expires after 1 hour (short expiry time provided by Microsoft)

  • The access token was generated without the offline_access scope
  • Provide scope as offline_access (https://outlook.office.com/IMAP.AccessAsUser.All) and regenerate the access token so that the next time the access token expires, it regenerates successfully
  • The second required certificate is not present in the certificate path, and hence the access token did not get regenerated

2. Access Token expires after 90 days of generation.

  • Prior to CA SDM 17.3 RU19, customers need to generate the access token manually from the mailbox page
  • From CA SDM 17.3 RU19 onwards, the access token gets regenerated automatically
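
The check below illustrates scenario 1. It is an added example, not code from CA SDM or Broadcom: it inspects a scope string and a standard OAuth 2.0 token endpoint response (RFC 6749 field names) to tell whether the token can renew itself. The function names and sample values are constructed for illustration, and it assumes the Microsoft identity platform behaviour of issuing a refresh token only when offline_access is requested.

```python
from datetime import datetime, timedelta, timezone

# Scopes named in this article; scope strings are space-delimited (RFC 6749).
REQUIRED_SCOPES = {
    "offline_access",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
}


def missing_scopes(scope_string):
    """Return required scopes absent from a space-delimited scope string."""
    return sorted(REQUIRED_SCOPES - set(scope_string.split()))


def diagnose(scope_string, token_response, issued_at):
    """Report whether an access token can renew itself once it expires.

    token_response uses the standard token endpoint fields (RFC 6749, 5.1).
    Assumption: a refresh_token is present only when offline_access was
    requested, so without it the token stops working at expires_at.
    """
    lifetime = timedelta(seconds=int(token_response.get("expires_in", 0)))
    return {
        "expires_at": issued_at + lifetime,
        "auto_renew": bool(token_response.get("refresh_token")),
        "missing_scopes": missing_scopes(scope_string),
    }


# Constructed sample data: placeholder tokens, not output from CA SDM.
IMAP_SCOPE = "https://outlook.office.com/IMAP.AccessAsUser.All"
ISSUED = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
WITHOUT_OFFLINE = {"token_type": "Bearer", "expires_in": 3600,
                   "access_token": "SAMPLE-ACCESS-TOKEN"}
WITH_OFFLINE = dict(WITHOUT_OFFLINE, refresh_token="SAMPLE-REFRESH-TOKEN")

if __name__ == "__main__":
    for scopes, response in [
        (IMAP_SCOPE, WITHOUT_OFFLINE),
        ("offline_access " + IMAP_SCOPE, WITH_OFFLINE),
    ]:
        result = diagnose(scopes, response, ISSUED)
        print(result["expires_at"].isoformat(), result["auto_renew"],
              result["missing_scopes"])
```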