As part of my 5-day O365 course I have a Workflow section that describes things like deploying workflows via Apps with event receivers that deploy to the Host Web. Also a part of the lab is how to "theoretically" call an O365 API from workflow. Unfortunately, you cannot call O365 APIs from workflows that live on-premises or in O365. The reason is two fold.
- For on-premises, there is a buffer overflow in the Workflow Manager service (1.0, CU1, CU2 and 1.0 refresh) that barfs on large DynamicValue HttpHeaders in the HttpSend request. Reference this post for the error you will see.
- For O365, there is a special STS validation layer that barfs on the Azure AD access token (Error is "JsonWebToken.Issuer != clientId@realm"). If you pass the token in anything but the "Authorization" header it will pass right through, but it will not pass through in the "Authorization" header.
Therefore, the only avenue you have is to use "Basic" auth when making the calls. This means you must store the user's username and password somewhere rather than allowing them to go through the basic OAuth process the way it should be.
If you would like to be able to do this, vote for it on UserVoice here: