API request: https://graph.microsoft.com/beta/users/d90a45d2-0cec-45bc-a0a4-d1be70fc172d/chats
Microsoft Graph error message: UnknownError
Client request ID: 297f7c71-7eef-4d32-990d-f39267a79ffe
Timestamp: 2020-05-27T03:55:01
Response:
{
  'error': {
    'code': 'UnknownError',
    'message': '',
    'innerError': {
      'request-id': '297f7c71-7eef-4d32-990d-f39267a79ffe',
      'date': '2020-05-27T03:55:01'
    }
  }
}
Postman Request returning 403:
You have to request access to Protected APIs from Microsoft. Follow the instructions here: Protected API
Note that some chat endpoints are not available in Application Context at all. Only delegated context works with those endpoints.
I am trying to migrate my app from Office 365 REST v2.0 to Microsoft Graph (v1.0). The token exchange seems to be working, but as soon as I try to call an API, I get the following error:
(
  [errorNumber] => 401
  [error] => Request returned HTTP error 401
  [message] => {
    "error": {
      "code": "InvalidAuthenticationToken",
      "message": "Access token validation failure. Invalid audience.",
      "innerError": {
        "date": "2021-03-16T15:36:21",
        "request-id": "dda1e33a-2774-4986-8c45-1487404fbb72",
        "client-request-id": "e842d9a8-d71b-0563-f1ce-e58052e5bdb9"
      }
    }
  }
)
The access_token has the following audience:
"aud": "https://outlook.office.com"
Here is the endpoint that I am using:
https://login.microsoftonline.com/common/oauth2/v2.0/token
Payload:
grant_type=authorization_code
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=https%3A%2F%2Fxxx.com%2Fproxy%2Foffice365authorize
&client_id=e2147faf-87f0-4e7f-xxxx-xxxxxxxxxxx
&client_secret=xxxxxxxxxxxx
Any hint would be greatly appreciated, thanks!
This means your token has the wrong audience. To call the Microsoft Graph API, you need to get the token for Microsoft Graph, i.e. the access token needs the "aud": "https://graph.microsoft.com".
It looks like you are using the AAD auth code flow to get the token, so when you request an authorization code, use the scope with https://graph.microsoft.com/.default.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Also use scope=https://graph.microsoft.com/.default when requesting the token.
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=xxxxxx
&scope=https://graph.microsoft.com/.default
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=xxxxxx
&grant_type=authorization_code
&client_secret=xxxxx
To call the API successfully, also make sure you have granted the correct Delegated Microsoft Graph API permissions to your client app, depending on the API you want to call, e.g. if you want to call List users, you need the permissions here.
The Teams list channels Graph API has started throwing an Unauthorized error as below. It used to work fine until yesterday. We are using a "ServicePrincipal" for authentication and it has all necessary Graph permissions, in this case Group.Read.All.
The sample endpoint we are using is as below.
https://graph.microsoft.com/v1.0/teams/dccde580-0fc5-11eb-adc1-0242ac120002/channels.
Since this morning, it is failing continuously with the below error. Moreover, this is not a beta API.
As per our analysis, it is failing for those teams which have a private channel in them. But as per the documentation, private channels should be returned in the response as well. I don't understand what the issue could be.
Any ideas, hints or help in this regard are really appreciated.
{
  "error": {
    "code": "Unauthorized",
    "message": "Failed to execute Aad backend request GetUsersByObjectIdsRequest. Workload Unknown. Request Url: https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version=1.61-internal, Request Method: POST, Response Status Code: Unauthorized, Response Headers: ocp-aad-diagnostics-server-name: 0yK5pQbb6mmQTig21hH07WmGI0k2nuTime8Zw4wMO7k=\r\nrequest-id: c33c655e-27f7-4f96-aabf-70e6d9d8770d\r\nclient-request-id: 5bd775a7-7dba-4ad7-bc9a-fbd91ae46fea\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nDate: Fri, 16 Oct 2020 15:23:45 GMT\r\n, Reason Phrase: Unauthorized",
    "innerError": {
      "date": "2020-10-16T15:23:45",
      "request-id": "3f3793b8-02d6-4653-a14f-3e455660e3d8",
      "client-request-id": "3f3793b8-02d6-4653-a14f-3e455660e3d8"
    }
  }
}
We are facing the same issue. The error exists in some of our test tenants, and it is thrown by Microsoft when we use the application permission to make the request.
The requests with the delegated permission token work without any issue.
Microsoft adds some permissions.
https://learn.microsoft.com/de-de/graph/api/channel-list?view=graph-rest-beta&tabs=http
Do you have the application permissions?
Do you use the beta endpoint?
Look at this: https://learn.microsoft.com/de-de/microsoftteams/platform/graph-api/rsc/resource-specific-consent
I have been trying to tackle this issue for a while now. I am working on an Office-js add-in for Outlook and am trying to access Microsoft Graph data through my add-in.
But I have been unable to authenticate the token I receive from getAccessTokenAsync.
If I attempt to use the authenticator from Office-JS-Helpers I can get access, but I would prefer to use the built-in function of the add-in for it.
The code I am trying to use is this:
Office.initialize = () => {
  var options = { forceAddAccount: true, forceConsent: true } as Office.AuthOptions;
  Office.context.auth.getAccessTokenAsync(options, getAccessTokenAsyncCallback);
}

function getAccessTokenAsyncCallback(accessTokenResponse) {
  console.log(accessTokenResponse.value)
  // The value returned by getAccessTokenAsync is handed to the Graph client as the bearer token.
  client = MicrosoftGraph.Client.init({
    authProvider: (done) => {
      done(null, accessTokenResponse.value);
    },
    debugLogging: false
  })
  client.api("/me")
    .get((err, res, rawResponse) => {
      console.log(err)
      console.log("rawResponse")
      console.log(rawResponse)
    })
}
And my WebApplicationInfo in my manifest is:
  <WebApplicationInfo>
    <Id>{AppUID}</Id>
    <Resource>api://localhost:3000/{AppUID}</Resource>
    <Scopes>
      <Scope>profile</Scope>
      <Scope>user.read</Scope>
    </Scopes>
  </WebApplicationInfo>
</VersionOverrides>
And the rights have been set up in my app on the Application Registration Portal.
As far as I can see when validating/decoding the JSON Web Token I receive from getAccessTokenAsync, it should be valid.
But whenever I try to connect using this token I get this response:
{
  "statusCode": 401,
  "code": "InvalidAuthenticationToken",
  "message": "Access token validation failure.",
  "requestId": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
  "date": "2018-08-30T05:37:43.000Z",
  "body": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
      "date": "2018-08-30T07:37:43"
    }
  }
}
I simply can't figure out what the issue is here. Am I wrong in that the token returned from getAccessTokenAsync is the one I need for this?
Oh yes, and I am running against an Office365 environment with Outlook 2016 version 1807 build 10325.20118 click to run.
The token that is returned by getAccessTokenAsync, called the bootstrap token, does NOT give your add-in access to MS Graph directly. Instead it gives the Office host application, Outlook in this case, access to your add-in's web application. Your add-in's web application then uses that token to get an access token to Microsoft Graph. It does this by using the "on behalf of" OAuth flow. Please see the extensive documentation at this node: SSO in Office Add-ins and, for Outlook-specific guidance, also see Authenticate a user in an Outlook Add-in with an SSO token.
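The on-behalf-of exchange described above, as an added example (not code from the original answer or from Microsoft's samples): the add-in's web application posts the bootstrap token to the v2.0 token endpoint as the assertion and asks for Graph scopes. The function names, the tenant default and every sample value are assumptions.

```javascript
// Added example: server-side on-behalf-of (OBO) exchange for an Office add-in.
// It belongs in the add-in's web application, never in the task pane, because it
// needs the client secret. Validate the bootstrap token's signature and audience
// on the server before exchanging it (not shown here).
const tokenEndpoint = (tenant) =>
  `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`;

function buildOboRequest({ tenant = 'common', clientId, clientSecret, bootstrapToken, scopes }) {
  // A bootstrap token is a JWT: three dot-separated segments.
  if (typeof bootstrapToken !== 'string' || bootstrapToken.split('.').length !== 3) {
    throw new Error('bootstrap token is missing or is not a JWT');
  }
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    requested_token_use: 'on_behalf_of',
    client_id: clientId,
    client_secret: clientSecret,
    assertion: bootstrapToken, // the token returned by getAccessTokenAsync
    // Qualify each scope with the Graph resource so the new token's aud is Graph.
    scope: scopes.map((s) => `https://graph.microsoft.com/${s}`).join(' '),
  });
  return {
    url: tokenEndpoint(tenant),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// fetchImpl is injectable so the exchange can be exercised without network access.
async function exchangeForGraphToken(params, fetchImpl = fetch) {
  const { url, ...init } = buildOboRequest(params);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok) {
    throw new Error(`OBO exchange failed: ${json.error} ${json.error_description || ''}`);
  }
  return json.access_token; // this token, not the bootstrap token, goes to Graph
}
```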
I am using the Code flow ... with scope of "onedrive.readonly onedrive.appfolder"
I get the code, then the token, and when I try to get the information about the user:
https://graph.microsoft.com/v1.0/me
In Java I set the following headers to the request:
uc.setRequestProperty("Content-Type", "application/json");
uc.setRequestProperty("Authorization", String.format("Bearer %s", mSessionInfo.BearerToken));
I get the error:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 8004920A",
    "innerError": {
      "request-id": "b8959569-efd0-4575-947e-c8835f8fef93",
      "date": "2018-08-29T15:46:53"
    }
  }
}
What does this error mean? How to proceed?
The response actually indicates that the access token was not successfully generated or passed to the graph endpoint. Microsoft Graph couldn't parse it as a JWT token and thus attempted to process it as a Microsoft Account/Live Id compact token, which also failed. Please check the response that you got from the call to login.microsoftonline.com and that the token passed to graph.microsoft.com is a valid JWT token.
When I try to retrieve some data from MS Graph I get the following error:
{error: {code: "InvalidAuthenticationToken", message: "Access token validation failure.",…}}
error:{code: "InvalidAuthenticationToken", message: "Access token validation failure.",…}
code:"InvalidAuthenticationToken"
innerError:{request-id: " xxx ", date: "2016-11-28T10:25:52"}
date : "2016-11-28T10:25:52"
request-id: " xxx "
message : "Access token validation failure."
The application is a SharePoint Add-In which should read some user and group information from Office 365.
I use the following code to retrieve the data:
$.ajax({
  type: "GET",
  url: "https://graph.microsoft.com/v1.0/me/",
  headers: {
    'Accept': 'application/json',
    // The scheme and the token must be separated by a space.
    'Authorization': 'Bearer ' + token
  }
}).done(function (response) {
  console.log(response);
  //alert(response);
}).fail(function () {
  console.log('Error occurred.');
});
For authentication I use adal.js. After login() I get the id_token. When the request is made the token is passed to the function.
Does anyone have the same issue and could help?
Thanks in advance!
To call the Microsoft Graph REST API, we need to provide the access token. The id_token is used by the client to verify the signed-in user.
To acquire the delegated access token for the Microsoft Graph REST API, we need to make two requests. The first request gets the Authorization Code from the authorization endpoint. The second request exchanges the code from the first request for the token. For the detailed requests, you can refer to the link below:
Microsoft Graph app authentication using Azure AD
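An added diagnostic, not part of any post above: it decodes a bearer token's claims to tell apart the failures discussed on this page, namely a token that is not a JWT, a token whose aud is not Microsoft Graph (an Outlook-audience token, an id_token, an add-in bootstrap token), and delegated versus application context. The function and sample names are hypothetical, and the sample tokens are constructed and unsigned.

```javascript
// Added example. Claims are decoded for diagnosis only; the signature is not
// verified, so never treat this result as an authorization decision.
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000', // Microsoft Graph's application ID
]);

function triageGraphToken(token) {
  const parts = String(token || '').trim().split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not-a-jwt' };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    if (claims === null || typeof claims !== 'object') throw new Error('no claims');
  } catch {
    return { ok: false, reason: 'not-a-jwt' };
  }
  const aud = String(claims.aud || '').replace(/\/+$/, '');
  // Delegated tokens carry "scp"; application (app-only) tokens carry "roles".
  const scp = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const context = scp.length ? 'delegated' : roles.length ? 'application' : 'none';
  const result = { aud, context, permissions: scp.length ? scp : roles };
  if (!GRAPH_AUDIENCES.has(aud)) return { ok: false, reason: 'wrong-audience', ...result };
  return { ok: true, ...result };
}

// Constructed sample tokens: real claim names, made-up values, placeholder signature.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleToken = (claims) =>
  `${b64url({ typ: 'JWT', alg: 'RS256' })}.${b64url(claims)}.constructed-signature`;
const samples = {
  outlookAudience: sampleToken({ aud: 'https://outlook.office.com', scp: 'Mail.Read' }),
  idToken: sampleToken({ aud: '11111111-2222-3333-4444-555555555555', name: 'Constructed User' }),
  opaque: 'EwBAA8l6-constructed-opaque-value',
  delegated: sampleToken({ aud: 'https://graph.microsoft.com/', scp: 'User.Read profile' }),
  appOnly: sampleToken({ aud: '00000003-0000-0000-c000-000000000000', roles: ['Group.Read.All'] }),
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, JSON.stringify(triageGraphToken(token)));
}
```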