I'm getting an HTTP 400 on a request for https://graph.microsoft.com/v1.0/sites?search=* but expected response is an HTTP 200 w/ data.
It works successfully in multiple client environments (i.e. 100s of environments), but it doesn't work for one of our clients.
The application does successfully return calls for /groups, /domains, and other endpoints prior to hitting this HTTP 400.
The error is:
Error authenticating with resource
Response from remote side is:
{
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"request-id": "1d68c066-dba8-487e-b3a8-bd77f517d394",
"date": "2019-06-25T18:50:31"
}
}
I'm not sure the next steps from here. HTTP 400 suggests a malformed request, but I'm guessing this should actually be an HTTP 403 or 401 response instead of a 400?
Not sure how to resolve, please let me know, thanks!
edit: request-id added back in
If you're able to call other resources the same way (i.e. /groups), it would suggest a lack of permissions. Be sure the app or user authenticating has the required permissions:
Delegated (work or school account): Sites.Read.All, Sites.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Sites.Read.All, Sites.ReadWrite.All
Documentation here
Related
The request https://www.googleapis.com/youtube/v3/members fails with code 403 "Access forbidden. The request may not be properly authorized." even in the Google OAuth 2.0 Playground while all other requests succeed. Does that mean I am missing the approval from YouTube? I have completed the forms to request the approval several weeks ago, but I have yet to get any response from YouTube.
API request with parameters used
https://youtube.googleapis.com/youtube/v3/members?part=snippet
Result
{
"code" : 403,
"errors" : [ {
"domain" : "youtube.common",
"message" : "Access forbidden. The request may not be properly authorized.",
"reason" : "forbidden"
} ],
"message" : "Access forbidden. The request may not be properly authorized."
}
Expected result
Response body with Members List
Is it 100% reproducible?
Yes
Reproducible API explorer link
https://developers.google.com/oauthplayground/
approval
If you check the top of the page for
members.list you will see that this method has been replaced by sponsors.list
So calling Members.list isnt going to work. You ened to call sponsors.list and you need permission from google inorder to call that
authorization
Assuming you have summited the form and requested access to the new sponsors.list method and have been granted access you should know that calling memebers.list wont work. As its been deprecated you need to call sposors.list and it needs to be authorized. I would guess with the same scope as before.
The message is telling you that you have summited the request without being properly authorized to access the data.
Access forbidden. The request may not be properly authorized.
You need an access token sent as an authorization header before you will be able to make that call please check authorization
As this new method isn't documented I would have to guess it would be something like this.
GET https://youtube.googleapis.com/youtube/v3/sponsors?part=snippet?key=[YOUR_API_KEY] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
If you have been granted access to this method then you might have an email contact at google that you can ask what the actual call is if its not working.
I am trying to use Microsoft Graph API in Power Automate where I make calls out to perform some actions. I have been successful with all Graph calls up to this one where I get a 503 serviceNotAvailable error.
The call I am trying is below
GET https://graph.microsoft.com/v1.0/groups/b40e54ac-5626-xxxx-xxxx-xxxxxxxxxxxx/drive/root:/filepath.docx
If I paste this directly into Graph Explorer on the Graph API site it works fine so I am happy that the call is syntactically correct.
I can't get the call to work through Power Automate. I also have tried this through Postman and am getting the same 503 error.
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "87725851-77fb-xxxx-xxxx-xxxxxxxxxxxx",
"date": "2020-03-01T16:55:43"
}
}
}
Permissions in my app registration are
Directory.AccessAsUser.All
Directory.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.ReadWrite.All
Files.Read.All
Files.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Group.Selected
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
TeamsActivity.Read.All
TeamsActivity.Send
TeamsApp.Read.All
TeamsApp.ReadWrite.All
TeamsTab.Create
TeamsTab.Read.All
TeamsTab.ReadWrite.All
User.Read
User.ReadWrite.All
Am pulling my hair out ... and there's barely anything left!
If you remove "Group.Create" permission completely and test, it should work.
Seems it doesn't like "Group.Create" with "Group.ReadWrite.All"
If it works in Graph Explorer, but doesn't in Postman. That typically means that your access token in Postman is not correct.
Have you looked at the Postman collection I put together? It puts on rails fetching the access token based on your application id and secret. https://learn.microsoft.com/en-us/graph/use-postman
With regards to PowerAutomate. How are you entering the application id and secret for the the flow to get the application access token? We do have a tutorial here from start to finish to show the approach we recommend here https://learn.microsoft.com/en-us/graph/tutorials/flow
I am having trouble starting a Microsoft Graph webhook subscription (for a mailbox in particular). When initiating the subscription it appears as though Microsoft accepts all of the parameters I am sending to configure the subscription but fails the total subscription because it is receiving a non 2xx response from the endpoint I have configured.
The reason my endpoint is sending a 401 back to Microsoft is because their POST that includes the subscription validation token is missing the clientState.
I am using the clientState key-value pair to authenticate all the communication between Microsoft and my endpoint. If my endpoint does not see the correct clientState it will return a 401.
Any ideas on what I might be missing or if I should go about this in a different way? In my opinion allowing my endpoint to accept unauthenticated GET/POST's is not an option.
Example request body using POST method including the API key in the header:
{
"changeType": "created",
"clientState": "testClientState",
"resource": "users/<UserName>/messages",
"expirationDateTime": "2017-08-10T10:24:57.0000000Z",
"notificationUrl": "<EndpointURL>"
}
Error Returned from Microsoft:
"error": {
"code": "InvalidRequest",
"message": "Subscription validation request failed. Must respond with 200 OK to this request.",
"innerError": {
"request-id": "adf7fc7b-6b14-4422-8526-c1391be8dd27",
"date": "2017-08-07T16:24:59"
}
}
I understand everything to work as intended until my endpoint is sent the validation token because I receive the validation token but my endpoint rejects it because it is missing the client state.
Endpoint Log Snippet:
queryStringParameters": {
"validationToken": "<ValidationToken sent by Microsoft>"
}
I am basing my API endpoint logic off of some of Microsoft's developer guides. For the subscription creation in particular I am using this guide.
It appears this question was also asked but not answered on GitHub.
I represent Microsoft Graph Web hooks team ...
We verified your request in our MS Graph Service logs and confirmed that it was failed at Subscription validation phase because of HTTP status code='Unauthorized' from your endpoint ... Up to this everything is correct per your observation ...
By design, MS Graph Web hooks do not send the clientState header as part of the Subscription validation request. Please do not expect for this header during the subscription validation.
More information
You would have expected to receive the clientState as part of the validation request header because Office365 graph sends it https://msdn.microsoft.com/en-us/office/office365/api/notify-rest-operations. Office 365 Graph different from MS Graph ...
There are some document improvements observed with this question at https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscription_post_subscriptions ... Example Publisher Notification Payload, which is after successful subscription is mentioned together with the Subscription validation … We fixed those.
I am trying to develop a simple background app to connect to my onedrive account (work) and regularly download some files.
I followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
I have registered the app here https://apps.dev.microsoft.com/portal/register-app
I have written down the client_id and client_secret
To get an access token I make a POST request to
https://login.microsoftonline.com/common/oauth2/v2.0/token
with the following form encoded data
{
'client_id': 'clientid here',
'client_secret': 'secret is here',
'scope': 'https://graph.microsoft.com/.default',
'grant_type': 'client_credentials',
}
I get back an access_token
{'ext_expires_in': 0,
'token_type': 'Bearer',
'expires_in': 3600,
'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciO---SHORTENED FOR BREVITY'}
Next I make a GET request (with Bearer header properly set) to https://graph.microsoft.com/v1.0/me
and get this eror response (which I get for any endpoint fwiw)
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "91059f7d-c798-42a1-b3f7-2487f094486b",
"date": "2017-08-05T12:40:33"
}
}
}
I have these permissions configured in the app setting
Any ideas what might be wrong?
I'll file a bug to improve this awful error message. The problem is that you are making a request using application permissions (client_credentials flow) - where there is no signed-in user context. Your request is to /me, and /me is basically an alias for the signed-in user - and in this case there isn't one!
You should try a call to https://graph.microsoft.com/v1.0/users instead. But, before you do that. In the app registration portal, you've selected delegated permissions, but you are calling with application permissions. You should remove the delegated permissions, and select the appropriate application permissions - to call users, select User.Read.All for example. Then make sure to consent/reconsent your app by going to the /adminconsent endpoint.
Please also read more on permissions and delegated and application permissions here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Hope this helps,
i used https://graph.microsoft.com/v1.0/users/{{Emailid}}/messages to get all the messages in my inbox
In clientCredential flow you are accessing as an with Client secret or with client certificate . So Graph API no linger understands who is me. So you need use https://graph.microsoft.com/v1.0/users/<Your_userId> or https://graph.microsoft.com/v1.0/users/<your_userprincipalname>.
eg.https://graph.microsoft.com/v1.0/users/1sd1353as..
or
eg.https://graph.microsoft.com/v1.0/users/John_doe#contso.com
Reference: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
I am using the PHP Google client library. I successfully get a token and refresh token from user/google to use with the API.
As soon as the user revokes the permission for my website in Googles settings on the Google page i get following error:
Error calling GET https://www.googleapis.com/calendar/v3/users/me/calendarList: (401) Invalid Credentials
That is expected behavior since the user revoked my permission.
However, how do I detect that a user revoked that access?
Currently i do the following to see if i have access:
//$token json fetched from database
$gclient->setAccessToken($token);
if ($gclient->getAccessToken())
//i should have access
Well this code unfortunately does not detect the revoked permission. How can i handle that?
Once you have detected that the user has revoked the permission you can ask the user to grant the permission again.
To detect that the grant has been revoked: Provided that you had authorization before,
Making an API call using a revoked access_token will result in a response with status code 401. Like this
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Attempting to refresh a token after the revocation will result in a response with a 400 status code and an invalid_grant message. Just as specified in the RFC 6749, Section 5.2
invalid_grant The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
Here is an example of such response:
```lang-js
{
"error" : "invalid_grant"
}
```
Google APIs should only return 401 for lack of authorization. Since you had authorization before, receiving a 401 is a reliable indication that the user has revoked access.
Are you looking for a detection mechanism that notifies you of such changes before you make the API call? Today there is not a push notification mechanism from Google that can inform your application of such events. Of course, a pull-based mechanism is not useful -- you can simply make the API call and handle the 401 more efficiently.