Microsoft Graph error InvalidAuthenticationToken - microsoft-graph-api

When I try to retrieve some data from MS Graph I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": " xxx ",
      "date": "2016-11-28T10:25:52"
    }
  }
}
The application is a SharePoint Add-In which should read some user and group information from Office 365.
I use the following code to retrieve the data:
$.ajax({
  type: "GET",
  url: "https://graph.microsoft.com/v1.0/me/",
  headers: {
    'Accept': 'application/json',
    // the scheme and the token must be separated by a space
    'Authorization': 'Bearer ' + token
  }
}).done(function (response) {
  console.log(response);
  //alert(response);
}).fail(function () {
  console.log('Error occurred.');
});
For authentication I use adal.js. After login() I get the id_token. When the request is made, the token is passed to the function.
Does anyone have the same issue and could help?
Thanks in advance!

To call the Microsoft Graph REST API, we need to provide the access token. The id_token is used by the client to verify the signed-in user.
To acquire the delegated access token for the Microsoft Graph REST API, we need to make two requests. The first request gets the Authorization Code from the authorization endpoint. The second request exchanges the code obtained in the first request for the token. For the detailed requests, you can refer to the link below:
Microsoft Graph app authentication using Azure AD

Related

"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token" Az API Management

I am trying to obtain an authorization token to consume a published API in Azure API Management, for which I am performing the following steps:
Call the authorization URL as follows:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=<CLIENT_ID>
&response_type=code
&response_mode=query
&redirect_uri=<REDIRECT_URI>
&scope=SCOPE
Immediately after, I call the following URL with the obtained authorization code and the other parameters in the body, sent as form-data:
POST https://login.microsoftonline.com/common/oauth2/token
client_id=<CLIENT_ID>
scope=SCOPE
grant_type=authorization_code
client_secret=<CLIENT_SECRET>
code=<AUTHORIZATION_CODE_PREVIOUS_STEP>
As a result, I get the following error and cannot continue:
{
"error": "invalid_grant",
"error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: f0264d85-2f41-4009-9e8e-1a211209e100\r\nCorrelation ID: c6b15ffb-82e8-49aa-941f-6c85be4d9601\r\nTimestamp: 2022-01-18 15:06:55Z",
"error_codes": [
54005
],
"timestamp": "2022-01-18 15:06:55Z",
"trace_id": "f0264d85-2f41-4009-9e8e-1a211209e100",
"correlation_id": "c6b15ffb-82e8-49aa-941f-6c85be4d9601"
}
I understand that the authorization code is for one use only but, in my case, on the first attempt I get this error.
Any help is appreciated

Microsoft Graph API: Access token validation failure. Invalid audience

I am trying to migrate my app from Office 365 REST v2.0 to Microsoft Graph (v1.0). The token exchange seems to be working but as soon as I am trying to call an API, I am getting the following error:
(
[errorNumber] => 401
[error] => Request returned HTTP error 401
[message] => {
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2021-03-16T15:36:21",
"request-id": "dda1e33a-2774-4986-8c45-1487404fbb72",
"client-request-id": "e842d9a8-d71b-0563-f1ce-e58052e5bdb9"
}
}
}
)
The access_token has the following audience:
"aud": "https://outlook.office.com"
Here is the endpoint that I am using:
https://login.microsoftonline.com/common/oauth2/v2.0/token
Payload:
grant_type=authorization_code
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=https%3A%2F%2Fxxx.com%2Fproxy%2Foffice365authorize
&client_id=e2147faf-87f0-4e7f-xxxx-xxxxxxxxxxx
&client_secret=xxxxxxxxxxxx
Any hint would be greatly appreciated, thanks!
This means your token has the wrong audience. To call the Microsoft Graph API, you need to get the token for Microsoft Graph, i.e. the access token needs "aud": "https://graph.microsoft.com".
It looks like you are using the AAD auth code flow to get the token, so when you request an authorization code, use the scope https://graph.microsoft.com/.default.
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Also use scope=https://graph.microsoft.com/.default when requesting the token.
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=xxxxxx
&scope=https://graph.microsoft.com/.default
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=xxxxxx
&grant_type=authorization_code
&client_secret=xxxxx
To call the API successfully, also make sure you have granted the correct Delegated Microsoft Graph API permissions to your client app, depending on the API you want to call, e.g. if you want to call List users, you need the permissions here.
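Both answers above come down to the same check: the token sent to Graph must be an access token whose audience is Microsoft Graph, not an id_token and not a token issued for another resource such as Outlook. The following is an added example (not code from either answer) that inspects the payload of a token before the client sends it; it only decodes the claims for diagnosis and does not verify the signature, which Graph does on its side. The sample tokens and client id are constructed.

```javascript
// Audiences Microsoft Graph accepts: the resource URI or Graph's well-known application id.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000",
]);

// Decode the middle (payload) segment of a JWT. No signature check: this is a
// client-side sanity check, not token validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Return "ok" or a short explanation of why Graph would answer InvalidAuthenticationToken.
function diagnoseGraphToken(token, clientId) {
  const claims = decodeJwtPayload(token);
  // An id_token is addressed to your own app (aud = client id) and carries a nonce.
  if (claims.aud === clientId || "nonce" in claims) {
    return "id_token: aud is your own client id; request an access token for Graph instead";
  }
  if (!GRAPH_AUDIENCES.has(claims.aud)) {
    return `wrong audience ${claims.aud}: request scope https://graph.microsoft.com/.default`;
  }
  if (typeof claims.exp === "number" && claims.exp * 1000 < Date.now()) {
    return "expired: acquire a fresh access token";
  }
  return "ok";
}

// The header Graph expects: scheme, one space, token.
function authorizationHeader(token) {
  return `Bearer ${token}`;
}

// Constructed, unsigned sample token (alg none) so the check can run offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

// Constructed client id (placeholder) and the Outlook-audience case from the question.
const SAMPLE_CLIENT_ID = "00000000-1111-2222-3333-444444444444";
const outlookToken = makeSampleToken({ aud: "https://outlook.office.com", exp: 9999999999 });
console.log(diagnoseGraphToken(outlookToken, SAMPLE_CLIENT_ID));
```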

Graph API authentication | The request body must contain the following parameter 'grant_type'

I'm trying to authenticate to Graph using Postman. I have the following request:
Type: Post
Url: https://login.microsoftonline.com/[MyTenantIdHere]/oauth2/v2.0/token
Body = Raw:
{
  client_id: "[MyClientID]",
  grant_type: "client_credentials",
  scope: "https%3A%2F%2Fgraph.microsoft.com%2F.default",
  client_secret: "[MyClientSecret]"
}
However, I'm getting this error:
"error_description": "AADSTS900144: The request body must contain the following parameter: 'grant_type'."
Any idea how to solve this?
Try x-www-form-urlencoded in Postman.

Beta Chats endpoint in MS Graph giving UnknownError

API request: https://graph.microsoft.com/beta/users/d90a45d2-0cec-45bc-a0a4-d1be70fc172d/chats
Microsoft Graph error message: UnknownError
Client request ID: 297f7c71-7eef-4d32-990d-f39267a79ffe
Timestamp: 2020-05-27T03:55:01
Response:
{
  'error': {
    'code': 'UnknownError',
    'message': '',
    'innerError': {
      'request-id': '297f7c71-7eef-4d32-990d-f39267a79ffe',
      'date': '2020-05-27T03:55:01'
    }
  }
}
Postman Request returning 403:
You have to request Microsoft access to Protected APIs. Follow instructions here: Protected API
Note that some chat endpoints are not available in Application Context at all. Only delegated context works with those endpoints.

Office API getAccessTokenAsync result yields InvalidAuthenticationToken response from Graph

I have been trying to tackle this issue for a while now. I am working on an Office-js add-in for Outlook and am trying to access Microsoft Graph data through my add-in.
But I have been unable to authenticate with the token I receive from getAccessTokenAsync.
If I attempt to use the authenticator from Office-JS-Helpers I can get access, but I would prefer to use the built-in function of the add-in for it.
The code I am trying to use is this:
// Graph client, created once the bootstrap token has been obtained
let client;

Office.initialize = () => {
  var options = { forceAddAccount: true, forceConsent: true } as Office.AuthOptions;
  Office.context.auth.getAccessTokenAsync(options, getAccessTokenAsyncCallback);
}

function getAccessTokenAsyncCallback(accessTokenResponse) {
  console.log(accessTokenResponse.value)
  client = MicrosoftGraph.Client.init({
    authProvider: (done) => {
      done(null, accessTokenResponse.value);
    },
    debugLogging: false
  })
  client.api("/me")
    .get((err, res, rawResponse) => {
      console.log(err)
      console.log("rawResponse")
      console.log(rawResponse)
    })
}
And my WebApplicationInfo in my manifest is:
<WebApplicationInfo>
  <Id>{AppUID}</Id>
  <Resource>api://localhost:3000/{AppUID}</Resource>
  <Scopes>
    <Scope>profile</Scope>
    <Scope>user.read</Scope>
  </Scopes>
</WebApplicationInfo>
</VersionOverrides>
And the rights have been set up in my app on the Application Registration Portal.
As far as I can see when validating/decoding the JSON Web Token I receive from getAccessTokenAsync, it should be valid.
But whenever I try to connect using this token I get this response:
{
  "statusCode": 401,
  "code": "InvalidAuthenticationToken",
  "message": "Access token validation failure.",
  "requestId": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
  "date": "2018-08-30T05:37:43.000Z",
  "body": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
      "date": "2018-08-30T07:37:43"
    }
  }
}
I simply can't figure out what the issue is here. Am I wrong in that the token returned from getAccessTokenAsync is the one I need for this?
Oh yes, and I am running against an Office 365 environment with Outlook 2016 version 1807 build 10325.20118 (Click-to-Run).
The token that is returned by getAccessTokenAsync, called the bootstrap token, does NOT give your add-in access to MS Graph directly. Instead it gives the Office host application, Outlook in this case, access to your add-in's web application. Your add-in's web application then uses that token to get an access token to Microsoft Graph. It does this by using the "on behalf of" OAuth flow. Please see the extensive documentation at this node: SSO in Office Add-ins and, for Outlook-specific guidance, also see Authenticate a user in an Outlook Add-in with an SSO token.
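Two of the answers above hinge on how the token request is built: the Postman answer (the body must be application/x-www-form-urlencoded, not JSON, or AAD reports that grant_type is missing) and this one (the add-in's web app exchanges the bootstrap token for a Graph token with the on-behalf-of grant). The following is an added example, not code from any of the posts, that builds both requests with URLSearchParams so every value is percent-encoded exactly once; the scope in the Postman question was already encoded inside the JSON and would otherwise arrive double-encoded. Tenant id, client id, secret and bootstrap token are placeholders supplied by the caller.

```javascript
// v2.0 token endpoint for a tenant (or "common").
const tokenUrl = (tenantId) =>
  `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;

// A caller that already percent-encoded the scope (as in the Postman question) would
// otherwise have it encoded a second time; decode it first.
function normalizeScope(scope) {
  return /%[0-9A-Fa-f]{2}/.test(scope) ? decodeURIComponent(scope) : scope;
}

// Assemble a token request the way the AAD endpoint reads it: a form body, not JSON.
function buildTokenRequest(tenantId, params) {
  const body = new URLSearchParams({ ...params, scope: normalizeScope(params.scope) });
  return {
    method: "POST",
    url: tokenUrl(tenantId),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// App-only token for Graph (the client_credentials request from the Postman question).
function clientCredentialsRequest(tenantId, clientId, clientSecret, scope) {
  return buildTokenRequest(tenantId, {
    client_id: clientId, client_secret: clientSecret,
    grant_type: "client_credentials", scope,
  });
}

// On-behalf-of exchange: the add-in's web app presents the bootstrap token it received
// from getAccessTokenAsync as the assertion and asks for a Graph token for that user.
function onBehalfOfRequest(tenantId, clientId, clientSecret, bootstrapToken, scope) {
  return buildTokenRequest(tenantId, {
    client_id: clientId, client_secret: clientSecret,
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    assertion: bootstrapToken, scope,
  });
}

// Parse a body the way the server does, to confirm which parameters it will see.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}
```

Feeding a JSON body through parseFormBody shows why AAD answers AADSTS900144: the whole JSON string becomes a single parameter name, so no grant_type parameter exists.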
