Redman

Reputation: 662

Microsoft Graph API access token validation failure

I use this URL to get id_token:

https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=MY_CLIENT_GUID_ID_IN_HERE&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn&nonce=alfaYYCTxBK8oypM&
state=6DnAi0%2FICAWaH14e

and this returns a result like this:

http://localhost:3000/auth/openid/return?
code=AAA_code_in_here&
id_token=eyJ0eXAi_xxxx_yyyy_in_here&
state=6DnAi0%2FICAWaH14e&
session_state=xxxx_guid_xxxxx

and then I use the id_token (in Postman) to query the Graph API for groups.

I have seen this post, InvalidAuthenticationToken and CompactToken issues - Microsoft Graph using PHP Curl, but it makes no sense to me.

Upvotes: 5

Views: 16385

Answers (5)

Ogglas

Reputation: 70008

An updated answer to get access with new applications:

  1. Register your app in the app registration portal.

  2. Authorization request example:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345

Authorization response will look like this:

https://localhost/myapp/?code=M0ab92efe-b6fd-df08-87dc-2c6500a7f84d&state=12345

  3. Get a token

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=user.read%20mail.read
    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=authorization_code
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps

  4. Use the access token to call Microsoft Graph

    GET https://graph.microsoft.com/v1.0/me
    Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
    Host: graph.microsoft.com

Source:

https://learn.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0

You can also get an access token without a user, see here:

https://learn.microsoft.com/en-us/graph/auth-v2-service
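The four steps above, worked through as an added example that is not part of this answer or of Microsoft's documentation. It builds each request of the v2.0 authorization-code flow and checks the redirect without sending anything over the network; the `state` check is the part most often skipped when people copy the URLs by hand. The tenant, client_id, code, secret and token values are constructed placeholders, and `run_flow` is a hypothetical driver that strings the steps together.

```python
"""Added example: build and check each step of the OAuth 2.0 authorization-code
flow against the Microsoft identity platform v2.0 endpoint, offline.
All client_id, tenant, code, secret and token values are constructed."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Step 2: the authorization request. The caller must keep `state` in the
    user's session so the redirect can later be tied back to this request."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_authorization_response(redirect_url, expected_state):
    """Extract the code from the redirect. Reject the response if the server
    reported an error or if `state` differs from what we sent (CSRF check)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect is not tied to our request")
    return qs["code"][0]


def build_token_request(tenant, client_id, code, redirect_uri, scopes, client_secret=None):
    """Step 3: the form body POSTed to /oauth2/v2.0/token. Returns (url, body).
    redirect_uri must be byte-for-byte the one used in the authorize request."""
    form = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    if client_secret is not None:  # confidential (web app) clients only
        form["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(form)


def graph_headers(token_response_json):
    """Step 4: take the access_token (not the id_token) from the token response
    and build the Authorization header for the Graph call."""
    body = json.loads(token_response_json)
    if body.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": f"Bearer {body['access_token']}"}


def run_flow():
    """Hypothetical driver: runs the steps against constructed data."""
    client_id = "00000000-0000-0000-0000-000000000001"  # constructed
    redirect_uri = "http://localhost:3000/auth/openid/return"
    state = secrets.token_urlsafe(16)
    auth_url = build_authorize_url("common", client_id, redirect_uri,
                                   ["offline_access", "user.read", "mail.read"], state)
    # Constructed redirect, standing in for what the browser comes back with.
    redirect = f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_authorization_response(redirect, state)
    token_url, body = build_token_request("common", client_id, code, redirect_uri,
                                          ["user.read", "mail.read"],
                                          client_secret="CONSTRUCTED_SECRET")
    # Constructed token response; a real one carries long JWTs in both fields.
    token_response = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                 "access_token": "CONSTRUCTED_ACCESS_TOKEN",
                                 "id_token": "CONSTRUCTED_ID_TOKEN"})
    return auth_url, token_url, body, graph_headers(token_response)


if __name__ == "__main__":
    for item in run_flow():
        print(item)
```

The `client_secret` never appears in the browser-facing authorize URL, only in the server-to-server token POST, which is why the secret is "only required for web apps": a public client (SPA, mobile) has no place to keep one.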

Upvotes: 0

Bug Hunter Zoro

Reputation: 1915

I had this issue today when I was playing with graph API, the problem in my case was how I was generating the token.

I used postman for generating the token wherein the Auth URL section I was adding the resource = client_id whereas it should be the graph URL. After making that change I was able to make the call via postman.

[image: GraphApi]

In order for the above to work, please make sure your application in Azure has delegated permissions to access the Graph API.

Upvotes: 2
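A quick way to see the mistake this answer describes (a token minted for your own client_id rather than for Graph) is to look at the `aud` claim of the token you are sending. The following is an added example, not code from this answer: it decodes the JWT payload without verifying the signature, which is fine for client-side diagnostics but never a substitute for the validation a resource server performs. The two tokens are constructed here with a fake signature; `classify_token` and the client_id value are assumptions for the demo. The Graph audience identifiers are the resource URI and Graph's well-known application id.

```python
"""Added example: inspect JWT claims to tell an id_token (or a token issued
for your own app) apart from an access token issued for Microsoft Graph.
Decoding here does NOT verify the signature; a resource server must check
signature, issuer, audience and expiry before trusting any claim."""
import base64
import json

# Audiences Microsoft Graph accepts: resource-URI form and application-id form.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt):
    """Return the payload claims of a compact JWS without verifying it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(jwt, client_id):
    """Say who the token is for. Graph returns InvalidAuthenticationToken for
    anything whose audience is not Graph itself."""
    aud = decode_claims(jwt).get("aud")
    if aud in GRAPH_AUDIENCES:
        return "graph-access-token"
    if aud == client_id:
        return "id-token-or-own-app-token"
    return f"other-audience:{aud}"


def make_unsigned_token(claims):
    """Constructed token for the demo: real header and payload, fake signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.CONSTRUCTED_SIGNATURE"


def demo(client_id="11111111-2222-3333-4444-555555555555"):  # constructed
    # What the question's authorize request (response_type=id_token) yields:
    id_token = make_unsigned_token({
        "aud": client_id,
        "iss": "https://login.microsoftonline.com/common/v2.0",
        "nonce": "alfaYYCTxBK8oypM",
    })
    # What a token request with resource = Graph yields:
    access_token = make_unsigned_token({
        "aud": "https://graph.microsoft.com",
        "scp": "User.Read Group.Read.All",
    })
    return classify_token(id_token, client_id), classify_token(access_token, client_id)


if __name__ == "__main__":
    print(demo())
```

If the first classification comes back for the token you are putting in the `Authorization` header, the fix is on the token-request side (the resource or scope you asked for), not on the Graph call.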

Orhun Alp Oral

Reputation: 754

To receive the access token and use it for profile requests, you don't need anything from server-side, you can implement the oAuth2 just from the client side.

Use the following URL for login:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=YOUR_CLIENT_ID&resource=https://graph.microsoft.com&response_type=token&redirect_uri=YOUR_REDIRECT_URI&scope=User.ReadBasic.All

After a successful login, the user will be redirected to the page with an access_token parameter. Then use the following AJAX call to fetch user info:

// Pull the access_token out of the redirect URL the login window landed on.
var token = login_window.location.href.split('access_token=').pop().split('&')[0];
$.ajax({
    url: "https://graph.microsoft.com/v1.0/me",
    type: "GET",
    // Graph expects the token as a Bearer credential in the Authorization header.
    beforeSend: function(xhr){xhr.setRequestHeader('Authorization', 'Bearer '+token);},
    success: function(data) {
      alert('Hi '+data.displayName);
      console.log(data);
    }
});

Note that you may need to enable oauth2AllowImplicitFlow:true setting from your Azure Active Directory application manifest file.

Set "oauth2AllowImplicitFlow": false to "oauth2AllowImplicitFlow": true.

Lastly, ensure that your app has the required permissions for Microsoft Graph, which are "Sign in users" and "View users' basic profile".

Upvotes: 1

tatigo

Reputation: 2264

You can't use the token directly; there is one more step: exchanging the code you get from the response URL for a token.

Here is my C# code (using Microsoft.IdentityModel.Clients.ActiveDirectory):

    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Check, Globals, ADALTokenCache, CanCompleteSignIn and VerificationCode
    // are helpers and state from the poster's own application.
    public static AuthenticationResult ExchangeCodeForToken(string InTenantName, string InUserObjId, string InRedirectUri, string InApplicationAzureClientID, string InApplicationAzureClientAppKey)
    {
        Check.Require(!string.IsNullOrEmpty(InTenantName), "InTenantName must be provided");
        Check.Require(!string.IsNullOrEmpty(InUserObjId), "InUserObjId must be provided");

        if (CanCompleteSignIn) //redirect from sign-in
        {
            var clientCredential = new ClientCredential(InApplicationAzureClientID, InApplicationAzureClientAppKey);
            var authContext = new AuthenticationContext(Globals.GetLoginAuthority(InTenantName), (TokenCache)new ADALTokenCache(InUserObjId)); //Login Authority is https://login.microsoftonline.com/TenantName
            return authContext.AcquireTokenByAuthorizationCode(VerificationCode, new Uri(InRedirectUri), clientCredential, Globals.AZURE_GRAPH_API_RESOURCE_ID); //RESOURCE_ID is "https://graph.microsoft.com/"
        }

        return null;
    }

Upvotes: 2

Marc LaFleur

Reputation: 33094

OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a Bearer token. This is the step you are missing here.

I would also recommend using the v2 Endpoint which is a lot easier to work with (particularly with Graph). I wrote a v2 Endpoint Primer that walks through the process and may be helpful as well.

Upvotes: 4
