vaindil

Reputation: 7864

MS Graph API: invalid authentication token

I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the Mail.Read permission. (I don't have access to the Azure portal, I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.

Why is this call failing? It seems like I'm passing all of the correct information but I'm clearly missing something.

I'm getting the token by performing a POST on:

https://login.microsoftonline.com/my.domain/oauth2/token

I pass the necessary parameters:

data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}

and I get a response like this:

{
    'resource': 'APPURI',
    'expires_in': '3599',
    'ext_expires_in': '3600',
    'access_token': 'TOKENHERE',
    'expires_on': '1466179206',
    'not_before': '1466175306',
    'token_type': 'Bearer'
}

I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:

h = {'Authorization': 'Bearer ' + TOKEN}

I'm calling this URL:

url = 'https://graph.microsoft.com/v1.0/users/[email protected]/messages'

Specifically, I use this:

r = requests.get(url, headers=h)

The response is a 401:

{
    'error': {
        'innerError': {
            'date': '2016-06-17T15:06:30',
            'request-id': '[I assume this should be removed for privacy]'
         },
         'code': 'InvalidAuthenticationToken',
         'message': 'Access token validation failure.'
     }
}

Upvotes: 9

Views: 46258

Answers (5)

Raphael Z

Reputation: 191

It seems to be the case that tokens issued from the v1 endpoint aren't valid for at least some requests with the MS Graph API.

Instead, try to get the token from the v2 endpoint by calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

In case you are working with OIDC discovery documents, you'll find the one for v2 at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Upvotes: 5

Marc LaFleur

Reputation: 33132

Unless you are using Client Credentials, you cannot access the messages in another account's mailbox. Make sure that [email protected] is the same account you are authenticated with and that this address is also the userPrincipalName for the account.

You can also use a simplified URI for requesting your messages and bypassing determining the account's userPrincipalName by using /me. In this case the GET request would be https://graph.microsoft.com/v1.0/me/messages

Upvotes: 1

Yvan Aquino

Reputation: 116

It's worth noting that even if MS's Azure documentation does not specify the need for listing the resource, I could never get it to work without listing the resource.

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds.

There is a supplementary document specific to two-legged auth for MS Graph that actually uses the 'resource' in the example.

https://developer.microsoft.com/en-us/graph/docs/authorization/app_only

Happy hunting!

Upvotes: 0

user2641043

Reputation: 405

In your login request, the resource parameter should be https://graph.microsoft.com

Upvotes: 19
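Putting that fix together, as an added example that is not from the question or any of the answers: the v1 client-credentials request body with `resource` set to Graph, plus an offline check of the issued token's `aud` claim (decoded without signature verification, for inspection only) so a token minted for the app's own URI is caught before it produces the 401 above. Tenant, client id and secret are placeholders, the sample JWTs are constructed, and the check assumes a v1 token for Graph carries `aud` equal to `https://graph.microsoft.com` (v2 tokens may use Graph's application id instead).

```python
import base64
import json

GRAPH_RESOURCE = "https://graph.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def token_request_data(client_id, client_secret, resource=GRAPH_RESOURCE):
    """Form body for the v1 client-credentials grant. The resource must be the
    API that will be called (Graph), not the app's own URI from the portal."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def jwt_claims(token):
    """Decode the payload segment of a JWT without verifying the signature.
    Only for inspecting what was issued; never use this to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_for_graph(token):
    """True if the token's audience is Graph. A token whose 'aud' is the app's
    own URI is exactly what Graph rejects with InvalidAuthenticationToken."""
    return jwt_claims(token).get("aud") == GRAPH_RESOURCE


def fetch_token(tenant, client_id, client_secret):
    """Live call (needs network): POST the grant and return the access token."""
    import requests  # imported here so the offline helpers above need no extra dependency
    r = requests.post(TOKEN_URL.format(tenant=tenant),
                      data=token_request_data(client_id, client_secret))
    r.raise_for_status()
    return r.json()["access_token"]


def _fake_jwt(claims):
    """Constructed, unsigned sample token used only to exercise the helpers."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    good = _fake_jwt({"aud": GRAPH_RESOURCE, "appid": "placeholder-client-id"})
    bad = _fake_jwt({"aud": "https://my.domain/my-app", "appid": "placeholder-client-id"})
    print(issued_for_graph(good), issued_for_graph(bad))  # True False
```

With a real token from `fetch_token`, run `issued_for_graph` on it before attaching it as a Bearer header; a False result means the `resource` (or v2 `scope`) in the grant was wrong, not the Graph call itself.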

Xiaomin Wu

Reputation: 3777

I think you will need to register app from here "https://apps.dev.microsoft.com" instead of from Azure Portal.

Upvotes: 1
