proteus

Reputation: 555

InvalidAuthenticationToken error with microsoft graph

I'm trying to use the Microsoft Graph API to determine if a logged-in user is a member of the admin group. My app is set up and configured in Azure and uses Active Directory to control access, which works perfectly well.

When a user logs in I can get the ClaimsIdentity object and the user's info. But I wanted to use the Graph API to obtain a list of groups the logged-in user belongs to and subsequently check for the admin group (the admin key is held in my config file).

In Azure, my manifest file has this setting: "oauth2AllowImplicitFlow": true.

and the app has Microsoft Graph enabled, with these permissions:

Sign in users & view users' basic profiles

I'm then creating an instance of the GraphServiceClient like this

GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());

and then interrogating the groups like this

Group group = await graphClient.Groups[admin].Request().GetAsync();

I've created an authentication provider with one method

using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

public class AzureAuthenticationProvider : IAuthenticationProvider
{
    // Called by GraphServiceClient before every request: acquires an app-only
    // (client credentials) token and attaches it as a Bearer header.
    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        string clientId = Helpers.Settings.ClientId;
        string clientSecret = Helpers.Settings.ClientSecret;
        AuthenticationContext authContext = new AuthenticationContext(Helpers.Settings.AuthorityCHP);
        ClientCredential creds = new ClientCredential(clientId, clientSecret);

        // The resource (GraphUrl) must be the API this request is sent to;
        // a token issued for a different resource fails audience validation.
        AuthenticationResult authResult = await authContext.AcquireTokenAsync(Helpers.Settings.GraphUrl, creds);

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
    }
}

The credentials are correct, yet whenever I run the code I get this error

Code: InvalidAuthenticationToken Message: Access token validation failure.

Inner error Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken Message: Access token validation failure.

I am getting a token back, but it isn't being accepted. What am I doing wrong here?

OK, I've now used the correct URL for the Graph API, but I'm getting this error

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

In my app settings for Azure Active Directory I have 2 APIs registered with delegated permissions

Windows Azure Active Directory - Read all users' basic profiles - Sign in and read user profile

Microsoft Graph - View users' basic profile - View users' email address - Access user's data anytime - Read all users' basic profiles - Read and write access to user profile - Sign in and read user profile

I've hit the 'Grant Permissions' button and got a message telling me permissions have been successfully granted for my application, but I still get the same error message :-(

Should I be passing in the signed-in user ID when I create an instance of the AuthenticationContext?

something like

AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));

** Update 2

I've now added 'Read all users' full profiles' and 'Read all groups' as application permissions in the Microsoft Graph Enable Access section AND granted permissions. But it's still exactly the same; how on earth am I supposed to get this to work? All I want to do is see which group a logged-in user belongs to. This is so difficult, it's beyond belief. Can anyone help me?

*** Magically it started to work in both my local dev environment and the app deployed to Azure. However, I also have 2 other app 'instances' in my App Service environment, a QA version and a 'Dev' version. If I deploy the same code to both of those environments and try to access the Graph API, I get this error again

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

I'm stumped; it's nonsensical. Shouldn't the privileges be exactly the same for all my apps in that App Service environment? I'd really appreciate any advice here; this has got me completely stuck and I can't see a way forward.

Upvotes: 0

Views: 6033

Answers (1)

juunas

Reputation: 58873

If you are calling Microsoft Graph API (https://graph.microsoft.com), the resource URI must be https://graph.microsoft.com:

await authContext.AcquireTokenAsync("https://graph.microsoft.com", creds);

https://graph.windows.net is for Azure AD Graph API, which is a different API.

Upvotes: 3
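As an added diagnostic (not part of the question or of juunas's answer), the script below decodes the payload of an access token and reports the two things that produce the errors seen above: an "aud" claim naming a different API than the one being called (which the Microsoft Graph endpoint rejects as "Access token validation failure"), and the absence of the required permission claims (app-only tokens from the client-credentials flow carry application permissions in "roles", while delegated permissions appear in "scp" and are not present in an app-only token at all, so granting delegated permissions does not help that flow). The audience values for Microsoft Graph and Azure AD Graph are the well-known resource URIs and app IDs; the tokens in the block are constructed, unsigned JWTs for offline use, and the signature is deliberately not verified, so this is for inspecting a token you just obtained, never for making an authorization decision.

```python
import base64
import json

# Well-known audience values Azure AD puts in "aud" for the two Graph APIs.
# Both the resource URI and the application ID forms are mapped to the host
# a request must be sent to for that token to be accepted.
AUDIENCE_HOSTS = {
    "https://graph.microsoft.com": "graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000": "graph.microsoft.com",
    "https://graph.windows.net": "graph.windows.net",  # Azure AD Graph (legacy)
    "00000002-0000-0000-c000-000000000000": "graph.windows.net",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Only for local diagnosis of a token you just received from the
    token endpoint; unverified claims must never drive authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, called_host: str, required_permissions: set) -> list:
    """Explain why the API at called_host would reject this token.

    Returns a list of problems; an empty list means the token looks usable.
    """
    claims = decode_claims(token)
    problems = []

    aud = claims.get("aud", "")
    aud_host = AUDIENCE_HOSTS.get(aud.rstrip("/"), aud)
    if aud_host != called_host:
        problems.append(
            f"audience mismatch: token is for {aud!r} but the request goes to "
            f"{called_host} (expect InvalidAuthenticationToken)"
        )

    # App-only tokens: application permissions in "roles" (a JSON array).
    # Delegated tokens: permissions in "scp" (a space-separated string).
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    missing = required_permissions - granted
    if missing:
        problems.append(
            f"missing permissions {sorted(missing)}; token carries "
            f"{sorted(granted) or 'none'} (expect Authorization_RequestDenied)"
        )
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens, not real Azure AD tokens.
TOKEN_FOR_AAD_GRAPH = _make_unsigned_token(
    {"aud": "https://graph.windows.net", "roles": ["Group.Read.All"]})
TOKEN_FOR_MS_GRAPH_NO_ROLES = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com"})
TOKEN_FOR_MS_GRAPH_OK = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Group.Read.All"]})

if __name__ == "__main__":
    needed = {"Group.Read.All"}
    for name, tok in [("aad-graph-audience", TOKEN_FOR_AAD_GRAPH),
                      ("ms-graph-no-roles", TOKEN_FOR_MS_GRAPH_NO_ROLES),
                      ("ms-graph-ok", TOKEN_FOR_MS_GRAPH_OK)]:
        print(name, diagnose(tok, "graph.microsoft.com", needed) or "looks usable")
```

Run it against the AccessToken string returned by AcquireTokenAsync: a token whose "aud" is https://graph.windows.net explains the first error regardless of which permissions are granted, and a token for https://graph.microsoft.com with an empty "roles" claim explains the second, which is why only application permissions (plus the admin grant) fix the client-credentials flow used in the question.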
