BryanP

Reputation: 710

Office365 Rest API 401 "The audience claim value is invalid"

I have a Microsoft token that is able to be refreshed successfully, yet when I try to make a basic call that is within one of the scopes authorized, I get a 401. The call is: https://outlook.office365.com/api/v2.0/me and here is the detail back from the server:

https://outlook.office365.com/api/v2.0/me> @request=# @request_headers={"Authorization"=>"Bearer MYTOKENGOESHERE", "Accept"=>"application/json", "User-Agent"=>"Faraday", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "return-client-request-id"=>"true"} @ssl=# @response=# @response_headers={"server"=>"Microsoft-IIS/10.0", "request-id"=>"7624eddb-b6ab-42ca-beff-c1132f64ded9", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "x-calculatedbetarget"=>"BY1PR15MB0055.NAMPRD15.PROD.OUTLOOK.COM", "x-backendhttpstatus"=>"401", "x-rum-validated"=>"1", "x-ms-diagnostics"=>"2000003;reason=\"The audience claim value is invalid 'https://graph.microsoft.com'.\";error_category=\"invalid_resource\"", "x-besku"=>"Gen8", "x-diaginfo"=>"BY1PR15MB0055", "x-beserver"=>"BY1PR15MB0055", "x-powered-by"=>"ASP.NET", "x-feserver"=>"BYAPR01CA0019", "www-authenticate"=>"Bearer client_id=\"MYIDGOESHERE\", trusted_issuers=\"00000001-0000-0000-c000-000000000000@*\", token_types=\"app_asserted_user_v1 service_asserted_app_v1\", authorization_uri=\"https://login.windows.net/common/oauth2/authorize\", error=\"invalid_token\",Basic Realm=\"\",Basic Realm=\"\"", "date"=>"Thu, 26 Jul 2018 01:42:26 GMT", "connection"=>"close", "content-length"=>"0"} @status=401>>

I have many users who use this same code pathway just fine right now, but a few users are running into this issue, which makes me think it's a configuration issue on their end or something. However, the error message doesn't tell us much... Please help.

Upvotes: 2

Views: 1741

Answers (1)

BryanP

Reputation: 710

The internal management of scopes within Microsoft has changed for security reasons. We were using scopes such as Mail.Read which are Microsoft Graph scopes, but we were using them to access outlook.com endpoints. Until last week this was allowed, but now it is no longer allowed.

The fix was to prepend https://outlook.office.com so the new scope would be https://outlook.office.com/Mail.Read and this scope format is allowed on the outlook REST API endpoints. Just be careful not to mix graph and outlook scopes as it appears you cannot get a single token that can work for both of those APIs.

Upvotes: 4
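The 401 in the question carries the diagnosis in its `x-ms-diagnostics` header: the token's `aud` claim is `https://graph.microsoft.com`, but the Outlook REST API only accepts tokens issued for the Outlook resource. The following Ruby is an added example, not code from the question or answer above: it peeks at a JWT's `aud` claim locally (without verifying the signature, which the API does server-side) to check it matches the API host you are about to call, and it builds resource-qualified scope strings while refusing to mix Graph and Outlook scopes in one request. The host-to-resource mapping and the unsigned sample token are constructed for illustration.

```ruby
require 'base64'
require 'json'
require 'uri'

# Resource identifiers (token audiences) for the two APIs discussed in the answer.
GRAPH_RESOURCE   = 'https://graph.microsoft.com'
OUTLOOK_RESOURCE = 'https://outlook.office.com'

# Decode the payload segment of a JWT WITHOUT verifying its signature.
# Diagnostic use only: the server still validates signature, expiry and audience.
def jwt_claims(token)
  parts = token.split('.', -1) # -1 keeps an empty trailing signature segment
  raise ArgumentError, 'not a JWT (expected 3 dot-separated segments)' unless parts.length == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# The aud claim may be a string or an array; normalize to an array.
def token_audiences(token)
  Array(jwt_claims(token)['aud'])
end

# Assumed mapping from API host to the resource a token must be issued for.
def expected_resource_for(api_base)
  host = URI(api_base).host
  case host
  when 'graph.microsoft.com'                          then GRAPH_RESOURCE
  when 'outlook.office.com', 'outlook.office365.com' then OUTLOOK_RESOURCE
  else raise ArgumentError, "unknown API host #{host}"
  end
end

# True when the token's audience matches the resource behind api_base.
def audience_ok?(token, api_base)
  token_audiences(token).include?(expected_resource_for(api_base))
end

# Human-readable pre-flight check you can log before sending the request.
def diagnose(token, api_base)
  expected = expected_resource_for(api_base)
  actual   = token_audiences(token)
  if actual.include?(expected)
    "ok: token audience #{expected} matches #{api_base}"
  else
    "mismatch: token audience #{actual.inspect} but #{api_base} requires #{expected}"
  end
end

# Build the space-separated scope string for ONE resource, as the answer describes
# (Mail.Read -> https://outlook.office.com/Mail.Read). Scopes already qualified
# with a different resource are rejected, since one token cannot serve both APIs.
def build_scopes(resource, short_scopes)
  short_scopes.map do |s|
    if s.start_with?('https://') && !s.start_with?("#{resource}/")
      raise ArgumentError, "scope #{s} belongs to a different resource than #{resource}"
    end
    s.start_with?('https://') ? s : "#{resource}/#{s}"
  end.join(' ')
end

# Constructed sample: an UNSIGNED token with a Graph audience, like the one
# that produced the 401 in the question. Not a real Microsoft token.
def sample_graph_token
  header  = Base64.urlsafe_encode64({ alg: 'none', typ: 'JWT' }.to_json, padding: false)
  payload = Base64.urlsafe_encode64({ aud: GRAPH_RESOURCE, scp: 'Mail.Read' }.to_json, padding: false)
  "#{header}.#{payload}."
end

if __FILE__ == $PROGRAM_NAME
  puts diagnose(sample_graph_token, 'https://outlook.office365.com/api/v2.0/me')
  puts diagnose(sample_graph_token, 'https://graph.microsoft.com/v1.0/me')
  puts build_scopes(OUTLOOK_RESOURCE, %w[Mail.Read Calendars.Read])
end
```

Running the pre-flight check against the Outlook endpoint reports the same mismatch the server's `x-ms-diagnostics` header did, which is far easier to act on than an empty 401 body; the scope builder is where the answer's fix lives, keeping each token request pinned to a single resource.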
