… character (Horizontal Ellipsis) in malformed AAD access token

Question

I'm using MSAL JS to do OAuth against my own AAD app registration. I get an access token back, but when I try to access the GraphAPI directly or exchange it for a GraphAPI access token, I get a variety of different errors, based on whichever API I'm calling:

https://login.microsoftonline.com/.../oauth2/v2.0/token, on_behalf_of flow

JWT token is invalid or malformed

C# MSAL GraphClient.Users... (not supposed to work with the initial access token, but I'm desperate)

InvalidAuthenticationToken Message: Access token is empty.

https://graph.microsoft.com/v1.0/search/query (not supposed to work with the initial access token, but I'm desperate)

Request headers must contain only ASCII characters.

The access token has a "…" symbol somewhere in the middle of it. It's called Unicode Character 'HORIZONTAL ELLIPSIS' (U+2026) and is non ASCII. To my understanding, that should not be part of any access token ever. And it shouldn't be a scope/API permission issue? Why is it there? What am I doing wrong?

Answer 1

I tried to copy & paste the value from one application to another/to Postman. But Visual Studio shortens long strings, adding the three dots character instead, at least in Blazor. I'm not sure about when strings are being shortened, but for WebAPIs the magnifying glass is showing up, letting you get the entire string.

You can work around it using the Immediate Window on Blazor, or debugging in the browser, Chrome doesn't lie.