Office Drone 7324

Reputation: 13

Access token validation failure. Invalid audience, office 365 Graph API

Sorry, I am at a bit of a loss trying to set up the Graph API. My end goal is app-only access. When I try to auth I get the error 'Access token validation failure. Invalid audience.'

My code

import requests

tenant = 'widgetsinc'
token_request_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(tenant)
auth_payload = {
    'client_id': 'deaf-beef-cafe',
    # Scope points at my own app registration, not at Microsoft Graph
    'scope': 'api://deaf-beef-cafe/.default',
    'client_secret': 'hunter2',
    'grant_type': 'client_credentials'
}

# Client-credentials grant: no signed-in user, app-only token
x = requests.post(token_request_url, data=auth_payload)
token = x.json()
print(token)

url = "https://graph.microsoft.com/v1.0/users"
# OAuth 2.0 access tokens are sent with the Bearer scheme
headers = {'Authorization': 'Bearer ' + token['access_token']}

# Listing users is a GET (a POST to /users would create a user)
x = requests.get(url, headers=headers)

print(x.json())

The result of print(token)

{ 'token_type': 'Bearer', 'expires_in': 3599, 'ext_expires_in': 3599, 'access_token': 'REMOVED' }


the result of print(x.json())

{ 'error': { 'code': 'InvalidAuthenticationToken', 'message': 'Access token validation failure. Invalid audience.', 'innerError': { 'date': '2023-01-25T00:38:48', 'request-id': 'removed', 'client-request-id': 'this also removed' } } }

My permissions for my app in the web UI permissions:

Upvotes: 1

Views: 11801

Answers (1)

Venkatesan

Reputation: 10520

{ 'error': { 'code': 'InvalidAuthenticationToken', 'message': 'Access token validation failure. Invalid audience.', 'innerError': { 'date':'2023-01-25T00:38:48', 'request-id': 'removed', 'client-request-id': 'this also removed' } } }

The above error occurs when you pass the incorrect scope, or your token has the wrong audience, to call the Microsoft Graph API in your environment. According to the MS document, to get an access token you need to pass https://graph.microsoft.com/.default in scope.

I tried the same code using scope https://graph.microsoft.com/.default with the same API permission to get all users and got an error:

API permission: (screenshot)

Code:

import requests

tenant = '<tenant-id>'
token_request_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(tenant)
auth_payload = {
    'client_id': '<client-id>',
    # Graph's own resource scope, so the token's audience is Microsoft Graph
    'scope': 'https://graph.microsoft.com/.default',
    'client_secret': '<client secret>',
    'grant_type': 'client_credentials'
}

# Client-credentials grant for an app-only token
x = requests.post(token_request_url, data=auth_payload)
token = x.json()
print(token)

url = "https://graph.microsoft.com/v1.0/users"
# Send the access token with the Bearer scheme
headers = {'Authorization': 'Bearer ' + token['access_token']}

x1 = requests.get(url, headers=headers)

users = x1.json()
print(users)

Console: (screenshot)

To get all users you need to use User.Read.All with application API permission.

API permission: (screenshot)

Console: (screenshot)

After adding the API permission to the application, the code executed successfully and returned all users.

Reference: List users - Microsoft Graph v1.0 | Microsoft Learn

Upvotes: 2
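The two failure modes in this thread (wrong audience from an `api://` scope, and a Graph-scoped token that carries no application permission) can both be spotted on the client before any call to Graph by looking at the `aud` and `roles` claims of the issued token. The following is an added example and not code from the question or the answer above: it decodes the JWT payload for diagnostics only (no signature verification, since Graph is the party that validates the token), builds the `Authorization: Bearer` header correctly, and uses the standard library `urllib` instead of `requests` so it runs with no extra dependencies. The three sample tokens are constructed claim sets, not real Azure AD tokens, and the client ID `deaf-beef-cafe` is taken from the question; the network functions are defined but only run if you supply real credentials.

```python
import base64
import json
import urllib.parse
import urllib.request

# The two audiences Microsoft Graph accepts: its resource URI or its well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Used here only to inspect what the token endpoint issued (aud, roles, ...).
    Microsoft Graph, not this client, is the party that validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token, required_roles=()):
    """Explain why Graph would reject an app-only token; an empty list means it looks usable."""
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        # The 'Invalid audience' case: the scope named some other resource.
        problems.append("audience %r is not Microsoft Graph; request scope "
                        "https://graph.microsoft.com/.default" % (aud,))
    # App-only tokens carry granted application permissions in 'roles', not 'scp'.
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("missing application permission(s) %s; grant and admin-consent "
                        "them on the app registration" % ", ".join(missing))
    return problems


def bearer_header(token):
    """Authorization header in the form RFC 6750 requires."""
    return {"Authorization": "Bearer " + token}


def request_graph_token(tenant, client_id, client_secret):
    """Client-credentials request with the Graph scope (needs network and real credentials)."""
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_users(token):
    """GET /v1.0/users with a properly formed Bearer header."""
    req = urllib.request.Request("https://graph.microsoft.com/v1.0/users",
                                 headers=bearer_header(token))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _sample_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only (not a real AAD token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"typ": "JWT", "alg": "RS256"}) + "." + seg(claims) + ".placeholder-signature"


# Constructed claim sets mirroring the three situations on this page.
WRONG_SCOPE_TOKEN = _sample_jwt({"aud": "api://deaf-beef-cafe", "appid": "deaf-beef-cafe"})
NO_ROLES_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com", "appid": "deaf-beef-cafe"})
GOOD_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com", "appid": "deaf-beef-cafe",
                          "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("api:// scope", WRONG_SCOPE_TOKEN),
                      ("graph scope, no permission", NO_ROLES_TOKEN),
                      ("graph scope + User.Read.All", GOOD_TOKEN)]:
        print(name, "->", check_graph_token(tok, ["User.Read.All"]) or "looks usable")
```

Running the script prints one diagnostic line per sample token; with a real token from `request_graph_token(...)`, call `check_graph_token(token, ["User.Read.All"])` first and only call `list_users(token)` when it returns an empty list. Note that this check is a convenience for debugging the app registration, not a substitute for the validation Graph performs server-side.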
