
Microsoft Graph API access token validation failure

I use this URL to get id_token:

https://login.microsoftonline.com/common/oauth2/authorize?
response_type=id_token%20code&
client_id=MY_CLIENT_GUID_ID_IN_HERE&
redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fopenid%2Freturn&nonce=alfaYYCTxBK8oypM&
state=6DnAi0%2FICAWaH14e

and the returned result looks like this:

http://localhost:3000/auth/openid/return?
code=AAA_code_in_here&
id_token=eyJ0eXAi_xxxx_yyyy_in_here&
state=6DnAi0%2FICAWaH14e&
session_state=xxxx_guid_xxxxx

and then I use the id_token to query Graph (using Postman), the Graph API for querying groups.

I have seen this post, InvalidAuthenticationToken and CompactToken issues - Microsoft Graph using PHP Curl, but it makes no sense to me.

OAuth 2.0 requires multiple steps. The first request returns an OAuth code. The next step is converting that OAuth code into a Bearer Token. This is the step you are missing here.

I would also recommend using the v2 Endpoint which is a lot easier to work with (particularly with Graph). I wrote a v2 Endpoint Primer that walks through the process and may be helpful as well.

You can't use the token directly; there is one more step: exchanging the code you get from the response URL for a token.

Here is my C# code (using Microsoft.IdentityModel.Clients.ActiveDirectory)

      using System;
      using Microsoft.IdentityModel.Clients.ActiveDirectory;

      // Exchanges the authorization code that came back to the redirect URI for an
      // access token whose audience is Microsoft Graph. Check, Globals, ADALTokenCache,
      // CanCompleteSignIn and VerificationCode are helpers from the poster's own project,
      // not part of ADAL.
      public static AuthenticationResult ExchangeCodeForToken(string InTenantName, string InUserObjId, string InRedirectUri, string InApplicationAzureClientID, string InApplicationAzureClientAppKey)
      {
          Check.Require(!string.IsNullOrEmpty(InTenantName), "InTenantName must be provided");
          Check.Require(!string.IsNullOrEmpty(InUserObjId), "InUserObjId must be provided");

          if (CanCompleteSignIn) // redirect from sign-in
          {
              var clientCredential = new ClientCredential(InApplicationAzureClientID, InApplicationAzureClientAppKey);
              // Login authority is https://login.microsoftonline.com/TenantName
              var authContext = new AuthenticationContext(Globals.GetLoginAuthority(InTenantName), (TokenCache)new ADALTokenCache(InUserObjId));
              // RESOURCE_ID is "https://graph.microsoft.com/": the token's audience must be Graph, not your own client id
              return authContext.AcquireTokenByAuthorizationCode(VerificationCode, new Uri(InRedirectUri), clientCredential, Globals.AZURE_GRAPH_API_RESOURCE_ID);
          }

          return null;
      }

I had this issue today when I was playing with graph API, the problem in my case was how I was generating the token.

I used Postman for generating the token, where in the Auth URL section I was adding resource = client_id, whereas it should be the Graph URL. After making that change I was able to make the call via Postman.

Graph API

In order for the above to work, please make sure your application in Azure has delegated permissions to access the Graph API.

To receive the access token and use it for profile requests, you don't need anything on the server side; you can implement OAuth2 purely from the client side.

Use the following URL for login:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=YOUR_CLIENT_ID&resource=https://graph.microsoft.com&response_type=token&redirect_uri=YOUR_REDIRECT_URI&scope=User.ReadBasic.All

After a successful login, the user will be redirected to the page with an access_token parameter. Then use the following AJAX call to fetch user info:

    // Read the access_token out of the URL the login window was redirected to (implicit flow)
    var token = login_window.location.href.split('access_token=').pop().split('&')[0];
    // jQuery is used here; the token goes in the Authorization header, not in the URL
    $.ajax({
        url: "https://graph.microsoft.com/v1.0/me",
        type: "GET",
        beforeSend: function (xhr) {
            xhr.setRequestHeader('Authorization', 'Bearer ' + token);
        },
        success: function (data) {
            alert('Hi ' + data.displayName);
            console.log(data);
        }
    });

Note that you may need to enable oauth2AllowImplicitFlow:true setting from your Azure Active Directory application manifest file.

Set "oauth2AllowImplicitFlow": false to "oauth2AllowImplicitFlow": true.

Lastly, ensure that your app has the required permissions for Microsoft Graph, which are "Sign in users" and "View users' basic profile".

An updated answer to get access with new applications:

  1. Register your app in the app registration portal.

  2. Authorization request example:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345

Authorization response will look like this:

https://localhost/myapp/?code=M0ab92efe-b6fd-df08-87dc-2c6500a7f84d&state=12345

  3. Get a token:

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=user.read%20mail.read
    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=authorization_code
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps

  4. Use the access token to call Microsoft Graph:

    GET https://graph.microsoft.com/v1.0/me
    Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
    Host: graph.microsoft.com

Source:

https://docs.microsoft.com/en-us/graph/auth-v2-user?context=graph/api/1.0

You can also get an access token without a user, see here:

https://docs.microsoft.com/en-us/graph/auth-v2-service
