stackoom
  简体   繁体   中英

AADSTS5002710: Invalid JWT token: header is malformed

 原文  2021-01-06 16:51:31       azure-active-directory/ jwt/ azure-ad-graph-api/ send-on-behalf-of

Question

I am trying to implement the "On-Behalf-Of" flow between my Client (ReactJS), Express + Node.js server (API), and Microsoft Graph.

So far I have requested an accessToken from microsoft (Client), and have made a request to my API.

I have ran into the error "AADSTS5002710: Invalid JWT token: header is malformed." when I try to make an Axios post request from my API to https://login.microsoftonline.com/tenantID/oauth2/v2.0/token

Full Error:
{ error: 'invalid_request', error_description: 'AADSTS5002710: Invalid JWT token: header is malformed.\r\n' + 'Trace ID: 068a382b-6f83-40f6-b1b1-7134223f4500\r\n' + 'Correlation ID: f46a2c03-84e8-46b3-b9d6-467174befa0b\r\n' + 'Timestamp: 2021-01-06 16:26:40Z', error_codes: [ 5002710 ], timestamp: '2021-01-06 16:26:40Z', trace_id: '068a382b-6f83-40f6-b1b1-7134223f4500', correlation_id: 'f46a2c03-84e8-46b3-b9d6-467174befa0b' }

The body of my request is according to the tutorial "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow".

I am constantly getting the error above as the result from microsoft online servers.

I have made the original (Client) request with my own custom scope
api://54ee17f...cfe06/Access.Test

1 answers

solution1
 1 ACCPTED  2021-01-07 07:47:33

I follow the tutorial to use On-Behalf-Of flow in Postman. But it works well.

My steps here:

  1. Add API permission of Web API B to Web API A

在此处输入图像描述

  1. Request Web API A to get access token( assertion of next step) with auth code flow

GET

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?scope={like api://1108f6-xxxxxxx-9f622/test} openid
&redirect_uri={redirect_uri of Web API A}
&nonce=123
&client_id={client-id of Web API A}
&response_type=id_token token
  1. Request Web API B to get the access token for Microsoft Graph API

POST

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id={client_id of Web API B}
&client_secret={client_secret}
&assertion={access token from previous step}
&scope=https://graph.microsoft.com/user.read offline_access
&requested_token_use=on_behalf_of
  1. Call Microsoft Graph API, like GET https://graph.microsoft.com/v1.0/users .

You could decode your access token(assertion) in https://jwt.io/ , and check the HEADER .

在此处输入图像描述

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question JWT token. Error “AADSTS700027: Client assertion contains an invalid signature” "AADSTS9002313: Invalid request. Request is malformed or invalid JWT valid according to JWT.io but invalid or malformed for Graph API OpenIdConnectAuthenticationOptions and AcquireTokenByAuthorizationCodeAsync: Invalid JWT token On behalf of token issue (AADSTS50013: Assertion contains an invalid signature) AzureAD JWT Token Audience claim prefix makes JWT Token invalid JWT Bearer Token: "The audience 'api://...' is invalid" Office365: Refreshing access token results with "AADSTS9002313" invalid_grant execption AZURE AD ADAL “error”:“invalid_grant”,“error_description”:"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid Error "invalid_grant" AADSTS65001 when trying to exchange access token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM