Office365 Rest API 401 “The audience claim value is invalid”

  • Question

  • I have a Microsoft token that is able to be refreshed successfully, yet when I try to make a basic call that is within one of the scopes authorized, I get a 401. The call is: outlook.office365.com/api/v2.0/me and here is the detail back from the server:

    https://outlook.office365.com/api/v2.0/me> @request=# @request_headers={"Authorization"=>"Bearer MYTOKENGOESHERE", "Accept"=>"application/json", "User-Agent"=>"Faraday", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "return-client-request-id"=>"true"} @ssl=# @response=# @response_headers={"server"=>"Microsoft-IIS/10.0", "request-id"=>"7624eddb-b6ab-42ca-beff-c1132f64ded9", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "x-calculatedbetarget"=>"BY1PR15MB0055.NAMPRD15.PROD.OUTLOOK.COM", "x-backendhttpstatus"=>"401", "x-rum-validated"=>"1", "x-ms-diagnostics"=>"2000003;reason=\"The audience claim value is invalid 'https://graph.microsoft.com'.\";error_category=\"invalid_resource\"", "x-besku"=>"Gen8", "x-diaginfo"=>"BY1PR15MB0055", "x-beserver"=>"BY1PR15MB0055", "x-powered-by"=>"ASP.NET", "x-feserver"=>"BYAPR01CA0019", "www-authenticate"=>"Bearer client_id=\"MYIDGOESHERE\", trusted_issuers=\"00000001-0000-0000-c000-000000000000@*\", token_types=\"app_asserted_user_v1 service_asserted_app_v1\", authorization_uri=\"https://login.windows.net/common/oauth2/authorize\", error=\"invalid_token\",Basic Realm=\"\",Basic Realm=\"\"", "date"=>"Thu, 26 Jul 2018 01:42:26 GMT", "connection"=>"close", "content-length"=>"0"} @status=401>>

    I have many users who use this same code pathway just fine right now, but a few users are running into this issue, which makes me think it's a configuration issue on their end or something. However, the error message doesn't tell us much... Please help

    Thursday, July 26, 2018 6:34 PM

All replies

  • The internal management of scopes within Microsoft has changed for security reasons. We were using scopes such as Mail.Read which are Microsoft Graph scopes, but we were using them to access outlook.com endpoints. Until last week this was allowed, but now it is not allowed.

    The fix was to prepend https://outlook.office.com so the new scope would be https://outlook.office.com/Mail.Read, and this scope format is allowed on the Outlook REST API endpoints.

    Friday, August 3, 2018 1:01 AM
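
The check and the fix discussed in this thread, as an added Ruby example that is not part of the original posts: it reads the rejected audience from the `x-ms-diagnostics` header, compares a token's `aud` claim with the resource being called, and qualifies bare scopes with the Outlook prefix. The helper names and the sample token are constructed for illustration, and it assumes the access token is a JWT and that the OpenID Connect scopes (`openid`, `offline_access`, `profile`, `email`) stay unprefixed.

```ruby
require "base64"
require "json"

OUTLOOK_RESOURCE = "https://outlook.office.com" # prefix given in the reply above
OIDC_SCOPES = %w[openid offline_access profile email].freeze # assumed left unprefixed

# Pull the rejected audience out of an x-ms-diagnostics header value.
def rejected_audience(headers)
  headers["x-ms-diagnostics"].to_s[/audience claim value is invalid '([^']+)'/, 1]
end

# Decode the JWT payload for diagnostics only. The signature is NOT verified,
# so never make an authorization decision from these claims.
def jwt_claims(token)
  payload = token.split(".")[1]
  raise ArgumentError, "token is not a JWT" if payload.nil?
  padded = payload + "=" * ((4 - payload.length % 4) % 4)
  JSON.parse(Base64.urlsafe_decode64(padded))
end

# True when the token's aud claim names the resource about to be called.
def audience_matches?(token, resource)
  Array(jwt_claims(token)["aud"]).any? { |aud| aud.chomp("/") == resource.chomp("/") }
end

# Qualify bare scopes such as Mail.Read with the Outlook resource.
def outlook_scopes(scopes)
  scopes.map do |scope|
    next scope if OIDC_SCOPES.include?(scope) || scope.start_with?("https://")
    "#{OUTLOOK_RESOURCE}/#{scope}"
  end
end

# Constructed, unsigned sample token carrying only an aud claim.
def sample_token(aud)
  seg = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [seg.call({ "alg" => "none" }), seg.call({ "aud" => aud }), "sig"].join(".")
end

if __FILE__ == $PROGRAM_NAME
  headers = { "x-ms-diagnostics" => "2000003;reason=\"The audience claim value is " \
              "invalid 'https://graph.microsoft.com'.\";error_category=\"invalid_resource\"" }
  token = sample_token(rejected_audience(headers))
  puts "rejected aud: #{rejected_audience(headers)}"
  puts "token valid for Outlook API? #{audience_matches?(token, OUTLOOK_RESOURCE)}"
  puts "request instead: #{outlook_scopes(%w[openid offline_access Mail.Read]).join(' ')}"
end
```

Running the audience check before each call turns the opaque 401 into an explicit client-side error that names the mismatched resource.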