Graph API throwing : Access token validation failure

    Question

  • I am trying to integrate Graph API at the organization level. Using ng2-adal (Angular 2), I'm authenticating the users and it authenticates the user successfully. Using the access_token, I am trying to get the user's profile by calling

    import { Injectable } from '@angular/core';
    import { Http, Headers, Response } from '@angular/http';
    import { Observable } from 'rxjs/Observable';
    import 'rxjs/add/operator/map';

    @Injectable()
    export class GraphService {
      constructor(private http: Http) {}

      getUserProfile(): Observable<any> {
        // Perform REST call into Microsoft Graph for the signed-in user's profile (/me).
        // The token below is the access_token copied out of the browser session for debugging.
        const access_token =
          "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzUU4wQlpTN3M0bk4tQmRyamJGMFlfTGRNTSIsImtpZCI6ImEzUU4wQlpTN3M0bk4tQmRyamJGMFlfTGRNTSJ9.eyJhdWQiOiI4YzkwN2M5MS0xYjIxLTQ0NjgtODI1ZS0xMTZhNGY2NjMyNDkiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC83NzQyODIwNS04N2ZmLTQwNDgtYTY0NS05MWIzMzcyNDAyMjgvIiwiaWF0IjoxNDkxOTg3Mjk2LCJuYmYiOjE0OTE5ODcyOTYsImV4cCI6MTQ5MTk5MTE5NiwiYW1yIjpbIndpYSJdLCJmYW1pbHlfbmFtZSI6IlJlbmdhcmFqYW4iLCJnaXZlbl9uYW1lIjoiUHJhdmVlbiIsImlwYWRkciI6IjExNS4xMTAuMTM3LjIzNCIsIm5hbWUiOiJQcmF2ZWVuIFJlbmdhcmFqYW4iLCJub25jZSI6ImMyMzdmMjY1LTI4NDItNDU4YS1hMzgwLThiODcxZjk0ZWFmZSIsIm9pZCI6ImM4Y2Y0MTU2LTZmMzEtNGEwNS1iZjZjLTg4Y2VjODdiNTk4ZSIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xNTE4NDc2NTM3LTM3NTYzOTMwMzEtMTA3OTc2NDM4NC05OTUwIiwicGxhdGYiOiIzIiwic3ViIjoicjVjeUlwcmgwSFVTcEJKU3lzeno4UU14TkF1VDNXdGcyNWcxdGpiX0c2ayIsInRpZCI6Ijc3NDI4MjA1LTg3ZmYtNDA0OC1hNjQ1LTkxYjMzNzI0MDIyOCIsInVuaXF1ZV9uYW1lIjoicHJhdmVlbi5yQGhhcHBpZXN0bWluZHMuY29tIiwidXBuIjoicHJhdmVlbi5yQGhhcHBpZXN0bWluZHMuY29tIiwidXRpIjoibUJ5blF4MHZCa1NUZVhtVHdlUVZBQSIsInZlciI6IjEuMCJ9.q5P8tVMvwEjBQu3D_zTXBU5VXSHIZEdU8BFAt0yiqB3ETazzZQxWcvYp-eF7BV4nHQcOW_1UL5yQKm5zy4S1AKM5fcJ7y9Whi7ZBfoSDSLLYqsRnykFZHAz4CiYi895D-7HdLz3j0c9We1nNtX1927DkoSpZOn7hww5iZxFA8K4qplMLzeKFJtkrAST2tMkfx7AatxW7E9c2yUfoXe8wW-1JmEeU5ysHnIazLqo3qQJ9itZScbFnsoHA3zmK2nPUUgpPHJ-WsQG43eEnLlu9__g5F9OF9On0dz0E7MVDh3v2JsY8nywI3_QPSnUy_jzbd-MbGXlV8q8TSmiZQECRig";
        console.log(access_token);
        return this.http.get('https://graph.microsoft.com/v1.0/me/', {
          headers: new Headers({ 'Authorization': 'Bearer ' + access_token })
        }).map((response: Response) => {
          return response.json();
        });
      }
    }

    Getting response as:

    {
      "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure.",
        "innerError": {
          "request-id": "8595528a-8841-4982-9be3-f0c1a0b7416b",
          "date": "2017-04-12T09:09:53"
        }
      }
    }

    Wednesday, April 12, 2017 9:19 AM

All replies

  • I am using ng2-adal and connecting to MS Graph. I think it is likely your access token is wrong or is expired.

    You'll want to use the authHttp service that ng2-adal has. In the config object, you need something like this:

    endpoints: {
      "https://graph.microsoft.com/v1.0/me/": "https://graph.microsoft.com/"
    }

    Then when you do a call to the API, use the authHttp methods instead of Angular's http. authHttp will handle the access token part for you while automatically adding it to the headers.

    You also have to register your app and MS Graph correctly with AD, giving your app the right permissions to access resources from MS Graph. The process will vary depending on whether you are using the Azure AD v2.0 endpoint or not.

    Friday, April 14, 2017 4:14 PM
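The reply above says the `endpoints` map is what makes authHttp attach a Graph token. The following is an added example, not ng2-adal's code and not from anyone in this thread: a simplified model of how adal.js resolves a request URL to a resource through that map, and therefore which cached token (with which `aud`) gets sent. It assumes, from my reading of adal.js's `getResourceForEndpoint`, that an endpoints key matches when it occurs as a substring of the request URL, that an unmatched URL under the app's own origin falls back to the app's client ID as resource, and that any other unmatched URL is sent without a token. The SPA origin `https://localhost:4200` and the token cache contents are constructed placeholders; the application ID is the one from the question.

```javascript
// Added example (not ng2-adal's or the original poster's code): a simplified model of
// how adal.js picks the resource for an outgoing request from the `endpoints` map.
// Assumptions (labelled; from adal.js getResourceForEndpoint as I understand it):
//  - an endpoints key matches when it appears as a substring of the request URL;
//  - an unmatched URL under the app's own origin gets the app's own client ID as
//    resource, i.e. a token whose aud is the app, which Graph rejects;
//  - any other unmatched URL gets no Authorization header at all.

const APP_ID = "8c907c91-1b21-4468-825e-116a4f663249"; // application ID from the question
const APP_ORIGIN = "https://localhost:4200";             // assumed SPA origin

function resourceForEndpoint(config, url) {
  for (const [endpointPrefix, resource] of Object.entries(config.endpoints)) {
    if (url.indexOf(endpointPrefix) > -1) return resource;
  }
  if (url.startsWith(config.appOrigin)) return config.clientId;
  return null;
}

// Token cache keyed by resource, the way adal.js stores acquired tokens.
// Values are constructed placeholders standing in for real JWTs.
const tokenCache = {
  [APP_ID]: "jwt-with-aud-equal-to-app-id",
  "https://graph.microsoft.com/": "jwt-with-aud-equal-to-graph",
};

// What authHttp would send: the resolved resource and the Authorization header
// value, or null when the request would go out anonymously.
function buildAuthHeader(config, cache, url) {
  const resource = resourceForEndpoint(config, url);
  if (resource === null) return null;
  const token = cache[resource];
  if (!token) throw new Error(`no token cached for resource ${resource}; acquireToken(resource) would run first`);
  return { resource, authorization: `Bearer ${token}` };
}

// Mapping exactly as written in the reply: only URLs containing ".../v1.0/me/" match.
const narrowConfig = {
  clientId: APP_ID, appOrigin: APP_ORIGIN,
  endpoints: { "https://graph.microsoft.com/v1.0/me/": "https://graph.microsoft.com/" },
};

// Broader mapping: every Graph URL resolves to the Graph resource.
const broadConfig = {
  clientId: APP_ID, appOrigin: APP_ORIGIN,
  endpoints: { "https://graph.microsoft.com/": "https://graph.microsoft.com/" },
};

function demo() {
  return {
    me: buildAuthHeader(narrowConfig, tokenCache, "https://graph.microsoft.com/v1.0/me/"),
    // same endpoint without the trailing slash: no substring match, so no token is sent
    meNoSlash: buildAuthHeader(narrowConfig, tokenCache, "https://graph.microsoft.com/v1.0/me"),
    // a different Graph endpoint is not covered by the narrow key either
    users: buildAuthHeader(narrowConfig, tokenCache, "https://graph.microsoft.com/v1.0/users"),
    usersBroad: buildAuthHeader(broadConfig, tokenCache, "https://graph.microsoft.com/v1.0/users"),
    // the app's own backend gets the app-audience token, which is correct there
    ownApi: buildAuthHeader(narrowConfig, tokenCache, `${APP_ORIGIN}/api/data`),
  };
}
```

The `meNoSlash` and `users` cases are the ones to watch: a key that is too narrow does not produce an obvious error in the SPA, the request simply leaves without a Graph token and Graph answers 401 InvalidAuthenticationToken, so mapping the Graph host as a whole (`broadConfig`) is the safer configuration.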
  • Looking at the token you have provided, the audience is for the application, not the graph.microsoft.com resource. You should be able to take the code you received when you authenticated the user and request a token for the user with the graph.microsoft.com resource, basically an on-behalf-of flow.

    Here is the payload of the token provided:
    {
      "aud": "8c907c91-1b21-4468-825e-116a4f663249",
      "iss": "https://sts.windows.net/77428205-87ff-4048-a645-91b337240228/",
      "iat": 1491987296,
      "nbf": 1491987296,
      "exp": 1491991196,
      "amr": [
        "wia"
      ],
      "family_name": "Rengarajan",
      "given_name": "Praveen",
      "ipaddr": "115.110.137.234",
      "name": "Praveen Rengarajan",
      "nonce": "c237f265-2842-458a-a380-8b871f94eafe",
      "oid": "c8cf4156-6f31-4a05-bf6c-88cec87b598e",
      "onprem_sid": "S-1-5-21-1518476537-3756393031-1079764384-9950",
      "platf": "3",
      "sub": "r5cyIprh0HUSpBJSyszz8QMxNAuT3Wtg25g1tjb_G6k",
      "tid": "77428205-87ff-4048-a645-91b337240228",
      "unique_name": "praveen.r@happiestminds.com",
      "upn": "praveen.r@happiestminds.com",
      "uti": "mBynQx0vBkSTeXmTweQVAA",
      "ver": "1.0"
    }

    Notice the aud claim: it is the application ID, not the graph.microsoft.com resource. When I looked at the operations logs, the request was rejected for just this reason: the audience was not correct for the token, so it can't be used to access the graph.microsoft.com resource.

    Here is a link to the OAuth documentation that may help you create the request for a bearer token for the graph.microsoft.com resource:
    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

    Regards,
    MaxV (MSFT)

    Wednesday, April 19, 2017 8:29 PM
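The diagnosis in the reply above (decode the token, look at `aud`) can be scripted so that it is checked before the request is sent. The following is an added example, not code from anyone in this thread: it decodes a compact JWT's claims and checks audience, `exp` and `nbf` the way Graph would. It does not verify the signature (only the resource server with the issuer's keys can, and a client must not trust these claims for authorization), so it is a diagnostic for 401s like the one in the question, nothing more. The sample tokens are constructed, unsigned (`alg: none`, empty signature segment) and reuse the application ID, tenant ID and timestamps of the token in the question; the Graph audience values listed are the ones Azure AD v1.0 issues for Microsoft Graph, with `00000003-0000-0000-c000-000000000000` being Graph's well-known application ID.

```javascript
// Added example, not code from the original thread: decode a bearer token's claims
// and check audience, expiry and not-before the way Microsoft Graph would.
// The signature is NOT verified; this is a client-side diagnostic only.

// Audiences under which Azure AD v1.0 issues tokens for Microsoft Graph.
// 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph app ID.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "https://graph.microsoft.com/",
  "00000003-0000-0000-c000-000000000000",
]);

function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split a compact JWS into header and payload; the signature segment is left opaque.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected header.payload.signature)");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Report whether Graph could accept this token at time `nowSeconds` (Unix seconds).
function inspectGraphToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwt(token);
  const problems = [];
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.some((a) => GRAPH_AUDIENCES.has(a))) {
    problems.push(`aud is ${JSON.stringify(payload.aud)}, not Microsoft Graph: token was issued for another resource`);
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) {
    problems.push("token is expired (or has no exp claim)");
  }
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) {
    problems.push("token is not yet valid (nbf is in the future)");
  }
  return { aud: payload.aud, tid: payload.tid, exp: payload.exp, usableForGraph: problems.length === 0, problems };
}

// Constructed sample tokens: unsigned (alg "none", empty signature segment), reusing
// the application ID, tenant ID and timestamps from the token in the question.
function makeUnsignedJwt(payload) {
  const header = { typ: "JWT", alg: "none" };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

const APP_ID = "8c907c91-1b21-4468-825e-116a4f663249";
const TENANT_ID = "77428205-87ff-4048-a645-91b337240228";
const ISSUED_AT = 1491987296;
const baseClaims = {
  iss: `https://sts.windows.net/${TENANT_ID}/`,
  iat: ISSUED_AT, nbf: ISSUED_AT, exp: ISSUED_AT + 3900,
  tid: TENANT_ID, ver: "1.0",
};
// Same shape as the token in the question: aud is the app itself.
const tokenForApp = makeUnsignedJwt({ aud: APP_ID, ...baseClaims });
// What an acquireToken("https://graph.microsoft.com") call should return.
const tokenForGraph = makeUnsignedJwt({ aud: "https://graph.microsoft.com", ...baseClaims });
```

Calling `inspectGraphToken(tokenForApp, ISSUED_AT + 60)` reports the audience problem and nothing else, exactly the condition the reply describes; `inspectGraphToken(tokenForGraph, ISSUED_AT + 60)` is clean, and the same Graph token inspected an hour and a half later is rejected as expired. Running it on the token pasted in the question gives the app-ID audience problem (and, today, the expiry problem), consistent with the payload decoded above.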
  • How should I enable graph.microsoft.com in my adaljs? I am using the angular2 adal service for authentication. It's giving me an id_token.
    Thursday, May 04, 2017 6:40 AM