12
votes

Following this guide: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/#_get-objectid-of-application-service-principal-in-user-azure-ad

I've reached the stage where I call graph.windows.net to Get the ObjectId of the service principal in user Azure AD.

When I do the call, however, I'm getting the following message:

{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}

I've already tried replacing the clientId with the 'onmicrosoft.com' address too (so graph.windows.net/appname.onmicrosoft.com/...), still got the same message.

Just a comment about the bounty: whatever solves the issue gets the bounty, obviously. – Asaf
Can you show us a sample of your code? The error is quite clear that you are missing the token, so either you are not sending it or you are not sending it in a way the API expects. – Ricardo Velhote
@Asaf We had this issue when using Fiddler to retrieve the token; it turned out it was due to the app / client secret containing special characters which needed to be encoded as part of the request for the bearer token. – jimpaine
I've tried both proposed solutions; unfortunately none of them worked. I still hope to get this solved. – Asaf
Can you confirm how you are testing the calls to Azure AD, i.e. Fiddler? Also, could you confirm whether you are trying to get a bearer token to then call the Graph API, or are you calling the Graph API with your recently acquired bearer token? – jimpaine

1 Answer

3
votes

To extend on my comment, we have seen this when the app secret contains characters that need encoding, such as "+" and "=".


If you are not using one of the client helpers available, or are testing with Fiddler or Postman, you will need to URL-encode the secret before requesting the token, so it becomes:

"7hIkYG5m7xJQnocThxMc4yPjtbRP7bO41aNC%2bbrEzvo%3d"
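To make the encoding point concrete, here is an added worked example (my own code, not part of the answer above or of any Microsoft sample). The tenant, client id and client secret are constructed placeholders; the v1 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token` is assumed from the guide linked in the question. The example builds the token request body two ways, once by hand-concatenating the raw secret (the way a Fiddler or Postman composer is often filled in) and once properly form-encoded, then parses each body the way the token endpoint would, which shows why a secret containing "+" or "=" stops matching when it is sent unencoded.

```python
"""
Why an unencoded client secret breaks the OAuth2 client_credentials request.

In an application/x-www-form-urlencoded body the server decodes '+' as a
space and treats '=' and '&' as field delimiters, so a secret such as
"Ab1+cd/EF==ghIJ" must be percent-encoded or the server compares a
different string from the one you were issued.
"""
import urllib.request
from urllib.parse import parse_qs, quote, urlencode

# Constructed placeholder values; none of these are real credentials.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "Ab1+cd/EF==ghIJ"          # deliberately contains '+', '/' and '='
RESOURCE = "https://graph.windows.net"     # the Azure AD Graph resource from the question


def token_endpoint(tenant: str) -> str:
    """Assumed v1 token endpoint shape used by the linked ARM authentication guide."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token"


def naive_body(client_id: str, secret: str, resource: str) -> str:
    """Hand-concatenated body: the raw secret is dropped straight into the string."""
    return (
        f"grant_type=client_credentials&client_id={client_id}"
        f"&client_secret={secret}&resource={resource}"
    )


def encoded_body(client_id: str, secret: str, resource: str) -> str:
    """Correct form body: every value is percent-encoded, so '+' -> %2B and '=' -> %3D."""
    return urlencode(
        {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": secret,
            "resource": resource,
        },
        quote_via=quote,  # percent-encode spaces as %20 rather than '+'
    )


def encode_secret(secret: str) -> str:
    """Encode just the secret, for pasting into a tool that does not encode for you."""
    return quote(secret, safe="")


def secret_as_server_sees_it(body: str) -> str:
    """Decode the body exactly as a form-parsing token endpoint would and return the
    client_secret value it ends up comparing against the registered secret."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("client_secret", [""])[0]


def secret_survives_round_trip(body: str, secret: str) -> bool:
    """Check to run before blaming the token endpoint: does the secret decode back intact?"""
    return secret_as_server_sees_it(body) == secret


def build_token_request(tenant: str, client_id: str, secret: str, resource: str) -> urllib.request.Request:
    """Assemble (but do not send) the POST with the correctly encoded body."""
    body = encoded_body(client_id, secret, resource).encode("ascii")
    return urllib.request.Request(
        token_endpoint(tenant),
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    raw = naive_body(CLIENT_ID, CLIENT_SECRET, RESOURCE)
    good = encoded_body(CLIENT_ID, CLIENT_SECRET, RESOURCE)
    print("unencoded body decodes secret as:", repr(secret_as_server_sees_it(raw)))
    print("encoded body decodes secret as:  ", repr(secret_as_server_sees_it(good)))
    print("encoded secret on its own:       ", encode_secret(CLIENT_SECRET))
```

`secret_survives_round_trip` is the check worth running whenever a hand-built token request is rejected: if the decoded `client_secret` does not equal the secret you were issued, the request body is at fault, not the credential. Python's `quote` emits uppercase hex (`%2B`, `%3D`); the lowercase `%2b` / `%3d` in the answer is equivalent, since percent-encoding is case-insensitive.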