2
votes

I'm trying to get the access token for the Microsoft Graph API in order to access a SharePoint document library. My application is a Windows service, hence I'm following the procedure described here.

But when I try to get the access token, the response that I get doesn't have the scope value. Below is my response:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on":"1492452559",
  "not_before": "1492448659",
  "resource": "https://graph.microsoft.com",
  "access_token": "Token"
}

Because of this, when I try to query the Graph API with this access token, I'm getting an error saying: Either scp or roles claim need to be present in the token

Can someone please help me on how to get this working? Thanks in advance.

1
Did you replace a really long piece of text with Token? - juunas

Could you check the access token in a service such as jwt.io and check if there really are no scopes there. You could even paste some of the contents here (with all the private info redacted/replaced of course). Could you also mention the URL you are trying to call with the token? Could you also mention what permissions you have granted for the app in Azure AD? If those are fine, then it could be a consent problem. - juunas

Hi juunas, I have given the Application Permissions: Read and Write files in all site collections which requires admin consent. Could you please tell me how can the admin consent be given? Thanks, - user318197

This is the URL to get the admin consent: login.microsoftonline.com/common/oauth2/authorize?client_id=<CLIENT-ID>&redirect_uri=<REDIRECT-URI>&resource=<RESOURCE-ID>&response_type=code&response_mode=form_post&prompt=admin_consent Got this working. Thanks - user318197

1 Answers

1
votes

It seems your client application hasn't set the appropriate app permissions when using the client credential flow. Below is an illustration of the application permissions section in the Azure AD classic portal. Please select the appropriate permissions needed and retry: [image]

In addition, when using the client credential flow to get the access token, you could check the roles claim in the access token (that is the way to check the app permissions, not in the token response), using a tool like http://jwt.calebb.net/ to decode the access token and check the app permissions: [image]
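
Added example (not part of the original answer or of any Microsoft sample): the roles/scp check described above, done locally so the bearer token never has to be pasted into a third-party decoder. The helper names are hypothetical, the two sample tokens are constructed and unsigned, and `Files.ReadWrite.All` is assumed to be the role value for the permission named in the comments.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def permission_claims(access_token: str) -> dict:
    """Return the permission-bearing claims of a JWT access token.

    The signature is NOT verified: this is for local inspection only,
    never for making authorization decisions.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = json.loads(b64url_decode(parts[1]))
    roles = payload.get("roles") or []       # application permissions (client credentials)
    scp = (payload.get("scp") or "").split() # delegated permissions, space separated
    # The API error on this page fires when both lists are empty.
    return {"aud": payload.get("aud"), "roles": roles, "scp": scp,
            "usable": bool(roles or scp)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Azure AD token)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.constructed-signature"


# Constructed samples: a token issued before admin consent and one issued after.
BEFORE_CONSENT = make_sample_token({"aud": "https://graph.microsoft.com"})
AFTER_CONSENT = make_sample_token({"aud": "https://graph.microsoft.com",
                                   "roles": ["Files.ReadWrite.All"]})  # assumed role value

if __name__ == "__main__":
    for name, token in (("before consent", BEFORE_CONSENT), ("after consent", AFTER_CONSENT)):
        print(name, permission_claims(token))
```
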