9 votes

I am trying to develop a simple background app to connect to my onedrive account (work) and regularly download some files.

I followed this tutorial https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds

I have registered the app here https://apps.dev.microsoft.com/portal/register-app. I have written down the client_id and client_secret.

To get an access token I make a POST request to

https://login.microsoftonline.com/common/oauth2/v2.0/token with the following form encoded data

{
    'client_id': 'clientid here',
    'client_secret': 'secret is here',
    'scope': 'https://graph.microsoft.com/.default',
    'grant_type': 'client_credentials',
}

I get back an access_token

{'ext_expires_in': 0,
 'token_type': 'Bearer',
 'expires_in': 3600,
 'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciO---SHORTENED FOR BREVITY'}

Next I make a GET request (with Bearer header properly set) to https://graph.microsoft.com/v1.0/me

and get this error response (which I get for any endpoint fwiw)

{
  "error": {
    "code": "BadRequest",
    "message": "Current authenticated context is not valid for this request",
    "innerError": {
      "request-id": "91059f7d-c798-42a1-b3f7-2487f094486b",
      "date": "2017-08-05T12:40:33"
    }
  }
}

I have these permissions configured in the app setting permissions

Any ideas what might be wrong?


2 Answers

12 votes

I'll file a bug to improve this awful error message. The problem is that you are making a request using application permissions (client_credentials flow) - where there is no signed-in user context. Your request is to /me, and /me is basically an alias for the signed-in user - and in this case there isn't one!

You should try a call to https://graph.microsoft.com/v1.0/users instead. But before you do that: in the app registration portal, you've selected delegated permissions, but you are calling with application permissions. You should remove the delegated permissions and select the appropriate application permissions - to call users, select User.Read.All for example. Then make sure to consent/reconsent your app by going to the /adminconsent endpoint.

Please also read more on permissions and delegated and application permissions here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference

Hope this helps,
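The answer's point (an app-only token from the client_credentials grant carries no signed-in user, so /me cannot work, and the token must carry application permissions that an admin has consented to) can be checked locally before any Graph call is made. The following is an added example, not code from the question or the answer and not a Microsoft library: it builds the same token-request form the question uses, builds the /adminconsent URL the answer refers to, and decodes the payload of an access token (without verifying the signature, which Graph does on its side) to tell a delegated token (`scp` claim) from an app-only token (`roles` claim). The tokens below are constructed, unsigned stand-ins so the script runs offline; the tenant, client id and redirect URI are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def client_credentials_form(client_id: str, client_secret: str) -> dict:
    """Form body for the v2.0 client_credentials grant (the same four fields as in the question)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """URL a tenant admin visits to consent to the app's application permissions."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"{LOGIN}/{tenant}/adminconsent?{query}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    This is only for inspecting a token you already hold; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_context(claims: dict) -> str:
    """'delegated' if the token carries a signed-in user's scopes (scp),
    'application' if it carries consented app roles (roles), else 'application-no-roles'."""
    if "scp" in claims:
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "application-no-roles"


def check_graph_call(claims: dict, path: str) -> tuple:
    """Decide, from the token's claims alone, whether a Graph path can succeed."""
    ctx = token_context(claims)
    if path == "/me" or path.startswith("/me/"):
        if ctx != "delegated":
            return False, "/me is an alias for the signed-in user; an app-only token has none, use /users/{id}"
        return True, "ok"
    if ctx == "application-no-roles":
        return False, "app-only token carries no roles: add application permissions and run /adminconsent"
    return True, "ok"


def _constructed_token(claims: dict) -> str:
    """Build an UNSIGNED token shaped like an Azure AD JWT, for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed sample tokens (placeholder ids, not real tenants or apps).
APP_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-000000000000",
     "roles": ["User.Read.All"]})
DELEGATED_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "upn": "user@example.com",
     "scp": "User.Read Files.Read"})
NO_ROLE_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    for name, tok in [("app", APP_TOKEN), ("delegated", DELEGATED_TOKEN), ("no-roles", NO_ROLE_TOKEN)]:
        claims = jwt_claims(tok)
        for path in ("/me", "/users"):
            print(name, token_context(claims), GRAPH + path, check_graph_call(claims, path))
    print(admin_consent_url("TENANT-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "https://localhost/callback"))
```

With a real token returned by the POST in the question, `jwt_claims(access_token)` shows directly whether `roles` is present; if it is absent, the app registration still has only delegated permissions or admin consent has not been granted, which is the situation the answer describes.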

1 vote

I used https://graph.microsoft.com/v1.0/users/{{Emailid}}/messages to get all the messages in my inbox.