Office365 Rest API 401 “The audience claim value is invalid”

2
votes

I have a microsoft token that is able to be refreshed successfully, yet when I try to make a basic call that is within one of the scopes authorized, I get a 401. The call is: https://outlook.office365.com/api/v2.0/me and here is the detail back from the server:

https://outlook.office365.com/api/v2.0/me> @request=# @request_headers={"Authorization"=>"Bearer MYTOKENGOESHERE", "Accept"=>"application/json", "User-Agent"=>"Faraday", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "return-client-request-id"=>"true"} @ssl=# @response=# @response_headers={"server"=>"Microsoft-IIS/10.0", "request-id"=>"7624eddb-b6ab-42ca-beff-c1132f64ded9", "client-request-id"=>"221e4530-9075-11e8-abc0-186590cf8dc9", "x-calculatedbetarget"=>"BY1PR15MB0055.NAMPRD15.PROD.OUTLOOK.COM", "x-backendhttpstatus"=>"401", "x-rum-validated"=>"1", "x-ms-diagnostics"=>"2000003;reason=\"The audience claim value is invalid 'https://graph.microsoft.com'.\";error_category=\"invalid_resource\"", "x-besku"=>"Gen8", "x-diaginfo"=>"BY1PR15MB0055", "x-beserver"=>"BY1PR15MB0055", "x-powered-by"=>"ASP.NET", "x-feserver"=>"BYAPR01CA0019", "www-authenticate"=>"Bearer client_id=\"MYIDGOESHERE\", trusted_issuers=\"00000001-0000-0000-c000-000000000000@*\", token_types=\"app_asserted_user_v1 service_asserted_app_v1\", authorization_uri=\"https://login.windows.net/common/oauth2/authorize\", error=\"invalid_token\",Basic Realm=\"\",Basic Realm=\"\"", "date"=>"Thu, 26 Jul 2018 01:42:26 GMT", "connection"=>"close", "content-length"=>"0"} @status=401>>

I have many users who use this same code pathway just fine right now, but a few users are running into this issue which makes me think it's a configuration issue on their end or something, however the error message doesn't tell us much...Please help

1
oauth-2.0outlookoffice365
Also, I just noticed that the "claim" seems to be pointing to 'graph.microsoft.com' which we don't even authorize for (It's not one of the scopes) nor is this url requesting access to that endpoint. Any ideas about this?BryanP
Hi, this is affecting us as well. Did you ever get a resolution?David

1 Answers

4
votes

The internal management of scopes within Microsoft has changed for security reasons. We were using scopes such as Mail.Read which are Microsoft Graph scopes, but we were using them to access outlook.com endpoints. Until last week this was allowed, but now it is no longer allowed.

The fix was to prepend https://outlook.office.com so the new scope would be https://outlook.office.com/Mail.Read and this scope format is allowed on the outlook REST API endpoints. Just be careful not to mix graph and outlook scopes as it appears you cannot get a single token that can work for both of those APIs.