0
votes

I have googled a lot on this issue, yet nothing helped me. I have also seen many similar posts, but none were useful.

I am using MS Graph API V2 to access user emails, calendar, and contacts data.

Authorize URL:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ABC&redirect_uri=redirectURL&response_type=code&scope=Mail.Read(ScopeURL)

Token Request URL:

https://login.microsoftonline.com/common/oauth2/v2.0/token

Headers:

Content-Type:application/x-www-url-form-urlencoded

Body: 

client_id:ABC
redirect_uri:RedirectURL
grant_type:authorization_code
client_secret:KEY
code: pasted from browser URL

I am successfully getting the code in the browser URL after signing in, and I am using the same code to get the access token as well.

User Profile/Mail Messages/Contacts Request:

Ex: I am trying to read the user profile as well as the user's mail messages.

Respective Requests:

Profile: https://graph.microsoft.com/v1.0/me/

Mail Messages: https://graph.microsoft.com/v1.0/me/messages

Header: Authorization:Bearer (AccessToken pasted from token request)

But I get the error below whichever of the above requests I use.

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure.",
        "innerError": {
            "request-id": "1e232525-6772-483e-87e3-679d5fcb8fb5",
            "date": "2019-02-22T11:53:50"
        }
    }
}

I have set permissions for mail read and write, calendar data access, and contacts (full access).

I created the application in https://apps.dev.microsoft.com

1
Have you tried to validate the token using jwt.ms? - FIL
Yes, I had validated the token and it is valid. - PavanKumar GVVS
You would make your life easier by using the MSAL library to do the OAuth flow for you. There are plenty of steps where you can go wrong. If you really don't want to do that, one thing I would suggest trying is to prefix your scopes with graph.microsoft.com. - Darrel Miller
Yes, I used the scope like you mentioned, and it worked for me. Thanks. But I created the app in "apps.dev.microsoft.com", created scopes manually, and used a specific scope URL. Ex: api://<APPID>/Mail.Read. Is this causing the issue for me? Will it not work? What is wrong with this? - PavanKumar GVVS
However, I am not able to get "me/contacts" data from the API even though I set permissions. What could be the reason? Error: Resource not found - PavanKumar GVVS

1 Answer

1
votes

The scope format should be https://graph.microsoft.com/Mail.Read Mail.ReadWrite User.Read. I tried the following and it worked.


To get me/contacts, you need to grant the Contacts.Read and Contacts.ReadWrite permissions.


And when you request the access_token, the authorization URL should look like this: https://login.microsoftonline.com/common/oauth2/v2.0/authorize? (you need to use common in place of the tenant name).

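An added example, not part of the original question or answer: a token requested with a scope such as api://<APPID>/Mail.Read is issued for that application rather than for Microsoft Graph, which is why Graph rejects it. The sketch below does the same kind of claim inspection as jwt.ms and checks the aud and scp claims before a Graph call; the function names and the sample tokens are hypothetical and constructed for illustration, and no signature verification is performed.

```python
import base64
import json

# Audience values Microsoft Graph accepts: its resource URI and its well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_graph_token(token, needed_scopes):
    """Inspect (not verify) an access token's claims before calling Graph.

    Hypothetical helper: a client-side diagnostic only, no signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # Some tokens (e.g. for personal accounts) can be opaque strings.
        return {"ok": False, "reason": "not a JWT; claims cannot be inspected"}
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"ok": False, "reason": "payload is not base64url JSON"}
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        return {"ok": False, "reason": f"aud is {aud!r}, not Microsoft Graph"}
    missing = set(needed_scopes) - set(claims.get("scp", "").split())
    if missing:
        return {"ok": False, "reason": "missing scopes: " + " ".join(sorted(missing))}
    return {"ok": True, "reason": "audience and scopes match"}


def make_sample_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed tokens: one for a custom api:// scope, one for the Graph prefix.
    custom = make_sample_token({"aud": "api://APPID-PLACEHOLDER", "scp": "Mail.Read"})
    graph = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read"})
    print(diagnose_graph_token(custom, {"Mail.Read"}))
    print(diagnose_graph_token(graph, {"Mail.Read", "Contacts.Read"}))
```

The second call shows the me/contacts case from the comments: the audience is correct, but the token carries no Contacts scope.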