I have a Bot Framework application which is able to call the Graph API. There is an OAuth authentication flow to log my user in to the bot application. I can query the Graph API with requests like the following:

  • https://graph.microsoft.com/v1.0/me

  • https://graph.microsoft.com/v1.0/sites/xxxx.sharepoint.com:/sites/test:/lists/Test/items

I want to query the SharePoint Online API with the same token that is used to call the Graph API. I gave the necessary permissions in the AAD application located in the Azure Portal. I wrote the code below but I got a 401 Not Authorized exception from the SPO API. How can I call the SPO API with the same token?

using Microsoft.SharePoint.Client;

// _token is the access token obtained during the bot's OAuth flow (the one that works against Graph)
ClientContext context = TokenHelper.GetClientContextWithAccessToken("https://mytenant.sharepoint.com/sites/test/", _token);
List testList = context.Web.Lists.GetByTitle("Test");
CamlQuery query = CamlQuery.CreateAllItemsQuery(100);
ListItemCollection items = testList.GetItems(query);
context.Load(items);
context.ExecuteQuery(); // Fires 401 error
Did you find a solution to this? I'm in the exact same position... I need to call the SharePoint Online Search REST APIs from the Bot Framework. – dhendry

I am sorry, I couldn't find any solution. As I understand from the comment below, it's not possible to call another API with a Graph API token. – Murat

1 Answer

You can't and shouldn't use the access_token with Microsoft Graph as the audience to call SPO API.

Why:

An Azure AD access_token must contain an "aud" claim.

  • It identifies the intended recipient of the token. In access tokens, the audience is the resource app's Application ID or Identifier, assigned to your app in the Azure portal. The resource app should validate this value and reject the token if the value does not match.

  • So, in the first access_token, its audience should be the Microsoft Graph API, not the SPO API. When you tried to use the access_token to call the Microsoft Graph API, the "aud" claim was validated. However, when you tried to use that access_token to call the SPO API, the "aud" claim value did not validate, and the SPO API treated it as an invalid access_token and gave a "401 unauthorized" response.

See more details about access_token in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens

More information:

If you want to use the SPO API, we need to use the Office 365 Discovery service to find the correct service API endpoint first. However, this is not supported by Microsoft anymore, as newly created apps do not have access to the O365 discovery endpoint due to deprecation.

Currently, we recommend you use Microsoft Graph API instead.
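The answer's core point is that a resource validates the "aud" claim and rejects any token minted for a different audience, which is exactly why a Graph-audience token fails at SharePoint Online. The following is an added illustration, not code from the question, the answer or any Microsoft library: it builds constructed HS256 demo tokens (Azure AD actually signs with RS256 and a published key set) carrying an "aud" claim, and shows a resource-side validation routine that checks signature, lifetime and audience in that order. The secret, issuer and both audience values are placeholders, and the SPO audience string is a hypothetical resource identifier.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: not a real key, tenant or application identifier.
DEMO_SECRET = b"demo-signing-secret-not-real"
GRAPH_AUD = "https://graph.microsoft.com"          # audience of the token the bot already has
SPO_AUD = "https://mytenant.sharepoint.com"         # hypothetical SPO resource identifier
DEMO_ISSUER = "https://sts.windows.net/constructed-tenant-id/"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(aud: str, secret: bytes = DEMO_SECRET, ttl: int = 3600) -> str:
    """Mint a demo JWT whose 'aud' claim names the resource it is intended for."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"aud": aud, "iss": DEMO_ISSUER, "iat": now, "nbf": now,
               "exp": now + ttl, "scp": "Sites.Read.All"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, expected_aud: str, secret: bytes = DEMO_SECRET, now=None):
    """Resource-side check. Returns (accepted, reason).

    Order matters: verify the signature first so that unauthenticated claims
    are never trusted, then lifetime, then audience. A token with a valid
    signature but the wrong 'aud' is still rejected, which is the 401 the
    question observed when a Graph token was sent to SharePoint Online.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = parts[0] + "." + parts[1]
    expected_sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    try:
        actual_sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "bad signature"
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "expired or not yet valid"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # RFC 7519 allows a list
    if expected_aud not in audiences:
        return False, "audience mismatch: token aud=%r, expected %r" % (aud, expected_aud)
    return True, "ok"


if __name__ == "__main__":
    graph_token = make_demo_token(GRAPH_AUD)
    print("Graph token at Graph:", validate_token(graph_token, GRAPH_AUD))
    print("Graph token at SPO:  ", validate_token(graph_token, SPO_AUD))
    print("SPO token at SPO:    ", validate_token(make_demo_token(SPO_AUD), SPO_AUD))
```

Running the script shows the same token accepted by the audience it was issued for and rejected with an audience mismatch by the other, while a separately issued SPO-audience token is accepted there. The practical consequence matches the answer: request a distinct token per resource rather than reusing one across APIs.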