0
votes

My Registered Application uses the REST API to synchronize files with "OneDrive for Business". It worked for a year, but recently, my customer reported an error when syncing with "OneDrive for Business". It responds with an error when my app lists or uploads files to it.

For example, listing files in "OneDrive for Business":

https://mydomain-my.sharepoint.com/_api/v2.0/me/drive/items/root/children?select=id,name,size,deleted,folder,file,parentReference,lastModifiedDateTime

"OneDrive for Business" returns the following error:

{
    "error": {
        "innerError": {
            "code":"invalidAudienceUri"
        },
        "code": "unauthenticated",
        "message": "Invalid audience Uri 'https://api.office.com/discovery/'."
    }
}

My application has logged correctly into "OneDrive for Business" by OAuth2 and added the authentication header correctly.

Could someone tell me what the cause of the error is and how to avoid the problem?

1
If you paste your bearer token into jwt.ms, what is the value of the aud claim? It sounds like the audience (sometimes called the resource) provided when you got the token was the discovery endpoint and not SharePoint. - Brad
Thank you Brad, the "aud" is "api.office.com/discovery", how can I change the aud? - RiseFly
Can you update your question to include how the token was obtained? Strip out client secrets if present. - Brad
Hello Brad, thank you for the hint, I have resolved the problem; see the answer below. - RiseFly

1 Answer

0
votes

Following Brad's hint, I have resolved the problem, though maybe not in a beautiful way. Here are the program steps to resolve the problem (sorry, I have omitted the links because I cannot post too many links):

  1. Show the OAuth2 consent dialog box, let the user allow the application to access OneDrive for Business, and obtain the Authentication Token (AuthToken).

  2. Use the AuthToken to get the AccessToken and RefreshToken for the discovery API. Here is the help for the discovery API.

  3. Use the above AccessToken to access the discovery API to get the resource URI of your account. The result is like "htts://yourdomain-my.sharepoint.com/".

  4. Show the OAuth2 consent dialog box AGAIN, let the user allow the application to access OneDrive for Business, and obtain the Authentication Token (AuthToken2).

  5. Use the AuthToken2 to get the AccessToken2 and RefreshToken2 for "htts://yourdomain-my.sharepoint.com/".

  6. Access your "OneDrive for Business" resource with AccessToken2 and RefreshToken2.

The old OneDrive for Business API does not need Step 4 and Step 5; you just use the AccessToken and RefreshToken to access the resources, but the new APIs need Step 4 and Step 5.
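The audience mismatch discussed in this thread can be caught on the client before the request is sent. The following Python sketch is an added example, not code from the question or the answer: it decodes the token's `aud` claim the way jwt.ms displays it and compares it with the host of the URL about to be called. The function names and sample tokens are hypothetical and constructed here, and it assumes the audience is a resource URI as in this thread.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _origin(uri):
    # Some tools show the audience without a scheme; assume https in that case.
    u = urlsplit(uri if "://" in uri else "https://" + uri)
    return u.scheme.lower(), (u.hostname or "").lower()


def audience_matches(token, request_url):
    """True if any 'aud' value names the same scheme and host as request_url."""
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    target = _origin(request_url)
    return any(isinstance(a, str) and _origin(a) == target for a in audiences)


def sample_token(aud):
    """Build an unsigned, constructed token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "x"])


API_URL = "https://mydomain-my.sharepoint.com/_api/v2.0/me/drive/items/root/children"

if __name__ == "__main__":
    for aud in ("https://api.office.com/discovery/",
                "https://mydomain-my.sharepoint.com/"):
        ok = audience_matches(sample_token(aud), API_URL)
        print(f"aud={aud!r} -> {'matches API host' if ok else 'audience mismatch'}")
```

The decode step is for diagnosis only: the resource server remains the party that validates the signature and audience, so a client-side match does not make a token trustworthy.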