0
votes

I have tried everything but somehow I am unable to generate a token, or the token that is generated does not work. Please help with what I am doing wrong. I want the token to create an online meeting. Sharing the requests below which I have tried.

  1. Generate a token with the client credentials grant type. REQUEST:

    curl --request POST 'https://login.microsoftonline.com/CXXXXXXX/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'password=CXXXXXXX' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'scope=OnlineMeetings.ReadWrite' \
      --data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX' \
      --data-urlencode '[email protected]' \
      --data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_'

Save the token generated. Using it against https://graph.microsoft.com/v1.0/me/onlineMeetings gives the error: Access token validation failure. Invalid audience

  2. Use this token as an assertion as follows:

    curl --request POST 'https://login.microsoftonline.com/learn123456789.onmicrosoft.com/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
      --data-urlencode 'scope=OnlineMeetings.ReadWrite' \
      --data-urlencode 'client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX' \
      --data-urlencode 'client_secret=CXXXXXXX6ryCXXXXXXXuV.zu8SmW~D_' \
      --data-urlencode 'resource=https://graph.microsoft.com/' \
      --data-urlencode 'requested_token_use=on_behalf_of' \
      --data-urlencode 'assertion=tokenFromFirstAPI'

  3. Also tried this API:

    https://login.microsoftonline.com/common/oauth2/authorize?client_id=CXXXXXXXCXXXXXXX-464c-965a-CXXXXXXXCXXXXXXX&response_type=token&resource=XXXXXXX6-ba00-4fd7-XXXXXXXXX3

The error is: "Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was '00000002-0000-0000-c000-000000000000' and the expected audience is 'clientID' or one of the Application Uris of this application with App ID XXX. The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion."

No token works with this endpoint: https://graph.microsoft.com/v1.0/me/onlineMeetings

Getting: "Access token validation failure. Invalid audience."

Please help, what am I doing wrong?

3

Could you please check the permissions once and try using the Graph Explorer.

VaraPrasad-MSFT

3 Answers

0
votes

Thanks Carl, but it did not work.

Have even given all the permissions as suggested above.

ERROR- Bad Request - 400 - 819ms

{ "error": { "code": "AuthenticationError", "message": "Error authenticating with resource", "innerError": { "date": "2020-12-27T09:36:57", "request-id": "4e01eff1-9eb5-42dd-9009-dbdd85aca49a", "client-request-id": "5effa441-d7f6-5ef7-5066-1d7153f39712" } }

0
votes

As your error message says, your token audience is invalid, because you set the wrong scope when requesting the token. You should set the scope to https://graph.microsoft.com/.default or https://graph.microsoft.com/OnlineMeetings.ReadWrite. In addition, the API call only supports delegated permissions, so you can't use the client credential flow to get the token. For the /me endpoint, the user needs to log in, so you need to use the auth code flow to obtain an access token.


Or, there is a simpler method: you can use Graph Explorer to test; you only need to log in as the user and add the permissions.



Update:

I noticed that you use 3 methods to get the token.

First of all, for the first method, you are using a v1.0 endpoint and the client credential flow to obtain the token. What you need to pay attention to is that when you use v1.0 authentication, you cannot use scope; you should use resource. In addition, when you use the client credential flow, you cannot use the v1.0 version; you need to use the beta version, and because the client credential flow is a flow without user login, you cannot call the /me endpoint; you should call the /users endpoint. (Note: When you use the beta version with the client credential flow, according to the documentation, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).)

The complete request is:

    POST https://login.microsoftonline.com/{tenant}/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    client_id=535fb089-9ff3-47b6-9bfb-xxxxxxxxxx
    &resource=https://graph.microsoft.com/
    &client_secret=qWgdYAmab0YSkuLxxxxxxx
    &grant_type=client_credentials

API call:

    https://graph.microsoft.com/beta/users/{userId}/onlineMeetings

For the second method, I noticed that you are using the OBO flow, and then you pass in the wrong access token obtained by the first method as an assertion, so the access token you obtained using this flow is definitely not correct. In addition, if you don't have a back-end API, please do not use this flow. This flow requires you to have a middle-tier API, and it is cumbersome to use.

Your third method is also wrong; your resource should be: https://graph.microsoft.com

To summarize: If you want to use the client credential flow without user login, please refer to my update. If you don't have a back-end API, please do not use the OBO flow.
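As an added illustration of the two points in this answer (which request parameter selects the token audience at each endpoint version, and why Graph rejected the token), here is example code that is not from the poster, the answerer or Microsoft. The JWTs it decodes are constructed locally and unsigned; the value 00000003-0000-0000-c000-000000000000 is the well-known app ID of Microsoft Graph, and 00000002-0000-0000-c000-000000000000 (the audience in the question's error) is the legacy Azure AD Graph.

```python
import base64
import json
from urllib.parse import urlencode

# Microsoft Graph is identified by its resource URI (v1.0 tokens) or its
# well-known app ID (v2.0 tokens). 00000002-0000-0000-c000-000000000000, the
# audience in the asker's assertion, is the legacy Azure AD Graph instead.
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {GRAPH_RESOURCE, GRAPH_RESOURCE + "/", GRAPH_APP_ID}

def client_credentials_body(client_id, client_secret, endpoint_version="v1.0"):
    """Form body for a client-credentials token request. The v1.0 endpoint
    (/oauth2/token) selects the audience from `resource`; the v2.0 endpoint
    (/oauth2/v2.0/token) selects it from `scope` ending in `/.default`."""
    body = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if endpoint_version == "v1.0":
        body["resource"] = GRAPH_RESOURCE + "/"
    else:
        body["scope"] = GRAPH_RESOURCE + "/.default"
    return urlencode(body)

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: a diagnostic aid
    only, never a basis for authorization decisions."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def audience_ok_for_graph(token):
    """True if the `aud` claim names Microsoft Graph, i.e. the token would pass
    the audience validation that failed in the question."""
    return token_claims(token).get("aud") in GRAPH_AUDIENCES

def make_sample_token(claims):
    """CONSTRUCTED unsigned JWT for demonstration only; not a real Azure AD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed samples: the audience from the question's error, and a Graph one.
WRONG_AUD_TOKEN = make_sample_token({"aud": "00000002-0000-0000-c000-000000000000"})
GRAPH_AUD_TOKEN = make_sample_token({"aud": GRAPH_RESOURCE})
```

Running `audience_ok_for_graph` on a freshly obtained token before calling Graph tells you immediately whether the request body asked for the right audience, instead of learning it from the "Invalid audience" response.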

0
votes

Error in the following URL:

    "message": "Error authenticating with resource",

https://developer.microsoft.com/en-us/graph/graph-explorer