0
votes

Thanks for reading this.

I've a problem obtaining an access token for MS Graph using Postman. I've been reading similar posts on stackoverflow, but so far, without success. In the following I added some screenshots that contain (I believe) all the information needed for this process.

  1. Screenshot of application permissions: https://i.stack.imgur.com/4lyM2.png

  2. The link I use to obtain an access-code:

    https://login.microsoftonline.com/{Tenant ID}/oauth2/v2.0/authorize? client_id=3ef3343a-ab22-4c50-12ae2a2d7c67 &response_type=code &redirect_uri=https://localhost:8080 &response_mode=query &scope=offline_access%20user.read &state=12345

  3. After following this link I give permission and receive a code, which I use in the following Postman call: https://i.stack.imgur.com/ZJv2b.png

I had no problem obtaining the access token without a user, but unfortunately, I need more than just the application permissions. I hope someone can help me!

Thanks for your time!

2
The error states the request you made is not correct. Have you checked the request in Fiddler? It should look something like this. (Shiva Keshav Varma)

2 Answers

0
votes

You cannot generate a single token that is both Delegated (with a user) and Application (without a user). You'll need to make two separate requests.

For generating a Delegated token, you first need to retrieve an Authorization Code (i.e. the authorization_code grant). This is done by redirecting the user to the following address (line breaks are for readability only):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=[APPLICATION ID]&
response_type=code&
redirect_uri=[REDIRECT URI]&
scope=[SCOPE]

This will return an Authorization Code to the address you specified in the redirect_uri parameter (note that this address must also be included in your app registration). You then take this code and POST it to the /token endpoint like this:

https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=[AUTHORIZATION CODE]&
client_id=[APPLICATION ID]&
client_secret=[PASSWORD]&
scope=[SCOPE]&
redirect_uri=[REDIRECT URI]

For Application tokens, you simply skip the authorization code step and POST to the /token endpoint directly:

https://login.microsoftonline.com/{tenantDomain}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=[APPLICATION ID]&
client_secret=[PASSWORD]&
scope=https://graph.microsoft.com/.default
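An added example (not code from this answer) of the Delegated exchange described above in Python: take the bare `code` value out of the redirect, check that the echoed `state` is the one that was sent, and POST the form body to the v2.0 /token endpoint. Endpoint and parameter names are those in the answer; the client id, secret and redirect URL are placeholders.

```python
"""Added example: authorization_code grant against the v2.0 /token
endpoint. Client id, secret and redirect URL are placeholders."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def extract_auth_code(redirect_url: str, expected_state: str) -> str:
    """Return the bare value of the `code` query parameter from the
    redirect that /authorize sends the browser to. Only the value is
    redeemed, never the literal "code=" prefix. The `state` echoed back
    must equal the one we sent, otherwise this redirect is not a reply
    to our own authorization request and must be discarded."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "code" not in query:
        # Failures come back as error / error_description instead of code.
        raise ValueError(query.get("error_description", ["no code in redirect"])[0])
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri, scope):
    """Form body for the authorization_code grant, exactly the fields the
    answer lists; redirect_uri must match the one used at /authorize."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "redirect_uri": redirect_uri,
    })


def redeem_code(body: str, opener=urllib.request.urlopen) -> dict:
    """POST the form body to /token and return the parsed JSON reply
    (access_token, token_type, expires_in, ...). `opener` is injectable
    so the exchange can be exercised offline without a tenant."""
    req = urllib.request.Request(
        TOKEN_URL, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)
```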
0
votes

You need to delete the "code=" in the code of the Postman call; it looks like "OAAABAAAAiL9Kn.....". The code is just the value of "code" from the /authorize endpoint. The others all look correct.


UPDATE:

I tried with the steps in your issue, it worked well.

Permissions:

(screenshot of the permissions)

Get authorization code:

https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?
client_id={client-id}
&response_type=code
&redirect_uri=https://localhost:44300/
&response_mode=query
&scope=offline_access%20user.read
&state=12345

Receive the code:

https://localhost:44300/?code=0.ATcATqvJ...vv1MbCO6MN_uCAA&state=12345&session_state=7ac58b8f-b2af-45fa-be4b-0b2c2a003e2e

The code is 0.ATcATqvJ...vv1MbCO6MN_uCAA from the previous step.

Request in Postman:

(screenshot of the Postman request)