I am trying to migrate my app from Office 365 REST v2.0 to Microsoft Graph (v1.0). The token exchange seems to be working but as soon as I am trying to call an API, I am getting the following error:

    (
    [errorNumber] => 401
    [error] => Request returned HTTP error 401
    [message] => {
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "date": "2021-03-16T15:36:21",
      "request-id": "dda1e33a-2774-4986-8c45-1487404fbb72",
      "client-request-id": "e842d9a8-d71b-0563-f1ce-e58052e5bdb9"
    }
  }
}
)

The access_token has the following audience:

"aud": "https://outlook.office.com"

Here is the endpoint that I am using:

https://login.microsoftonline.com/common/oauth2/v2.0/token

Payload:

grant_type=authorization_code
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=https%3A%2F%2Fxxx.com%2Fproxy%2Foffice365authorize
&client_id=e2147faf-87f0-4e7f-xxxx-xxxxxxxxxxx
&client_secret=xxxxxxxxxxxx

Any hint would be greatly appreciated, thanks!

1 Answers

This means your token has the wrong audience. To call the Microsoft Graph API, you need to get a token for Microsoft Graph, i.e. the access token needs "aud": "https://graph.microsoft.com".

It looks like you are using the AAD auth code flow to get the token, so when you request an authorization code, use the scope https://graph.microsoft.com/.default.

https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

Also use scope=https://graph.microsoft.com/.default when requesting the token.

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id=xxxxxx
&scope=https://graph.microsoft.com/.default
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=xxxxxx
&grant_type=authorization_code
&client_secret=xxxxx

To call the API successfully, also make sure you have granted the correct Delegated Microsoft Graph API permissions to your client app, depending on the API you want to call, e.g. if you want to call List users, you need the permissions here.

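An added example (not part of the answer above) showing a client-side check for the problem in the question: it reads the `aud` claim out of an access token and builds the v2.0 token request with the Graph scope. The token here is constructed and unsigned for demonstration; the decode is a diagnostic aid only and does not verify the signature, which Microsoft Graph does server-side. The accepted audiences are assumed to be the Graph URL and Graph's well-known application id.

```python
import base64
import json
from urllib.parse import urlencode

# Microsoft Graph accepts either form of its audience in the aud claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_audience(access_token: str) -> str:
    # Inspect the aud claim of the payload. No signature verification here:
    # this only tells you which resource the token was minted for.
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("aud", "")


def is_graph_token(access_token: str) -> bool:
    # A token minted for https://outlook.office.com will be rejected by Graph
    # with "InvalidAuthenticationToken ... Invalid audience".
    return token_audience(access_token) in GRAPH_AUDIENCES


def build_token_request(client_id, client_secret, code, redirect_uri) -> str:
    # v2.0 token request body: the scope decides which resource the token is for.
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": GRAPH_SCOPE,
    })


def _fake_jwt(aud: str) -> str:
    # Constructed, unsigned token (alg "none", empty signature) for the demo.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), ""])


if __name__ == "__main__":
    print(is_graph_token(_fake_jwt("https://outlook.office.com")))  # False
    print(is_graph_token(_fake_jwt("https://graph.microsoft.com")))  # True
```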