MS Graph API: invalid authentication token
Solution 1
in your login request, the resource parameter should be https://graph.microsoft.com
Solution 2
It seems to be the case, that tokens issued from the v1 endpoint aren't valid for atleast some requests with MS Graph API.
Instead try to get the token form the v2 endpoint by calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
.
In case you are working with oidc discovery documents, you'll find the one for v2 at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Solution 3
I think you will need to register app from here "https://apps.dev.microsoft.com" instead of from Azure Portal.
Solution 4
Unless you are an using Client Credentials, you cannot access the messages another account's mailbox. Make sure that [email protected]
is the same account you are authenticated with and that this address is also the userPrincipalName for the account.
You can also use a simplified URI for requesting your messages and bypassing determining the account's userPrincipalName
by using /me
. In this case the GET
request would be https://graph.microsoft.com/v1.0/me/messages
Related videos on Youtube
vaindil
Updated on December 19, 2020Comments
-
vaindil over 3 years
I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the
Mail.Read
permission. (I don't have access to the Azure portal, I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.Why is this call failing? It seems like I'm passing all of the correct information but I'm clearly missing something.
I'm getting the token by performing a
POST
on:https://login.microsoftonline.com/my.domain/oauth2/token
I pass the necessary parameters:
data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}
and I get a response like this:
{ 'resource': 'APPURI', 'expires_in': '3599', 'ext_expires_in': '3600', 'access_token': 'TOKENHERE', 'expires_on': '1466179206', 'not_before': '1466175306', 'token_type': 'Bearer' }
I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:
h = {'Authorization': 'Bearer ' + TOKEN}
I'm calling this URL:
url = 'https://graph.microsoft.com/v1.0/users/[email protected]/messages'
Specifically, I use this:
r = requests.get(url, headers=h)
The response is a 401:
{ 'error': { 'innerError': { 'date': '2016-06-17T15:06:30', 'request-id': '[I assume this should be removed for privacy]' }, 'code': 'InvalidAuthenticationToken', 'message': 'Access token validation failure.' } }
-
vaindil almost 8 yearsI'm trying to set up a task on my web app that will periodically check a specific mailbox for new emails and process attachments on them. Sounds like I'm going about it the wrong way then.
-
Marc LaFleur almost 8 yearsThis will work but you'll need to either get a token using that mailbox's credentials or use an account with administrative privileges.
-
vaindil almost 8 yearsHope it's okay to piggyback off of this. We can't figure out where to generate the credentials under the account; can't log into the portal because it's not an administrator account. Where would we do that?
-
vaindil almost 8 yearsThe app information created in the URL provided in the other answer by Xiaomin returns this from the oauth endpoint:
Application 'IDHERE' is not supported for this API version.
Must not be the correct way to do it. -
Marc LaFleur almost 8 yearsIf you're registering at apps.dev.microsoft.com then make sure you are also using the v2 Endpoint. For classic Azure AD integration (aka v1) you need to register within your Azure AD instance and use the ID and secret from there.
-
Marc LaFleur almost 8 yearsNote that switching to v2 will not get around the Admin requirement for other user mailboxes.
-
vaindil almost 8 yearsHmm... we're trying to use the classic integration, but can't find a way to register it under a specific user. The apps appear to be created globally. The account can't log into the portal because it isn't an administrator. The person who created the credentials originally is an administrator but they still don't work.
-
Marc LaFleur almost 8 yearsYou don't register an app to a specific user. You register an app to Azure AD and the actual user authenticates using OAUTH. OAUTH has 3 components - the "User" with a User ID, the "App" with an App ID, and a "Provider" which authenticates both the "User" (via the user's credentials) and the "App" (via the app's registration ID). In order to access remote mailboxes the "User" must be an Admin.
-
vaindil almost 8 yearsLet us continue this discussion in chat.
-
Karthik Rana about 5 yearsHow to specify more than one resource there ?
-
Amit over 4 yearsThis won't be of help. The page says - "Application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal."