I am testing the Microsoft Graph beta endpoint that sends invitations to guest users to join the tenant. The endpoint I am using is :
https://graph.microsoft.com/beta/invitations
Body:
{
"invitedUserEmailAddress": "abc#xyz.com",
"inviteRedirectUrl": "https://myDomain"
}
I am passing the bearer token in Authorization header that I got for the local admin user through the ADAL4J api. However, this call gives me a 401 Unauthorized error. Following is the response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "91f8129e-70cc-467d-a45b-9309e55788d6",
"date": "2017-02-10T08:46:09"
}
}
}
Any clue on how to get this request working? On Github I have gone through other discussions(eg) where users are facing the same issue.
The token sent was obtained with resource as "https://graph.windows.net". The expected resource/audience for Microsoft Graph API is "https://graph.microsoft.com". Update your application manifest to include Microsoft Graph as a resource and request the required permissions. Then request token with above mentioned resource/audience.
I am excatly in the same situation as #adarsh hegde. But I am targetting an azure B2C instead.
I can get the token for the windows graph (using resource "https://graph.windows.net"), and I am able to create users whithin my web app that is registered with the right permission.
What I did is to acquire token for graph.microsoft.com on the same time, but this token doesn't let me use invitations giving me the same error as you :
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "91f8129e-70cc-467d-a45b-9309e55788d6",
"date": "2017-02-10T08:46:09"
}
}
}
UPDATE:
So here are the steps that I've done so far:
ADB2C directroy
Web app with OpenID registered in there with required permissions to manage users in the AD following this link
When admin is logged in, the Web app in trusted mode is able to let him manage users (create/add/etc...)
Now what I want to use is the InvitationManager part of the MS graph (graph.microosoft.com) to be able to send invitation mail. can I redeem the code received in the OpenIdConnectAuthenticationNotifications to get access token for the MS graph? knowing that I already do that but for AD graph (graph.windows.net)
Thanks for the help
Related
I'm making a Java application to send Mail as any user in a Microsoft tenant, with Graph APIs, so I'm using the client credentials flow (no login, automatic send).
I've registered an app in Azure AD giving the following application permissions (not delegated), checking out the admin consent for every item:
Mail.Send
Mail.ReadWrite
User.Read.All
For semplicity, I've tried also with calls in Postman, but I have the same issue as in the Java app. I take for granted that I have got a valid access token (If I try with an invalid one, I get a 401: Unauthorized). The following is the decoded access token that I get from https://jwt.ms/, with all the scopes included:
...
"roles": [
"Mail.ReadWrite",
"User.Read.All",
"Mail.Send"
],
...
This is my code in Java:
String user = "/users/<my user id or my user principal name>";
UserRequestBuilder defaultUser = new UserRequestBuilder(graphClient.getServiceRoot() + user, graphClient, null);
//graphClient.me()
defaultUser
.sendMail(UserSendMailParameterSet
.newBuilder()
.withMessage(message)
.withSaveToSentItems(saveToSentItems)
.build())
.buildRequest()
.post();
I can't use the "me" target (me() method) because this is client credentials flow, so there isn't a logged user. I need to specify the sender in this way: /users/{id | userPrincipalName}/sendMail.
This is how the call in Postman is composed:
Method: POST
URL:
.https://graph.microsoft.com/v1.0/users/{my user id or my user principal name}/sendMail
AUTHORIZATION:
Bearer Token (my access token)
HEADERS:
Content-Type: application/json
BODY(JSON):
{
"recipient": <recipient email>,
"subject": "This is a test mail",
"from": <mail that created the tenant, app and access token>,
"text": "This is the messge body..."
}
That's the response from the server (in both Postman and Java app):
STATUS: 405: Method Not Allowed
BODY:
{
"error": {
"code": "Request_BadRequest",
"message": "Specified HTTP method is not allowed for the request target.",
"innerError": {
"date": "2022-08-05T07:17:34",
"request-id": "XXXXXXXX-6075-4d13-83ed-XXXXXXXXXXXX",
"client-request-id": "XXXXXXXX-6075-4d13-83ed-XXXXXXXXXXXX"
}
}
}
Note 1:
I got my user id and my user principal name also with a Postman call using my access token,
exploiting the User.Read.All permission, with the following call:
https://graph.microsoft.com/v1.0/users
That's the response:
...
"userPrincipalName": "XXXXXX_XXXXXX.XXX#EXT##sendClientCredMail.onmicrosoft.com",
"id": "XXXXXXXX-4457-4944-bb22-XXXXXXXXXXXX"
}
]
}
Note 2:
Note that if I use the "principal name" in the call, I get a 405, if I use the "id" instead I get a 404: Not Found
Thanks in advance for any help, I've been trying for hours!
SOLVED
As Optimal said in the comments, the issue was that the user didn't have a licensed mailbox.
When I assigned a "Microsoft 365 Business Premium" license to that user, my code worked fine.
Check the licenses both on portal.azure.com for assignments, and on admin.microsoft.com for the active mailbox
Kind regards
I have been following https://github.com/microsoftgraph/msgraph-sdk-java project for getting all the mails using Microsoft Graph API. This project works fine based on my changed configuration.
However, this follows OAuth authentication and I have to configure redirect url, and while running project, I got authentication code as query param on given url.
I stuck at two points :
How to by pass redirect_url concept, since my application is going to run in background. so, is there any way, I can auto capture this authentication code?
By trading authentication code, I receive access_token having 3600 expiry using below method.
OAuth2AccessToken mAccessToken = mOAuthService.getAccessToken(authCodeFromURL);
In above object, receiving below JSON, which does not have refresh token.
{
"token_type": "Bearer",
"scope": "Files.ReadWrite openid User.Read Mail.Send Mail.ReadWrite",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "encryptedCode",
"id_token": "encryptedCode"
}
I have tried to get the new access token with below method from SDK by using id_token, but it is not working, gives me invalid.
OAuth2AccessToken mAccessToken = mOAuthService.refreshAccessToken(idToken);
Invalid JSON :
{
"error": "invalid_grant",
"error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 03690b71-4056\r\nCorrelation ID: b70a7b7b-963b-4cd6\r\nTimestamp: 2019-05-22 08:24:33Z",
"error_codes": [9002313],
"timestamp": "2019-05-22 08:24:33Z",
"trace_id": "03690b71-4056-49b9",
"correlation_id": "b70a7b7b-963b-4cd6"
}
What is id_token?
How can I refresh this access_token? Or Is there any other way/method to do it?
Kindly note, I am looking for solution with Java SDK.
I am trying to integrate the YELP API within an application in Android Studio. I am trying to acquire an access token using a post request in Postman. However, when I send the post request I get this error returned in JSON format:
{
"error": {
"code": "VALIDATION_ERROR",
"description": "'client_credentials' is not one of ['authorization_code', 'refresh_token']",
"field": "grant_type",
"instance": "client_credentials"
}
}
I have searched this site and google for what the description line means in particular:
"description": "'client_credentials' is not one of ['authorization_code', 'refresh_token']",
I have not been able to find any results as to what this error means. Here is my project setup in postman:
I simply copy and pasted my client ID and API key from yelp and stored them within the client_id and client_secret in Postman respectively. When I send this requestion I get the 400 Bad Request error and find out that its a validation error. At first I thought that I entered the wrong API key, however, I refreshed the API key and directly copy and pasted it, so I am confident that my API key and client ID are correct. The output should look like this and it should deliver an access token:
I couldn't find any examples that had this specific error message.
You no longer need a refresh token, all you need is an API key in your Authorization header:
Authorization: Bearer {{apiKey}}
Source: https://www.yelp.com/developers/documentation/v3/authentication
I am trying to get posts of specific Facebook brand page using following curl command
https://graph.facebook.com/v2.10/me/photos?access_token=xxx
Getting following error
{
"error": {
"message": "An active access token must be used to query information about the current user.",
"type": "OAuthException",
"code": 2500,
"fbtrace_id": "DH1T17dMqR+"
}
}
I have used following curl command to get active access token https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=XXX&client_secret=YYY
Facebook app have been created by page admin and client ID & client secret used to get app access token.
Earlier we are using page-id instead of "me" identifier to get the post using above curl and it was working fine for specific facebook account.
Where page-id is id of specific facebook page whose post you want to get.
Now, same configuration is not working for other page.
The page is most likely restricted by age or location, so you have to use a User Token or Page Token for /page-id/photos.
More information about Tokens:
http://www.devils-heaven.com/facebook-access-tokens/
https://developers.facebook.com/docs/facebook-login/access-tokens/
I am new to the Facebook API. What I am trying to do without success is from my laptop create a new access token for myself through the Facebook API.
Below is the URL I am using to create this new access token:
String url = "
https://graph.facebook.com/oauth/authorize?client_id=##########&client_secret=##########&redirect_uri=http%3A%2F%2Fintelligentretrieval.com"
When I use my client id and then the client_secret (I assume this is the client password) then I get an error
{
"error": {
"message": "Missing redirect_uri parameter.",
"type": "OAuthException",
"code": 191
}
}
What exactly is the problem with this and the reason for the error?
Facebook requires a redirect_uri so I decided to dot it to my company site home page.(I figure this isn't the best place to redirect it but where should I redirect this?)
I want to redirect the result (generated access token) to my laptop from where I am making this URL request.
What exactly is the problem with this?
Is this possible with a browser like Chrome?
Is this possible using java?
Also is it possible to extend the access token expiration to 60 days with this url?
Please let me know if there is any confusion with any part of this post or if the answer can be found elsewhere.