Why am i getting an invalid access token from On-behalf-of-flow

Question

Why am i getting an invalid access token from On-behalf-of-flow

Yatin Tripathi 20

When I am using On-Behalf -Of-Flow and hitting /token endpoint with "common" tenant and word as middletier token as assertion with scopes as "openid profile offline_access user.read" i get a malinformed token , but it works for /me endpoint of microsoft graph, but not works for other microsoft api's such as GetAllFolders api etc.

{
  token_type: 'Bearer',
  scope: 'User.Read openid profile',
  expires_in: 2148,
  ext_expires_in: 2148,
  access_token: 'EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy/KWYLLdVH0vH5mX0MiAuWOx+gxF.............................................................................................................................................................................................................................................9bsbChhpSgTqaDAn2/5e2ol0e+jVUfSFYGNfr45kqBZUoB32Q2HFI1p8wpIdQPOMXfQI=',
  refresh_token: 'M.C105_BAY.-CW5CZWj8ujA1gjI*WNj2u.........................................................................................................................................Ld5Mv40fbrVowHZdbrDkTPFTaKFidgiAN!qZhx472zJNxxnW0iVOFfQqNtU$',
  id_token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJS.........................................................................................................................................................................................................................83ZPxcotsRG-wGV30ULbnXyI8PFg'
}

Normally a accessToken starts with "ey..." , when we add more scopes we get different responses such as :-

{
  error: 'invalid_grant',
  error_description: "AADSTS500202: User account '{EmailHidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint.\r\n" +
    'Trace ID: 5cc0f975-7e48-4a20-87b1-12dbec691300\r\n' +
    'Correlation ID: 027cda66-c8cf-41a8-9aa6-328244611c8a\r\n' +
    'Timestamp: 2023-05-18 12:14:01Z',
  error_codes: [ 500202 ],
  timestamp: '2023-05-18 12:14:01Z',
  trace_id: '5cc0f975-7e48-4a20-87b1-12dbec691300',
  correlation_id: '027cda66-c8cf-41a8-9aa6-328244611c8a'
}

Accepted answer

0 additional answers

Your answer

Answer 1

Zehui Yao_MSFT 5,876

Hi Yatin Tripathi ,access Token that start with "Ew..." mean that the user you're logged in with is a personal Microsoft account, since common allows Microsoft accounts and work or school accounts to sign in. Hope this helps Best Wishes.

User's image

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Yatin Tripathi 20 Reputation points

2023-05-19T02:51:24.96+00:00

Hi @Zehui Yao_MSFT if this is a valid token then why I am not able to hit graph API's with it, the only Api which I was able to hit with this token was /me endpoint of Microsoft graph.
Zehui Yao_MSFT 5,876 Reputation points

2023-05-19T03:22:41.2766667+00:00

Hi, what is the endpoint of the request you need at the moment? Since some endpoints may not support personal delegated permission. Or your account is missing authentication for certain products.
Yatin Tripathi 20 Reputation points

2023-05-19T03:28:29.27+00:00

@Zehui Yao_MSFT I am trying to share two documents, using the share api, also I am using open XML and created an api for comparing two word documents, but apart from these I tried hitting Api to get all the folders using graph SDK, but I am getting error " Invalid Api or resource", I want to hit these APIs from my add-in taskpane

Yatin Tripathi 20

@Zehui Yao_MSFT Do you mean that I cannot use this token :


  access_token: 'EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy/KWYLLdVH0vH5mX0MiAuWOx+gxF.............................................................................................................................................................................................................................................9bsbChhpSgTqaDAn2/5e2ol0e+jVUfSFYGNfr45kqBZUoB32Q2HFI1p8wpIdQPOMXfQI=',

to call microsoft graph api's???

Zehui Yao_MSFT 5,876 Reputation points

2023-05-19T05:52:13.19+00:00

Hi, would you mind provide the URL you are requesting?

Yatin Tripathi 20

@Zehui Yao_MSFT

https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/children

scopes : -

user.read openid profile offline_access Sites.readWrite.All

{
    "error": {
        "code": "invalidRequest",
        "message": "Invalid API or resource",
        "innerError": {
            "date": "2023-05-19T06:06:30",
            "request-id": "615ebd9f-1f5c-4723-9dda-8e52e328f1e3",
            "client-request-id": "615ebd9f-1f5c-4723-9dda-8e52e328f1e3"
        }
    }
}

Zehui Yao_MSFT 5,876 Reputation points

2023-05-19T07:28:44.58+00:00

Hi, according to the documentation, currently list sites endpoint does not support delegated personal permission. So maybe that's the cause of the problem,

I also tested it locally, and the same account returns different results under different {tenant} value.
Yatin Tripathi 20 Reputation points

2023-05-19T07:44:13.66+00:00

@Zehui Yao_MSFT thank you for looking into it, this is exactly the same responses which I am getting from different "tenant" value , I wanted to use for personal accounts , looks like it doesn't work according to your response and documentation.

Share via

Why am i getting an invalid access token from On-behalf-of-flow

0 additional answers

Your answer