Solved

Microsoft Graph - Invalid Audience / Missing Scope

  • 25 January 2023
  • 7 replies
  • 92 views

Userlevel 5
Badge +5
  • Thinkwise Local Partner Brasil
  • 218 replies

Hi. I have been fiddling around with getting a token for the Microsoft Graph API. 

I want to read an email box from a fixed user and use it in an application. So I went to the AD portal, registered the App et cetera.  

  • When I use the v2 OAuth URIs then I get an error:
    "invalid_request
    AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request."
  • When I use the v1 OAuth URIs then I get a token, but whenever I try to request a resource I always get the message:
    "message": "Access token validation failure. Invalid audience."

I really don't understand what the solution is.

How should I set this up?


Best answer by Freddy 25 January 2023, 12:43


7 replies

Userlevel 5
Badge +2

@Freddy Are you trying to get it working from within Thinkwise or something like Insomnia/Postman at this stage?

If from within Thinkwise: we have it working for a while now, and while reviewing our IAM I happen to notice that the Scope and Prompt columns of the table gui_appl_oauth_server are no longer visible in IAM (2022.2). Normally you could set the Scope there. Alternatively you can set the Scope in the OAuth login connector input parameters. Most likely the Scope should at least contain offline_access and potentially openid. I presume you have the Microsoft documentation at hand: https://learn.microsoft.com/en-us/graph/auth-v2-user

@Dick van den Brink Is it on purpose that those fields are no longer visible in IAM?


Userlevel 4
Badge +1

@Arie V, I tried opening an old IAM 2021.2 and 2022.1 but in both cases the scope and prompt were not visible in IAM on that screen. I don't know if anything changed in this area recently.


@Freddy, did you see the documentation here about connecting to the graph api: link.

It would be good to know if you configured Delegated permissions or Application permissions on your App Registration.
The question from Arie is also very good (Thanks Arie!). 


Userlevel 5
Badge +2

I see where I might have gotten confused. We did set the Scope and Prompt setting in the SF (Project > Project versions > OAuth servers) and only touched IAM for the Client ID and Secret override so far.

Still interesting why those two options cannot be overridden in IAM though. @Mark Jongeling Would you happen to know why those fields are not available in the GUI?


@Freddy I see that the Thinkwise documentation on OAuth servers does not mention anything about Scope, so let's hope the simple solution for you is to indeed add a Scope value there.

@Dick van den Brink Might be worth updating the docs accordingly.

Userlevel 5
Badge +5

@Arie V @Dick van den Brink I got it working using that document link with direct application access so that will help me for now. But I would like to have as follows:

I would like the delegated option in combination with Self-Service. For this reason I was trying the OAuth server settings in the SF, and there I got these errors, and I noticed it didn't give me the consent popup.

Any tips on this?   


Userlevel 5
Badge +2

@Freddy This blog from Dick (and my various comments below it) might help you get the Delegate option working.

Are you using the Universal GUI or the Windows GUI? The OAuth Login connector with the Consent pop-up screen does not yet work in the Universal GUI. Instead we use Insomnia to perform the initial login and get the Authorization and Refresh token. We added those manually in our Application and use the Authorization token in a Process Flow with a regular HTTP Connector.

In addition we use a separate Refresh process flow to update the tokens every 29 minutes, instead of a combined process flow as used in the Blog.

I see that my reference to an Insomnia screenshot from Vincent in one of my comments no longer works. Herewith a screenshot from my Insomnia. We use the MS Graph API specifically for a scenario to send notifications to MS Teams, therefore the Chat.Create and ChatMessage.Send values are included in the Scope.


EDIT: the above solution works for us, as we only have a single ‘Automation’ user from which we send those Teams notifications. Due to the lack of support of the OAuth login connector in Universal GUI it is not yet very feasible to have regular end users grant permissions and work with the MS Graph API. According to the latest Universal GUI Release Notes support for this Process action is to be expected with the next Release.

Userlevel 5
Badge +5

Thanks @Arie V ! 

I'll first make it work with the direct access and then, hopefully, when Universal supports the OAuth login connector I can change it to a self-service scenario.

Userlevel 5
Badge +4

The upcoming Universal release will offer support for the OAuth connector, which will hopefully make this a lot easier for you guys.

This release is expected to be released tomorrow as a beta release versioned as 2023.1.12-b1.
