azure-active-directoryaccess-tokenaudiencetarget-audience

"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."


we are trying to access a sharepoint api securely using azure oauth2. we got the bearer token but while accessing sharepoint rest api, we are getting Status code: 401 Unauthorized and Response: {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}

  1. We have registered a client application in azure AD
    • a. Defined redirect uri in authentication
    • b. Mapped access roles to service user account
    • c. Defined client secret
    • d. Defined API permissions and admin consent has been provided

Token Endpoint: https://login.microsoftonline.com/66395830-4e70-4a10-8f30-225fe9afd23b/oauth2/v2.0/token

Method: POST Body parameters: scope:https://66395830-4e70-4a10-8f30-225fe9afd23b.sharepoint.com/.default redirect_uri:https://cscglobal.sharepoint.com/teams/uatCLSService/BusinessLicense/KB/_api/Web/lists grant_type:client_credentials ( note: we have also tried with password and authorization_code values by passing respective parameters ) client_secret:XXXXXX client_id:XXXXX


Solution

  • I think you may set the scope in a wrong way. As far as I know, it should be https://yourSite.sharepoint.com/.default or detailed scope, such as: https://yourSite.sharepoint.com/Sites.ReadWrite.All

    And now it is suggested to use Microsoft Graph API to manage your sharepoint site.

    It provides a unified programmability model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security.