Office 365 v2 API Authorization code is malformed or invalid
I have the following auth code, copied from the browser, for a user who granted our app access to their Office 365 email.

code=OAQABAAIAAADRNYRQ3dhRSrm-4K-adpCJ3J3UJ8GyC2qJDvNhlrUAObjph6sQ3A9waeQ5Tr-DA6WzxCdFbvadCRJw2S4a_lwA7MyelZWAPQZOlaB_X_1165CbmTXJMGioU6Cr0DhVTUzIlUv_-Svjp8DBrLVCxcDp5rJMM5mDNR0iGysuDIozWnOaPqCOl35NxPzyktrYK6D1MBptmXOPbhS-stTZXbHJr9gGE3FHzMU0XANXmTm30q4SPaoWPch-S1uFFL4xwS2oUv-lELBdcfIGh5UJBSraabGihVWUnbwBhh8eURSMRwryi7kubUcq0D27S-vIVZhtKopemQ1njAcExO58S7EgAyqbIzMxvmBXBe0X1ieVrcyHYRpt4ZAq1Z4v5HLTrYhx5fGp6AkqhV09yri3bqXaZvw5R1hKuhAbRDt_isZn_L8ZEhfwnqICGUwpDU27c6Qd1txuiOVY90a4BiAUh1M1u5gjDx8nIE88R7S915w7mUjJtCzZuTKQavve8q8UOtm9udUvBOX1f-bYslpgiIRbdSYBYlP9UrbreLS1W6OFk2NX-uqp9mabyImvvj1RUm166qV6uc9hsuhzrfErDURC17JotuQBSWYauAvb38p5B-cDbsCZafpyORlbrWsYyQcdWwUPL0aOZEQXFW-v3gDw7Xri_9hvsiHrj10NTaaozqm1QpZmMf-SHJ0yF9wBWKYgAA

The application works without a problem if we are using the Microsoft Graph REST API v1, but the following problem happens when using version 2. It is registered with delegated permissions that grant us Read and Write/Send permissions, which work fine with V1 of the application.

For V2: authority = https://login.microsoftonline.com/common/oauth2/v2.0/token, and to retrieve the auth code I use the following URL

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=30..7&response_type=code&scope=mail.read&redirect_uri=https://myurl:8443/controller/saveToken

Code block causing the issue:

    import java.net.MalformedURLException;
    import java.net.URI;
    import java.net.URISyntaxException;
    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;

    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;
    import com.microsoft.aad.adal4j.ClientCredential;

    @Override
    public AuthenticationResult getToken(String authCode) {

        // adal4j runs the token request on this executor; one thread is enough here
        ExecutorService service = Executors.newFixedThreadPool(1);
        OfficeCredentials credentials = getCredentials();

        try {
            // getAuthority() is set to the v2.0 token URL; validateAuthority = true
            AuthenticationContext context = new AuthenticationContext(credentials.getAuthority(), true, service);
            // redeem the code copied from the browser, authenticating as the app with its client secret
            final Future<AuthenticationResult> resultFuture = context.acquireTokenByAuthorizationCode(
                    authCode, new URI(credentials.getRedirectUri()), new ClientCredential(credentials.getClientId(),
                            credentials.getClientSecret()), credentials.getResourceUrl(), null);

            return resultFuture.get(); // throws ExecutionException wrapping the AuthenticationException below

        } catch (URISyntaxException e) {
            logger.error(e.getMessage());
        } catch (MalformedURLException e) {
            logger.error(e.getMessage());
        } catch (Exception e) {
            logger.error(e.getMessage());
        } finally {
            service.shutdown(); // do not leak the worker thread on every call
        }

        return null;
    }

Exception when resultFuture.get() is called

java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid.\r\nTrace ID: c37b4aba-c5fb-44f3-815c-dd798072095d\r\nCorrelation ID: e190ccd2-f98a-440c-8e79-69cfcead3c04\r\nTimestamp: 2017-02-06 17:53:30Z","error":"invalid_grant"}

I don't know what I am doing wrong as I am trying to migrate to v2. redirect_uri is the same as defined in Azure and it is HTTPS. I already made my local environment accept HTTPS by following this. FYI: I am using the adal4j Java library.

Cule answered 6/2, 2017 at 18:1 Comment(5)
Did you register a new V2 application for use on the V2 endpoint? To my knowledge, you cannot use the same app on the V1 and V2 endpoints. Juryrig
@ShawnTabrizi I created a new app for that purpose, but where do you tell the app you are working with that it is v2 or not? Cule
You can only register V2 applications using the App Registration Portal as noted here. You will see them under the application section called "Converged Applications" versus "Live SDK Applications", which are MSA-specific apps, or "Azure AD only applications", which are V1 apps. Juryrig
Yes, that's what I did. Cule
I repeated the same procedure with a new app. No luck at all. It's just frustrating. Cule
At present, the adal4j library doesn't support the Azure AD v2.0 endpoint (refer here). Even if we set the authority to the v2.0 endpoint, it still uses the old one.

As a workaround, you may compose the HTTP request directly. Here is a sample request for your reference (refer here):

POST: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

client_id={clientId}&client_secret={clientSecret}&scope={scope}&code={authorizationCode}&grant_type=authorization_code&redirect_uri={redirectUri}

And if you want the adal4j library to support the Azure AD v2.0 endpoint, you can submit feedback here.

Gene answered 7/2, 2017 at 7:28 Comment(9)
This works great but only brings back an access token, no refresh token. Where do I get that? Cule
@Cule you need the offline_access scope to get a refresh token back. Ytterbium
Another problem now: I used the following command to get emails for a user who subscribed for v2: "curl -i graph.microsoft.com/v2.0/me/messages -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Bearer token...'". Now this replies back with invalid version. All the examples on the Microsoft site use outlook.office.com/v2.0/me/messages, so I gave this one a try and I received a message saying we can't display this content. I am a bit lost on what to do on this. Cule
The URL contains https even if SO removed it from the comment. Cule
More details on the user: the user has an Azure AD account on office.com, so it's a company email address. I used the same email to register the app as well. So this user is not an Outlook user but the same user which exists in the same AD. Cule
Second issue: for another email which is outside the same AD, I received the following auth code "M318eb27d-ef61-dea3-47a2-58e00dd5ab8b", which is somehow shorter than what I used to see, and I couldn't get an access token for this person (returns Bad Request). I could ask on a new thread but I just get frustrated asking questions for every single issue, as there is no reference I could look into. Cule
@Fei Xue, any thoughts on this? Cule
There is only one release version (v1.0) and a beta version of Microsoft Graph. For the issue of not being able to get the access token, is there any detailed error message? In addition, for the new issue, I still suggest opening a new thread so that others in the community who have the same issue can recognize it and share their experience quickly. Gene
@Cule we offer dozens of code samples for help with Azure AD that may serve as a good reference. Try github.com/azure-samples and search for active-directory- and you'll get a bunch. Alternatively, to see the entire set of docs, go to aka.ms/aaddev. Ytterbium
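The workaround in the accepted answer (posting the form directly to the v2.0 token endpoint) and the follow-up about offline_access, worked through as an added example. This is not code from the thread or from adal4j; it is a small Python client that builds the authorize URL, checks the state value on the callback, posts the authorization-code grant and parses the reply. The client id and secret are placeholders, the redirect URI and "common" authority are taken from the question, and fake_token_endpoint is a constructed stand-in for login.microsoftonline.com so the flow can be run offline; its error body mirrors the invalid_grant / AADSTS70000 reply quoted above.

```python
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# 'common' authority and redirect URI as in the question; client id/secret are
# placeholders (assumption) to be replaced with the app registration's values.
AUTHORITY = "https://login.microsoftonline.com/common"
AUTHORIZE_URL = AUTHORITY + "/oauth2/v2.0/authorize"
TOKEN_URL = AUTHORITY + "/oauth2/v2.0/token"
REDIRECT_URI = "https://myurl:8443/controller/saveToken"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "replace-me"
# v2.0 scopes: a Graph permission without a resource prefix defaults to Microsoft
# Graph; offline_access is what makes the token endpoint return a refresh_token.
DEFAULT_SCOPES = ("https://graph.microsoft.com/Mail.Read", "offline_access")


class TokenError(Exception):
    """Raised when the endpoint answers with an OAuth error object instead of tokens."""
    def __init__(self, error, description):
        super().__init__(error + ": " + description)
        self.error = error
        self.description = description


def new_state():
    # Unguessable per-login value; keep it in the user's session and check it on callback.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scopes=DEFAULT_SCOPES):
    params = {"client_id": client_id, "response_type": "code", "response_mode": "query",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect; refuse it if state does not match (CSRF guard)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the callback we asked for")
    if "error" in query:
        raise TokenError(query["error"][0], query.get("error_description", [""])[0])
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, scopes=DEFAULT_SCOPES):
    """The form body from the answer: grant_type=authorization_code plus an explicit scope."""
    body = {"client_id": client_id, "client_secret": client_secret, "scope": " ".join(scopes),
            "code": code, "grant_type": "authorization_code",
            "redirect_uri": redirect_uri}  # must equal the redirect_uri sent to /authorize
    return TOKEN_URL, urllib.parse.urlencode(body).encode("utf-8")


def parse_token_response(body_text):
    """AAD reports failures as HTTP 400 with a JSON error object (e.g. invalid_grant)."""
    data = json.loads(body_text)
    if "error" in data:
        raise TokenError(data["error"], data.get("error_description", ""))
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),  # None unless offline_access granted
            "expires_in": int(data.get("expires_in", 0)),
            "scope": data.get("scope", "")}


def urllib_post(url, payload):
    """Real transport: POST the form and return the body even on a 4xx status."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8")  # the AADSTS details live in the body


def fake_token_endpoint(url, payload):
    """Constructed stand-in for the token endpoint so the flow runs offline."""
    fields = dict(urllib.parse.parse_qsl(payload.decode("utf-8")))
    if fields["code"] == "malformed":
        return json.dumps({"error": "invalid_grant", "error_description":
                           "AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid."})
    reply = {"token_type": "Bearer", "scope": fields["scope"], "expires_in": 3599,
             "access_token": "constructed-access-token"}
    if "offline_access" in fields["scope"].split():
        reply["refresh_token"] = "constructed-refresh-token"
    return json.dumps(reply)


def exchange_code(client_id, client_secret, code, redirect_uri, scopes=DEFAULT_SCOPES, post=urllib_post):
    url, payload = build_token_request(client_id, client_secret, code, redirect_uri, scopes)
    return parse_token_response(post(url, payload))


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, state))
    print(exchange_code(CLIENT_ID, CLIENT_SECRET, "code-from-callback", REDIRECT_URI, post=fake_token_endpoint))
```

Pass the real urllib_post (the default) once the placeholders are filled in; the error branch returns the body of a 400 response so the AADSTS code is visible instead of a bare HTTPError. Drop offline_access from the scope list and the reply carries no refresh_token, which is the behaviour the comments describe. The resulting bearer token is for Microsoft Graph, which only has v1.0 and beta, so it goes to https://graph.microsoft.com/v1.0/me/messages rather than a v2.0 path.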

© 2022 - 2024 — McMap. All rights reserved.