AADSTS5002710: Invalid JWT token: header is malformed
I am trying to implement the "On-Behalf-Of" flow between my Client (ReactJS), Express + Node.js server (API), and Microsoft Graph.

So far I have requested an accessToken from microsoft (Client), and have made a request to my API.

I have run into the error "AADSTS5002710: Invalid JWT token: header is malformed." when I try to make an Axios POST request from my API to https://login.microsoftonline.com/tenantID/oauth2/v2.0/token

Full Error:
{
  error: 'invalid_request',
  error_description: 'AADSTS5002710: Invalid JWT token: header is malformed.\r\n' +
    'Trace ID: 068a382b-6f83-40f6-b1b1-7134223f4500\r\n' +
    'Correlation ID: f46a2c03-84e8-46b3-b9d6-467174befa0b\r\n' +
    'Timestamp: 2021-01-06 16:26:40Z',
  error_codes: [ 5002710 ],
  timestamp: '2021-01-06 16:26:40Z',
  trace_id: '068a382b-6f83-40f6-b1b1-7134223f4500',
  correlation_id: 'f46a2c03-84e8-46b3-b9d6-467174befa0b'
}

The body of my request is according to the tutorial "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow".

I am constantly getting the error above as the result from microsoft online servers.

I have made the original (Client) request with my own custom scope
api://54ee17f...cfe06/Access.Test

Helotism answered 6/1, 2021 at 16:51

Comment: I had "assertion=Bearer {accessToken}" instead of just "assertion={accessToken}"; removing the "Bearer " fixed the problem. (Helotism)
I followed the tutorial to use the On-Behalf-Of flow in Postman, and it works well.

My steps here:

  1. Add the API permission of Web API B to Web API A.

  2. Request Web API A to get an access token (the assertion for the next step) with the auth code flow:

GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
    ?scope={like api://1108f6-xxxxxxx-9f622/test} openid
    &redirect_uri={redirect_uri of Web API A}
    &nonce=123
    &client_id={client-id of Web API A}
    &response_type=id_token token

  3. Request Web API B to get the access token for the Microsoft Graph API:

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
    &client_id={client_id of Web API B}
    &client_secret={client_secret}
    &assertion={access token from previous step}
    &scope=https://graph.microsoft.com/user.read offline_access
    &requested_token_use=on_behalf_of

  4. Call the Microsoft Graph API, like GET https://graph.microsoft.com/v1.0/users.

You could decode your access token (assertion) at https://jwt.io/ and check the HEADER.

Joellejoellen answered 7/1, 2021 at 7:47

Comment: Thanks Pamela, this makes it much clearer for me to understand. The problem was that I had "Bearer {accessToken}" as my assertion, which was causing errors. Once I removed that it is now working as expected. Thanks again. (Helotism)
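The fix in the accepted comment and the four-step procedure in the answer above can be reproduced server-side in a few lines. The following is an added example, not code from the question or either answer: it takes the Authorization header that the React client sends to the Express API, strips the HTTP "Bearer " scheme so that the bare compact JWT goes into the assertion parameter, checks locally that the JOSE header decodes before anything is sent to Azure AD, and builds the form-encoded On-Behalf-Of request exactly as the answer's POST shows it. The token, client IDs, tenant and scope values are constructed placeholders; the only network call (requestOboToken) is defined but not executed, so the block runs offline under Node.js 18 or newer with no dependencies.

```javascript
// Added example for the On-Behalf-Of (OBO) flow; not from the original Q&A.
// Demonstrates why "assertion=Bearer <jwt>" yields AADSTS5002710 and how to
// build the request correctly. All identifiers below are constructed placeholders.

const TOKEN_ENDPOINT = (tenant) =>
  `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`;

function base64UrlEncode(input) {
  return Buffer.from(input, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // Reject anything outside the base64url alphabet. "Bearer eyJ..." fails here
  // because of the space, which is what AAD reports as "header is malformed".
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error('segment is not base64url');
  }
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Strip the HTTP authentication scheme. The assertion parameter wants the bare
// compact JWT, never the "Bearer <jwt>" form that arrived in the header.
function extractBearerToken(authorizationHeader) {
  const match = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || '');
  if (!match) throw new Error('missing or non-Bearer Authorization header');
  return match[1];
}

// Decode and sanity-check the JOSE header of a compact JWT (header.payload.signature).
// This mirrors what jwt.io shows under HEADER and what AAD parses first.
function decodeJwtHeader(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly three segments');
  let header;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
  } catch (e) {
    throw new Error(`JWT header is malformed: ${e.message}`);
  }
  if (typeof header.alg !== 'string') throw new Error('JWT header lacks alg');
  return header;
}

// Build the OBO token request body (application/x-www-form-urlencoded),
// matching the POST in the answer above. Fails fast locally on a bad assertion
// instead of round-tripping to login.microsoftonline.com.
function buildOboRequestBody({ clientId, clientSecret, assertion, scope }) {
  decodeJwtHeader(assertion);
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion,
    scope,
    requested_token_use: 'on_behalf_of',
  });
}

// Exchange the assertion for a downstream (Graph) token. Not invoked in the
// demo because it needs network access and a real client secret.
async function requestOboToken(tenant, body) {
  const res = await fetch(TOKEN_ENDPOINT(tenant), {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json; // access_token here is the one to send to graph.microsoft.com
}

// Constructed sample token. Real AAD tokens are RS256-signed; the signature
// segment is a placeholder so this stays offline (do not reuse as a validator).
function constructedSampleJwt() {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' }));
  const payload = base64UrlEncode(JSON.stringify({ aud: 'api://constructed-api-app-id', scp: 'Access.Test' }));
  return `${header}.${payload}.${base64UrlEncode('constructed-signature')}`;
}

// Demo: the wrong way (header value passed straight through) and the right way.
function demo() {
  const incoming = `Bearer ${constructedSampleJwt()}`;
  const results = { wrongRejected: false, rightHeader: null };
  try {
    decodeJwtHeader(incoming); // the mistake from the question
  } catch (e) {
    results.wrongRejected = /malformed/.test(e.message);
  }
  results.rightHeader = decodeJwtHeader(extractBearerToken(incoming));
  return results;
}

console.log(demo());
```

In a real Express handler the flow is `extractBearerToken(req.headers.authorization)` followed by `buildOboRequestBody(...)` and `requestOboToken(tenant, body)`; the local header check is only a structural guard, so the API must still validate the incoming token's signature, audience and expiry with a proper JWT library before trusting it.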
The answer above is absolutely correct. I don't have enough reputation to comment, but I've been spinning my wheels on this for a while and this is the only response I have seen out there that makes any sense of this.

For folks who are working on Microsoft custom Outlook add-ins and trying to do SSO: you will find that the access token they give you, even though it should work for Graph, does not. You must use that token to then authenticate on the backend and get a different access token, with which the server makes the Graph call on behalf of that user. The explanation of how to do this in the answer above is exactly everything you need. If you are like me and built the add-in with no server backend, you can just make an Azure Function or Logic App workflow to make the Graph call as the user.

Fortna answered 12/5, 2023 at 21:31

© 2022 - 2024 — McMap. All rights reserved.