Unable to use access_token acquired from logged in your session id_token to consume graph API to get current user photo

dixitaro-MSFT 196 Reputation points Microsoft Employee
2020-02-14T03:51:55.15+00:00

As stated, tried to use access_token acquired from user session id_token. But when trying to use the access token it's giving below error message.

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 80049217",
    "innerError": {
      "request-id": "<>",
      "date": "2020-02-11T15:46:32"
    }
  }
}

Here is the Graph API URL I tried to pass the access token as an authorization header

https://graph.microsoft.com/v1.0/me/photo

But, the same graph API URL is working when tried from Microsoft graph explorer.

Appreciate any help.

Thanks

Microsoft Entra ID

3 answers

  1. FrankHu-MSFT 976 Reputation points
    2020-02-14T21:01:53.53+00:00

    How did you get the ID_Token? What are the claims in the id token? You can decode JWT Tokens here: https://jwt.ms/

    It's most likely not the access token. You probably followed the auth code flow and got an id token back and an auth code, but the access token is different. This is retrieved from the token endpoint. In addition to that, trying to skim the token from the browser's graph explorer is not a valid way to get an access token.

    Please follow a proper authentication protocol with a client id and client secret to get a proper access token. For more information on this see the below docs.

    For more information on how this flow works see:

    https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

    An easy tutorial on how to get an access token and make a call to the Microsoft Graph API can be found here: https://learn.microsoft.com/en-us/archive/blogs/aaddevsup/using-postman-to-call-the-microsoft-graph-api-using-authorization-code-flow


  2. siva pokuri 21 Reputation points
    2020-02-21T19:30:05.5+00:00

    Dear @FrankHu-MSFT

    Thanks for your reply.

    And you are correct. I got the id_token with the end user authentication.

    Now, I would like to get my photo from graph API. For that I need an access_token (which is authorized to call Graph API).

    I know that I can get the access token directly by providing client id & client secret. And I tested also. But, that will not get my photo from Graph API URL https://graph.microsoft.com/v1.0/me/photo/$value

    Question is that how can I acquire access_token from my user session or id_token?

    Thanks in advance.

    Thanks
    Siva


  3. Joseph Flack 1 Reputation point
    2020-12-28T00:51:47.327+00:00

    Same problem.

    In my browser, I paste:
    https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=token&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&scope=onedrive.readwrite

    I got back:

    https://login.live.com/oauth20_desktop.srf?lc=1033#
    access_token=ACCESS_TOKEN
    &token_type=bearer&expires_in=3600&scope=onedrive.readwrite
    &user_id=USER_ID
    

    I'm now trying to paste the following in the browser:
    https://graph.microsoft.com/v1.0/me/drives&access_token=ACCESS_TOKEN

    Is this the correct param name? access_token? I can't find in the docs what I should type, but I've tried several things.

    Response:

    {
      "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token is empty.",
        "innerError": {
          "date": "2020-12-28T00:46:50",
          "request-id": "b6fc7905-c2c6-4fd8-9ecd-627b20552875",
          "client-request-id": "b6fc7905-c2c6-4fd8-9ecd-627b20552875"
        }
      }
    }
    
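
The distinction drawn in the answers above, as an added example that is not part of the thread and not Microsoft's code: a local diagnostic that reads a token's `aud` and `scp` claims to tell an id_token or a client-credentials token apart from a delegated Graph access token, and sends the token only in the `Authorization` header. It assumes work or school account tokens in JWT form; the function names and the sample claims are constructed for illustration.

```python
import base64
import json

# Audience values seen in Microsoft Graph access tokens (URI form and Graph's app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def classify_token(token, client_id):
    """Classify a token by what it may be used for against Graph /me."""
    try:
        claims = jwt_claims(token)
    except ValueError:  # also covers bad base64 and bad JSON
        return "not-a-jwt"
    aud = claims.get("aud")
    if aud == client_id:
        return "id-token"         # audience is the app itself, not Graph
    if not isinstance(aud, str) or aud not in GRAPH_AUDIENCES:
        return "other-audience"
    if "scp" not in claims:
        return "app-only"         # client-credentials token: no user behind /me
    return "delegated-graph"

def graph_me_request(token, client_id, path="/me/photo/$value"):
    """Build the Graph call, token in the Authorization header only."""
    kind = classify_token(token, client_id)
    if kind != "delegated-graph":   # assumption: work/school JWT tokens
        raise ValueError("refusing to send a %s token to Graph" % kind)
    return {"url": "https://graph.microsoft.com/v1.0" + path,
            "headers": {"Authorization": "Bearer " + token}}

def make_sample_jwt(claims):
    """Constructed, unsigned sample token for the checks above."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])
```

The classification is a troubleshooting aid, not token validation: signature and issuer checks remain the job of the API that receives the token.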