OneDrive/SharePoint OAuth invalid audience error
My goal is to write code that enables an Office 365 user to access files in OneDrive for Business via the REST API. I have registered an application in Azure AD (web app / multi-tenant) and added permissions to access SharePoint Online. I want to use the "delegated user identity OAuth" scenario, in which the app accesses OneDrive for Business via the REST APIs using user impersonation.
The permissions in the app's manifest look like this:
    "oauth2Permissions": [
      {
        "adminConsentDescription": "Allow the application to access AppName on behalf of the signed-in user.",
        "adminConsentDisplayName": "AppName",
        "id": "xxx",
        "isEnabled": true,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allow the application to access AppName on your behalf.",
        "userConsentDisplayName": "AppName",
        "value": "user_impersonation"
      }
    ]
The app asks the (OneDrive for Business) user to log in to Office 365, receives an authorization code (sent to the registered redirect URL), and uses it to retrieve an access token (via a POST to the app's token endpoint). The "aud" field in the returned JWT is set to the client ID. Should it be "00000003-0000-0ff1-ce00-000000000000" (SharePoint Online) instead?
When I try to issue a request to https://{tenant}-my.sharepoint.com/_api/v1.0/me/ using the access token as a bearer token in the request header, I get a 401 error: "error: invalid client", "error: invalid audience uri:https://{tenant}-my.sharepoint.com/". This points to a configuration error somewhere, but I cannot figure out what needs to change.
aud = the audience of the token. When the token is issued to a client application, the audience is the client_id of the client. You might want to try using the Discovery Service API to check the service endpoints (https://msdn.microsoft.com/en-us/office/office365/howto/discover-service-endpoints). The error shows that the audience URI is invalid, so the service might not be running on the URL you are calling (i.e. https://{tenant}-my.sharepoint.com/_api/v1.0/me/). Following the link above should isolate the problem. Hope this helps.
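Added example (editor's addition, not code from the question or the answer above): a small Python diagnostic that decodes an access token's payload and compares its "aud" claim with the resource URI the request is going to, which is exactly the mismatch the 401 "invalid audience uri" error reports. In the Azure AD (v1) authorization code flow the access token's audience is set by the resource parameter of the token request, so a token whose "aud" is the app's own client ID is not accepted by SharePoint Online. The token below is a constructed sample with a placeholder signature, not a real Azure AD token; {tenant}, {tenant-id} and {client-id} are placeholders in the notation of the question. The helper does not verify the signature, so it is only for inspecting a token you have just obtained yourself.

```python
import base64
import json

# Constructed placeholders in the notation of the question; not real values.
TENANT_RESOURCE = "https://{tenant}-my.sharepoint.com/"
CLIENT_ID = "{client-id}"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(aud) -> str:
    """Build a constructed, UNSIGNED sample token so the check can be exercised.

    Real Azure AD access tokens are RS256-signed; the third segment here is a
    placeholder, not a signature. `aud` may be a string or a list of strings.
    """
    header = {"typ": "JWT", "alg": "none", "kid": "constructed"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/{tenant-id}/",  # placeholder issuer
        "scp": "user_impersonation",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: never make an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def _normalize(uri: str) -> str:
    # Token and request often differ only by trailing slash or letter case.
    return uri.strip().rstrip("/").lower()


def audience_matches(token: str, resource: str) -> bool:
    """True if the token's aud claim names the resource the request is sent to."""
    aud = decode_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return any(isinstance(a, str) and _normalize(a) == _normalize(resource)
               for a in audiences)


def diagnose(token: str, resource: str) -> str:
    """Explain why `resource` would reject this bearer token, or confirm it fits."""
    aud = decode_claims(token).get("aud")
    if audience_matches(token, resource):
        return f"ok: aud={aud!r} matches {resource}"
    return (f"mismatch: aud={aud!r} but the request goes to {resource}; "
            f"request the token with resource={resource} (Azure AD v1 endpoint)")


if __name__ == "__main__":
    # The situation in the question: aud is the client ID, request goes to SharePoint.
    print(diagnose(make_sample_token(CLIENT_ID), TENANT_RESOURCE))
    # A token minted for the SharePoint resource itself.
    print(diagnose(make_sample_token(TENANT_RESOURCE), TENANT_RESOURCE))
```

Run it against a token from your own token endpoint response by replacing the constructed sample with the real access_token string; if diagnose() reports a mismatch, the fix is on the token-request side (which resource the token was requested for), not in the manifest permissions.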