Office 365 OneDrive REST API - "invalid_client" - rest

I'm trying to make a call to the new Office 365 File REST APIs. (As explained here).
I'm using Postman rest client to send the request.
I have registered my application in Azure AD and given it full permissions to 'Office 365 SharePoint Online'.
I can successfully get an authorization token using the clientId generated in Azure AD.
However when I attempt to list files, using the access token I get an error.
------------------
RESOURCE HTTP GET:
------------------
URL: https://<OUR_DOMAIN>-my.sharepoint.com/personal/<user_domain>/_api/Files
HEADER: Authorization: Bearer <access token>
Response:
3001000;reason="There has been an error authenticating the request.";category="invalid_client"
What can cause this issue?

Not sure what steps you've tried to use to resolve this, so it's hard to help you out here. I've just finished writing up more detailed instructions on the steps to register an app to call OneDrive for Business. It's long and complicated right now, but we're working to make things better in the future.
You can check out the details of how to do auth here: https://dev.onedrive.com/auth/aad_oauth.htm
Make sure you aren't asking for too many permissions, since that will require your app to be authenticated by an admin instead of the end user. For most apps, you can just use the "My files" permission scopes which can be accepted by the user of your app directly.
If you post more information about what calls you're making, responses, and app configuration in AAD I might be able to help more.

You may have been using different resources.
Check whether the resource which you have used for getting access token is same as which you are requesting for getting files.
for example :
If the resource which you have mentioned while requesting access token be :: "https://tenant-my.sharepoint.com/"
Then you need to make request on the same resource for accessing files :: "https://tenant-my.sharepoint.com/_api/v2.0/drive/root/children"
The above request give list of root children.
tenant --> domain name which was registered to your organisation.
Follow this documentation for further accessing the api

Related

Microsoft Graph API: Getting ErrorAccessDenied for multi-tenant application with application permission

I'm writing a daemon app for my customers (multiple tenants) who are using outlook.
I'm using 2 application permissions that need admin consent - Mail.ReadBasic.All and
User.Read.All. my app first needs to read all the users' ids, then get all the metadata of their emails.
I've created a new tenant with office365 to test this, let's call it - test, and sent a couple of emails between 2 users.
So, at first, I'm redirecting the admin of the test org to the adminconsent endpoint, where he/she is granting application permissions to my app. This is the URL I'm using:
https://login.microsoftonline.com/organizations/v2.0/adminconsent?
client_id=<the app ID>
&state=<some state>
&redirect_uri=<my redirect URL as written in the app configuration>
&scope=https://graph.microsoft.com/.default
After calling this endpoint I can see my app listed in the test org under the Enterprise applications and can see the relevant permissions were granted by an admin.
Since I'm not getting a code from this flow (needed for the oAuth2 authentication flow), I then need to ask the admin to login again. I'm using this URL for that:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=<same app ID>
&response_type=code
&redirect_uri=<same redirect URL>
&scope=https://graph.microsoft.com/.default+offline_access+openid+profile
&state=<some state>
After the login is successful I'm getting a code back to my redirect URL and after another request, I'm getting an access token. Using this access token I'm trying to access any of the following APIs:
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users/user-id-of-user-in-test-org/messages
But I'm getting ErrorAccessDenied with a message: Access is denied. Check credentials and try again.
Further information:
I'm using python and the MSAL package to build the app (using the class - ConfidentialClientApplication) and the URLs for the authentication flow (but not for the adminconsent endpoint, as I couldn't find out how to do it)
Do you know what I'm doing wrong? I'm losing my mind over this... :(
This page should describe everything you need:
https://learn.microsoft.com/graph/auth-v2-service
The admin consent URL should be specific to the customer's tenant. You can use the word common if you want to allow signing into any tenant.
https://login.microsoftonline.com/{tenant}/adminconsent
You also must URL encode the redirect_uri param (and all other params). For some reason the example in that document is not URL encoded, but the value here must be URL encoded. You should see no colons, slashes, ampersands, etc. for this parameter.
For a different example that requests specific scopes for admin consent (instead of the default which is all the scopes you listed during your AAD client app registration) see https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent.
You will receive a callback to the redirect URI to indicate everything worked. This includes the tenant ID that granted you admin consent.
After that you initiate a separate token request call for the tenant ID, your application client ID and a specific requested scope. This will then return an appropriately scoped access token which you can use directly in all API calls. You can do this like so: https://learn.microsoft.com/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=python#acquiretokenforclient-api
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(config["scope"], account=None)
if not result:
logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" in result:
# Call a protected API with the access token below.
print(result["token_type"])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id")) # You might need this when reporting a bug.
Hope that helps. The article above has all the details.

How to consume the RSA Archer REST API to fetch Report?

Unable to retrieve ANY data when I try to fetch simple content from Archer via REST API calls through Postman or Mule.
1. Is URL below correct? What am I missing?
2. How to get Reports via Archer REST API i.e what API resource to use.
Have seen the Archer REST documentation but do not find it clear enough.
Have tried GET & POST, with Authorization configured, through Postman:
https://hostname/platformapi/core/security/login https://hostname/platformapi/core/content/123
https://hostname/RsaArcher/platformapi/core/content/123
I get 'Unauthorized: Access is denied due to invalid credentials.' error although I am told to have access.
Please suggest proper API call/path to be used and if any specific settings is to be made to retrieve data?
Archer version: 6.5
Note: Through POSTMAN and Mule, I have successfully consumed REST API from other secured applications. Struggling with Archer.
Thank you.
The documentation for Archer REST API was mentioned in a previous answer and seems to require a login into their site: https://stackoverflow.com/a/38511131/721855
This KB article shows examples on how to use the API from Powershell: https://community.rsa.com/docs/DOC-45643. It should be easy to adapt to Postman, Mule or whatever other language/tools.
I recently had the same issue. The company had anonymous authentication disabled on the api directory. The user account running postman must have access to the api directory. If you are still getting a 401, see if you anonymous access can be enabled to rule out other non-access related issues. If you are able to generate a security token when calling core/security/login when anonymous authentication is enabled, then you know the issue is that your account did not have access to the api directory. If you are not able to make the request successfully with anonymous authentication enabled, then you know the issue is likely with the way you've structured your REST call. Hope this helps!
Authentication to any Archer API is two step process. First you have to call an authentication resource or method. That will return a session token. You must then add that token to the request headers for subsequent requests. Your header would look something like this:
Authorization: Archer session-id=439C730FF83F68EFDC017ED705D9908E
Without this header, you'll get a 401 for any request other than an authentication request.

Access Denied while accessing SharePoint Custom List Using Rest APIs via POSTMAN

From couple of days, I am trying to access Custom made SharePoint Online List for CRUD Operation with the help of Rest APIs Endpoints using Postman, but all the time i am getting Access Denied Response in body.
I have got OAUTH Access Token with the help of Client Id, Client Secret, & Bearer Realm Token. I am also sending Access Token in Header, also i am given FULL-CONTROL Permission level by the SharePoint Admin.
Hope you got my point. Please let me know for any further Issue clarification.
Note :
List of Rest URL Endpoints I can Access are given below :
http://YourSite.sharepoint.com/_api/site/rootWeb/webinfos
http://YourSite.sharepoint.com/_api/web/lists
List of Rest URL End-Points I am not able to Access are :
http://YourSite.sharepoint.com/_api/web/lists/getbytitle('ListName')
http://YourSite.sharepoint.com/_api/web/lists/lists/getbytitle('listname')/items
THANKS IN ADVANCE

Single resource URI to get access token to do SSO and use Files, Calendar API

We are building a Front End Application which uses Azure AD APP to do single sign-on with Office 365.
To get Access Token using OAuth authentication process, we need to pass resource URI which can be
xyz.sharepoint.com -- to integrate with SharePoint site collections
xyz-my.sharepoint.com -- to integrate with OneDrive for business
outlook.office.com -- to integrate with outlook graph.windows.net --
graph.windows.net -- to use graph API for any search.
But to finish the single sign-on process, we need to fetch the user profile information at least email id is required. We were integrating with Onedrive for business in our Front End application.
So to get the user email, I can not get this information if I get the access token using resource xyz-my.sharepoint.com. I have to use xyz.sharepoint.com or graph.windows.net. So for our requirement, we have to fetch access token for 2 resources. It does not seem right, we had to maintain these access tokens along with refresh tokens to make these access tokens active.
Is there any other way to get an access token which can be used for all office 365 services OneDrive, Calendar, Mail, Outlook and Sharepoint?
Regards,
This is exactly the problem the Office 365 Unified API attempts to solve:
https://msdn.microsoft.com/en-us/office/office365/howto/office-365-unified-api-overview
Please take a look at the MSDN page above and let me know if you run into any issues integrating with the Unified API.
I hope this helps!
Shawn Tabrizi

SharePoint Error using Office 365 REST API OAuth access_token

I am developing a rather simple application that retrieves files from SharePoint using the REST Office 365 API. This is a batch job running in the background with no user interface so the following simple 2-step flow is what I'm doing:
(1) Requesting an Access Token from Azure AD (supplying client ID, client secret, resource, and grant_type=client_credentials)
(2) Invoke the SharePoint API (https://{base url}/_api/v1.0/Files) using the "Authorization: Bearer " as a request header .
That process seems pretty straightforward and sounds simple but I keep getting the following error:
401 Unauthorized
x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
Any idea what the problem is and how this can be resolved ? I have been stuck on this for days now. I would REALLY appreciate somebody's help with this. Thanks.
SharePoint Online doesn't yet support clients accessing it using app-only tokens (resulting from client credential OAuth2 flow). It only supports delegated token aka user+app tokens (resulting from authorization code OAuth2 flow).
So, if you wish to write a client application (web app or native client app) that accesses SharePoint online - it can only be on behalf of a user, and it must involve interactive authentication of the user - after the user authenticates - they will be shown a consent page where they need to consent to your application accessing the O365 API on their behalf.
Only Mail/Calendar/Contacts APIs (Exchange Online) support clients accessing them using app-only tokens - and they have turned on this support very recently. Read about client credential flow tokens with Exchange Online APIs here: http://blogs.technet.com/b/ad/archive/2015/02/04/using-azure-ad-to-build-daemon-applications-that-call-office-365-apis.aspx, http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
Hope this helps.
ps: OAuth2 client credential flow doesn't issue a refresh token
You will need an access token for the specific resource you are trying to access - in this case your sharepoint site for the Office365 REST Apis.
A good read on this can be found here: https://msdn.microsoft.com/en-us/library/azure/dn645538.aspx
Assuming your {base_url} is a sharepoint site, i.e., 'https://[site_name]-my.sharepoint.com
You can either:
(1) Initially get the access and refresh tokens using your client credentials plus a resource = {base url}
or
(2) Once you have the access and refresh token from the Azure AD resource, make a refresh_token call using:
client_id
client_secret
grant_type = 'refresh_token'
resource = {base_url}
refresh_token = [refresh token received from Azure AD
generate token response]
In this case you'll have 2 access tokens:
one that can be used for Azure AD requests
one that can be used for Office365 REST Api requests.
We could not/have not found a way to have a single access token be 'valid' for more than 1 resource.
Hope this helps!

Categories