Resource parameter when requesting access token?

microsoft-graph-api
twbbas picture twbbas · May 3, 2017 · Viewed 8.1k times · Source

I'm following this guide to authenticate with Microsoft Graph. I am able to successfully do the first request (for an authorization code) but am having issues with the second request (requesting an access token).

Params for the second request (for access token):

client_id: <my id>
client_secret: <my secret>
code: <authorization code returned from first request>
redirect_uri: http://localhost:8080/Callback
grant_type: authorization_code
scope: https://graph.microsoft.com/user.read

Error from second request:

{
  "error": "invalid_resource",
  "error_description": "AADSTS50001: Resource identifier is not provided.\r\nTrace ID: <my trace id>\r\nCorrelation ID: <my correlation id>\r\nTimestamp: 2017-05-03 15:25:42Z",
  "error_codes": [
    50001
  ],
  "timestamp": "2017-05-03 15:25:42Z",
  "trace_id": <my trace id>,
  "correlation_id": <my correlation id>
}

However, my request works fine (returns a bearer and refresh token) if I add this extra parameter:

resource: https://graph.microsoft.com/

I don't see this resource parameter mentioned anywhere in the docs except the example under Getting an access token on this page.

My questions are:

  1. Why am I getting the above error when my request seems to match the documentation?
  2. When do I need to include the resource parameter?

EDIT: See Marc's answer below and my comment response.

Turns out I was using the following URLs:

https://login.microsoftonline.com/common/oauth2/authorize https://login.microsoftonline.com/common/oauth2/token

when I should have been using:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize https://login.microsoftonline.com/common/oauth2/v2.0/token

After using the ones with v2.0, I didn't need to include my resource parameter in the token request anymore.

Answer

Marc LaFleur picture Marc LaFleur · May 3, 2017

It looks like your providing the correct properties but not in the correct format. To get the token you need to issue a POST this data formatted for application/x-www-form-urlencoded to https://login.microsoftonline.com/common/oauth2/v2.0/token. From your example, it looks like your sending your data as JSON rather than x-www-form-urlencoded.

POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=authorization_code&code=[AUTHORIZATION CODE]&
           client_id=[APPLICATION ID]&client_secret=[PASSWORD]
           &scope=[SCOPE]&redirect_uri=[REDIRECT URI]

I wrote up a Microsoft v2 Endpoint Primer a few months back that might help walk you through the procedure.

Related questions

Microsoft Teams : REST APIs

I'm interested in getting data (metadata and content of files) out of Microsoft Teams into my application using REST APIs. I have looked at Office 365 APIs and Graph APIs but, I could not find supporting documentation for Microsoft Teams.

Read More
How to resolve a "Transient error" from Microsoft Graph API?

I am building an app for a client using the Microsoft Grap API and when I log in with a particular account I get this error: Request Id: d300b62e-e0a5-4f62-9957-1cc10fd42800 Correlation Id: …

Read More
AADSTS70011: The provided value for the input parameter 'scope' is not valid

So I have a scenario wherein the application should add users to a group on certain conditions. Also when the application starts running users should not be asked to login their microsoft id/pwd. So I access the token I …

Read More