Invalid Audience URI error Service to Service application, onedrive for business

Question

I am attempting to retrieve files from an Office 365 for Business account.

Following instructions here:

https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx

I have been able to successfully obtain an Access Token for my application.

However, when I attempt to use the token to make API Calls, I receive the error

"https://[tenant redacted]-my.sharepoint.com/_api/v2.0/drive/ - 401: {"error":"invalid_client","error_description":"Invalid audience Uri 'http:\/\/[redacted]-spreadsheet-test-webapi.[tenant url redacted].com\/'."}

My call to the sharepoint URL is a simple GET request with the headers set as follows:

  headers = {
                'User-Agent' : 'python_tutorial/1.0',
                'Authorization' : 'Bearer {0}'.format(access_token),
                'Accept' : 'application/json',
        }

I have confirmed the Resource URI I am using matches the App ID URI in the Active Directory configuration, and I have delegated the appropriate sharepoint permissions (Read and write items in all site collections, Read and write user files) to the application.

I have been trying various API endpoints, different "Resource" parameter values, and re-read various documentation multiple times.

I also was able to make requests via the Graph API, however it does't have the functionality (access/update files in a users onedrive) that I need.

Not sure what I'm missing, any help would be appreciated.

Answer 1

I Had the same issue.

I use OneDrive for business API (and not office 365 management API) to download\upload files, This means the resource parameter you provide while retrieving access token should be:

https://[tenant redacted]-my.sharepoint.com

Please try to open the access token (which is in JWT format) with a JWT decoder, to verify the audience (I used online JWT decoder to do so, the parameter you look in the under payload is aud) is what you are expecting.