I've registered a native app on Azure Active Directory and given all permissions for Graph and OneNote APIs, obtaining tokens successfully on behalf of users using username and password credentials. I've been able to create and update notebooks and perform other actions on Graph using those tokens, but they suddenly stopped working despite no changes to the code making those requests.

I can still do other changes such as creating list items on SharePoint, but any action regarding OneNote notebooks results in a 401 with the following response:

```json
{
  "error": {
    "code": "40001",
    "message": "The request does not contain a valid auth token.",
    "innerError": {
      "request-id": "472a74fd-c050-495a-9ec3-04d1ec3c4461",
      "date": "2018-06-26T20:49:28"
    }
  }
}
```

I've confirmed the app registration has every permission on both Graph and OneNote APIs.

I've confirmed tokens are being requested for the correct resource. In fact I was using Graph, switched to the OneNote API after this problem showed up on Graph, and after a while the same problem happened on OneNote API as well.

I've tried using .NET ADAL `AuthenticationContext.AcquireTokenAsync(resource, ClientId, userCredential)` or making the request directly to `https://login.windows.net/{tenantId}/oauth2/token` with the following body, and both had the same result:

```csharp
"resource=" + resource
    + "&client_id=" + ClientId
    + "&grant_type=password"
    + "&username=" + Username
    + "&password=" + Password
    + "&scope=openid";
```

I've tried accessing notebooks from a SharePoint site open to all users on the tenant and got the same issue. I've tried creating OneNotes on the user's personal OneDrive and got the same issue, so it's not an issue of the user not having access to the notebook.

So, I've made a few dozen thousand calls on Graph API, then this problem showed up. Another few dozen thousand calls on OneNote API, then this problem showed up. Any ideas of what could be going on? Is there a limit to the number of actions regarding OneNotes that can be made in these APIs?

EDIT: There are two other things I've discovered that are worth mentioning. The first is that the Graph Explorer was still working normally even while my tokens weren't. I assume the explorer uses authorization code flow to get tokens on behalf of users while I'm using username/password, so the username/password authorization flow probably has something to do with the issue. The second thing is that today the Graph API is once again working for OneNote endpoints, which means my app has likely been locked out of making OneNote actions for a time period (24h maybe?).

Janilson
  • Hi Lucas, I am an engineer from the OneNote team. I don't think you are doing anything wrong here and would love to debug this with you - could you request help here so we can start a conversation? You can title it "Problem making call to OneNote API" and paste the contents of this question as description. https://aka.ms/onenotesupport – Jorge Aguirre Jun 26 '18 at 22:34
  • Please let me know once you've done this so we can start debugging. – Jorge Aguirre Jun 26 '18 at 22:38
  • @JorgeAguirre Thanks Jorge, I've requested help on that link. However, the description has a short character limit, so I've made a short description of the issue with the link to this question copy-pasted for more details. Also, check the edit on my question, as I've found out two new things that are likely to help in finding the cause of the issue. – Janilson Jun 27 '18 at 14:43
  • It sounds like you were being throttled, although that message implies that you were missing the `Authorization` header in your request. OneNote does throttle/limit your app to 5 concurrent connections. Can you please include the code you're using? An HTTP trace from Fiddler would also be helpful. – Marc LaFleur Jun 27 '18 at 15:34
  • Lucas, I've replied to you in the helpdesk discussion. This wasn't exactly throttling, but it was something very similar. We've changed our service so that the throttling is less likely to happen and so that if it does happen, you get a clear error code (not the same as an authentication error). – Jorge Aguirre Jun 27 '18 at 23:52
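
When a 401 like the one in the question appears, one way to rule out the token itself is to decode its claims locally and check audience, validity window and permissions. This is an added example, not code from the original posts: the sample tokens are constructed and unsigned, and `https://graph.microsoft.com` and the `Notes.ReadWrite.All` scope are assumed sample values.

```python
import base64, json, time

def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.
    Local troubleshooting only; never use this for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage(token, expected_resource, now=None):
    """Return findings that would explain a 401 from the token alone."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != expected_resource.rstrip("/"):
        findings.append(f"audience mismatch: token is for {aud!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    if claims.get("nbf", 0) > now:
        findings.append("token not yet valid")
    if not claims.get("scp") and not claims.get("roles"):
        findings.append("no scp (delegated) or roles (app-only) claim")
    return findings

def _make_sample(claims):
    # Constructed, unsigned sample token so the example runs offline.
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed "now": the date in the error response, assumed to be UTC.
NOW = 1530046168
GOOD = _make_sample({"aud": "https://onenote.com/", "nbf": NOW - 300,
                     "exp": NOW + 3300, "scp": "Notes.ReadWrite.All"})
STALE = _make_sample({"aud": "https://graph.microsoft.com", "nbf": NOW - 7200,
                      "exp": NOW - 3600, "scp": "Notes.ReadWrite.All"})

if __name__ == "__main__":
    print(triage(GOOD, "https://onenote.com/", NOW))
    print(triage(STALE, "https://onenote.com/", NOW))
```

An empty result means the token does not explain the 401, which points at the service side, as in the throttling-like behaviour described in the comments above.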

1 Answer

This also happened to us. I have modified the authentication to the below, and this authenticates successfully.

```powershell
# Form-encoded body for the client-credentials grant against the OneNote resource
$body = "grant_type=client_credentials&client_id=CLIENTID&client_secret=CLIENTSECRET=&resource=https%3A%2F%2Fonenote.com%2F"

# Request the token from the tenant's token endpoint and keep the access token
$auth = Invoke-RestMethod -Uri 'https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/token' -Body $body -Method post -ContentType application/x-www-form-urlencoded
$accesstoken = $auth.access_token
```

Just make sure the client id is encoded as it will throw an error if not.

Alex P