10

Some users are getting this error back when trying to sign in using Microsoft Sign In in order to access mail via MS Graph. I've had both corporate users and personal (Hotmail.com) users showing this error number, but it works fine for most users.

This is the call:

https://login.microsoftonline.com/common/oauth2/v2.0/token

This is the error returned:

Code: InvalidAuthenticationToken
Message: CompactToken validation failed with reason code: 80049228

Any pointers? Where can I find a reference to this error number?

mike nelson

2 Answers

1

This means the token expired and it needs to be refreshed. If you want to refresh it without user interaction, you'll need a refresh_token, which is returned when you obtain a token initially.

Here is how you can refresh it:

// `oauth2` is the OAuth2 client object created elsewhere in the app.
function refreshTokenIfNeeded(tokenObj) {
    // Wrap the stored token object so it can be inspected and refreshed.
    const accessToken = oauth2.accessToken.create(tokenObj);

    // Refresh up to 5 minutes before the actual expiry.
    const EXPIRATION_WINDOW_IN_SECONDS = 300;

    const { token } = accessToken;
    const expirationTimeInSeconds = token.expires_at.getTime() / 1000;
    const expirationWindowStart = expirationTimeInSeconds - EXPIRATION_WINDOW_IN_SECONDS;

    const nowInSeconds = (new Date()).getTime() / 1000;
    const shouldRefresh = nowInSeconds >= expirationWindowStart;

    // Resolve with the current token unless it is inside the refresh window.
    let promise = Promise.resolve(accessToken);
    if (shouldRefresh) {
        console.log("outlook365: token expired, refreshing...");
        promise = accessToken.refresh();
    }
    return promise;
}

Where tokenObj is the token object you store in your database. Make sure it also has expires_at, or otherwise oauth2.accessToken.create() will create it and calculate it from the current moment in time.

More details can be found in this tutorial and in this GitHub repo (this is where the code above was taken from).

vir us
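An added example, not part of the answer above or of the repo it links to: a reactive counterpart to the proactive expiry check, which calls Graph, recognises the `InvalidAuthenticationToken` error body from the question, redeems the refresh_token at the token endpoint once, and retries once. The function names and the injected `fetchFn` are hypothetical, and a public client is assumed (a confidential client would also send its client_secret).

```javascript
// Added example (hypothetical helper names). fetchFn is injected so the same
// code runs with the global fetch or with a stub in tests.
const TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token";

// True when a Graph response carries the error code shown in the question.
function isInvalidTokenError(status, body) {
  return status === 401 && body?.error?.code === "InvalidAuthenticationToken";
}

// Redeem the stored refresh_token for a new token set (assumes a public client).
async function refreshTokens(fetchFn, clientId, tokens) {
  const res = await fetchFn(TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "refresh_token",
      client_id: clientId,
      refresh_token: tokens.refresh_token,
    }).toString(),
  });
  const body = await res.json();
  // Report only the OAuth error code; never put token values in messages or logs.
  if (!res.ok) throw new Error(`token refresh failed: ${body.error}`);
  return {
    access_token: body.access_token,
    // The endpoint may rotate the refresh token; keep the old one otherwise.
    refresh_token: body.refresh_token ?? tokens.refresh_token,
    expires_at: new Date(Date.now() + body.expires_in * 1000),
  };
}

// GET a Graph URL; refresh and retry at most once so a bad token cannot loop.
async function graphGet(fetchFn, clientId, tokens, url) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const res = await fetchFn(url, {
      headers: { Authorization: `Bearer ${tokens.access_token}` },
    });
    const body = await res.json();
    if (res.ok) return { data: body, tokens };
    if (attempt === 0 && isInvalidTokenError(res.status, body)) {
      tokens = await refreshTokens(fetchFn, clientId, tokens);
      continue;
    }
    throw new Error(`${body?.error?.code}: ${body?.error?.message}`);
  }
}
```

Persist the returned `tokens` object after each call, since both the access token and the refresh token may have changed.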
0

Found a Solution To This

In my case, I was refreshing the token before using the access_token with Microsoft Graph API even once.

Once you successfully call https://login.microsoftonline.com/common/oauth2/v2.0/token, you will get a refresh_token and an access_token. My guess is that you have been refreshing the token before using the first access token from the URL mentioned above.

Steps to Fix:

  1. Call https://login.microsoftonline.com/common/oauth2/v2.0/token as you did before
  2. Copy the access_token from the response and use it at least once with your Microsoft Graph API
  3. Now you can copy the refresh_token (or once the access_token is expired) and exchange it for a new access token
  4. Enjoy your API integration
  5. Smile :)

Reference:

  1. Microsoft Authentication (Tokens) Docs - Including Refresh Token
  2. OneDrive Refresh Token Answer
Stas Sorokin