Making a MS Graph request with curl

Question

I am trying to do some MS Graph work using Perl/curl but ran into some problems. Brought the problem back to the most basic example I can come up with: 2 curl command from a bash scripts.

I have an APP_ID, APP_Secret and Tenant_ID. Those work just fine in a NodeJS script using Axios (which I do not want to use).

Getting the token:

curl -X POST -d 'grant_type=client_credentials&client_id=[APP_ID]&client_secret=[APP_SECRET]' https://login.microsoftonline.com/[TENANT_ID]/oauth2/token

This command result in a JSON (?) reply containing an access_token which I copy/paste in the following command:

curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" https://graph.microsoft.com/v1.0/groups

Which results in:

{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2023-01-20T11:12:55","request-id":"[request_id]","client-request-id":"[client_request_id]"}}}

This puzzles me. I've just gotten the access_token. Guess I'm doing something wrong, just don't know what.

Answer 1

Finally got the solution. Turned out I had forgotten 2 things in the token request header:

• the scope: https://graph.microsoft.com/.default
• the resource: https//graph.microsoft.com

Forgetting the scope was an "ow shit" experience. Should have known that. The resource had me going for a while. Found that here

Have put it together in te following bash script (learned about jq on the way)

#! /usr/bin/bash

 token=`curl \
    -d grant_type=client_credentials \
    -d client_id=[client_id] \
    -d client_secret=[client_secret] \
    -d scope=https://graph.microsoft.com/.default \
    -d resource=https://graph.microsoft.com \
    https://login.microsoftonline.com/[tenant_id]/oauth2/token \
    | jq -j .access_token`

curl -X GET \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    https://graph.microsoft.com/v1.0/groups \
    | jq .