delegated jwt token for microsoft graph api working only for my resources

Question

I'm following the microsoft documentation to acquire a user token: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

I create an Azure AD Application and authorize several apis.
I generate the consent url and it returns an authorization code.
From this code, I request an Access token.

So far so good. Then I use the user access token and use it to make some Microsoft graph api calls. It is still working fine (I'm accessing Microsoft teams resources).

In a channel,there is a message that I have created and in which have copy/pasted an image. (The html content shows that the image has been stored into my personal onedrive.) I can read the image and download it programmatically. The problem happens when a colleague creates a message that contain an image that he copied / pasted in the message. The image points to his personal onedrive, and when I try to download it using the token, I'm getting an unauthorized exception. Of course, if I use the url in a web browser, I can access the file. It looks like the token does not allow me to navigate to a sharepoint site or to a file in another onedrive that I have access to.

What permission should I exactly request?

Repro:

Azure AD application permissions:

The consent URL: I have requested various different scopes, it has no impact on the result. https://login.microsoftonline.com/tenantName/oauth2/v2.0/authorize?client_id=clientI&response_type=code&redirect_uri=http%3A%2F%2Flocalhost&response_mode=query&scope=Files.ReadWrite.All%20Chat.Read%20ChatMessage.Read&state=31:5&prompt=consent

JWT token:

URL That I try to download programmatically and that generates the unauthorized https://tenantName-my.sharepoint.com/personal/the valid colleague/Documents/Microsoft%20Teams%20Chat%20Files/managerapi_logs.txt

When I paste this url in a web browser I can access the file.

The code for the download function:

private async Task Download(string url, string fileName)
    {
        using var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _token);
        var respons = await client.GetAsync(url);
        if (respons.StatusCode == System.Net.HttpStatusCode.OK)
        {
            var downloadStream = await respons.Content.ReadAsStreamAsync();
            _oneDriveUpload.UploadToOneDrive(fileName, downloadStream, "Teams");
        }
        else
        { 
            // It fails here with unauthorized
            throw new Exception(respons.ReasonPhrase);
        }
    }

and finally a proof that my token works for files that I own and that are stored in my onedrive. All of them have been accessed succesfully. But as soon as I jump out of my onedrive, I'm getting the exception.

@tiny wang: I have explained that I have access to the file. If I copy the link in a webbrowser, I can access it. — CloudAnywhere, Feb 27 '23 at 08:18
the question is : why does my token not permit to access a file that I have access to? — CloudAnywhere, Feb 27 '23 at 08:19

score 0 · Answer 1 · answered Feb 28 '23 at 11:21

the problem was with the token generated. It did not allow to access shared resources in Onedrives or Sharepoint sites. For this I had to use an application token and it was mandatory to get the token using clientId AND certicate, not clientId AND secret.

delegated jwt token for microsoft graph api working only for my resources

1 Answers1