
When I am using the On-Behalf-Of flow and hitting the /token endpoint with "common" as the tenant and the middle-tier token as the assertion, with scopes "openid profile offline_access user.read", I get a malformed token. It works for the /me endpoint of Microsoft Graph, but it does not work for other Microsoft APIs such as the GetAllFolders API etc.

{
  token_type: 'Bearer',
  scope: 'User.Read openid profile',
  expires_in: 2148,
  ext_expires_in: 2148,
  access_token: 'EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy/KWYLLdVH0vH5mX0MiAuWOx+gxF.............................................................................................................................................................................................................................................9bsbChhpSgTqaDAn2/5e2ol0e+jVUfSFYGNfr45kqBZUoB32Q2HFI1p8wpIdQPOMXfQI=',
  refresh_token: 'M.C105_BAY.-CW5CZWj8ujA1gjI*WNj2u.........................................................................................................................................Ld5Mv40fbrVowHZdbrDkTPFTaKFidgiAN!qZhx472zJNxxnW0iVOFfQqNtU$',
  id_token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJS.........................................................................................................................................................................................................................83ZPxcotsRG-wGV30ULbnXyI8PFg'
}

Normally an access token starts with "ey...". When we add more scopes we get different responses such as:

{
  error: 'invalid_grant',
  error_description: "AADSTS500202: User account '{EmailHidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint.\r\n"
}
  • What code do you use? – Eugene Astafiev May 18 '23 at 14:11
  • Could you include the scope you are adding and the API/Graph query you are trying to call? – Rukmini May 19 '23 at 03:48
  • @EugeneAstafiev I use this code (C#): `if (type == "onBehalf") { postData.Add(new KeyValuePair<string, string>("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")); postData.Add(new KeyValuePair<string, string>("requested_token_use", "on_behalf_of")); postData.Add(new KeyValuePair<string, string>("requested_token_type", "urn:ietf:params:oauth:token-type:saml1")); postData.Add(new KeyValuePair<string, string>("assertion", accessToken)); }` – yatin tripathi May 19 '23 at 05:41
  • @Rukmini the scopes I include are "openid profile" – yatin tripathi May 19 '23 at 05:42
  • Could you also include the Graph query you are executing to GetAllFolders? – Rukmini May 19 '23 at 05:46
  • @Rukmini `var folderOptions = new List<QueryOption>() { new QueryOption("expand", "listItem"), }; var folderData = await _graphServiceClient.Sites[_siteId].Drive.Root.Children.Request(folderOptions).Select(file => new { file.Id, file.Name, file.Folder, file.Package, file.LastModifiedDateTime, file.SharepointIds, file.CreatedDateTime }).GetAsync();` – yatin tripathi May 19 '23 at 05:59
  • @Rukmini https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/children – yatin tripathi May 19 '23 at 06:08
  • Did you get the access token successfully using the OBO Flow? – Rukmini May 19 '23 at 06:09
  • @Rukmini yes, I do get the access token. It looks like this with the /common endpoint: access_token: 'EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy/KWYLLdVH0vH5mX0MiAuWOx+gxF.............................................................................................................................................................................................................................................MXfQI=' – yatin tripathi May 19 '23 at 06:12
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/253732/discussion-between-rukmini-and-yatin-tripathi). – Rukmini May 19 '23 at 06:13
  • I think you can write a sample using OBO flow – Tiny Wang May 19 '23 at 06:20
  • @TinyWang can you please elaborate what you mean? – yatin tripathi May 19 '23 at 06:24
  • Oh sorry, I forgot to @ Rukmini. He is very helpful, and I think if you can share your requirements, he may write a sample for you, because your issue looks weird. – Tiny Wang May 19 '23 at 06:26
  • Okay thank you @TinyWang, a sample using OBO flow will surely help my case. – yatin tripathi May 19 '23 at 06:29
  • And [this one](https://stackoverflow.com/a/74313765/14574199). By the way, is your test using an account like xx@xx.onmicrosoft.com? If not, could you please use that kind of account? – Tiny Wang May 19 '23 at 06:37
  • @TinyWang my problem is with the /common endpoint for personal accounts. Work and school accounts are working with the OBO flow. The token which I get using "common" as the tenant does not work for other Graph APIs except the /me endpoint. The access token is also different for personal accounts; it's difficult to decode. – yatin tripathi May 19 '23 at 06:44
  • thank you for your sharing, but I don't have any other ideas then... – Tiny Wang May 19 '23 at 06:47
  • @Rukmini Zuhei recreated my issue in this link: [link](https://learn.microsoft.com/en-us/answers/questions/1287189/why-am-i-getting-an-invalid-access-token-from-on-b?page=1&orderby=helpful&comment=answer-1255205#newest-answer-comment). "Common-consent pattern for OBO will not work." I don't necessarily understand the whole "on-behalf-of flow does not currently work for Microsoft personal accounts"; currently the list sites endpoint does not support delegated personal permission. – yatin tripathi May 19 '23 at 07:50
  • Yeah, list sites doesn't support Microsoft personal accounts. – Rukmini May 19 '23 at 07:53
  • @Rukmini one last question: will the {common} tenant work for the compare feature using OpenXML? – yatin tripathi May 19 '23 at 07:55
  • Sorry, I don't have any idea on this. – Rukmini May 19 '23 at 08:04

2 Answers

Note that the scenario you are trying to achieve doesn't work for personal Microsoft accounts. To resolve the issue you have to make use of work or school accounts.

I tried to generate the access token using a personal Microsoft account and got the error below when calling:

https://graph.microsoft.com/v1.0/sites/6897a344-7c37-441b-aa3c-dcff235035c7/drive/root/children


To resolve the issue, I generated the token using the OBO flow like below, signing in with a work or school account. First, the authorization code exchange:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:scope
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

Then the on-behalf-of exchange, passing the access token from the previous step as the assertion:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:Scope
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:
requested_token_use:on_behalf_of


Now, by using the above access token, I am able to list the sites successfully like below:

https://graph.microsoft.com/v1.0/sites/6897a344-7c37-441b-aa3c-dcff235035c7/drive/root/children


Reference:

https://learn.microsoft.com/en-us/graph/api/site-list?view=graph-rest-1.0&tabs=http

Rukmini
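To make the two request shapes from the answer above and the symptom from the question concrete, here is an added Python example (not code from the question, the answer, or Microsoft). It builds the on-behalf-of form body with the parameters the answer lists, then inspects the `/token` response the way a middle tier could before forwarding a token to Graph: a work-or-school response carries a three-segment JWT (the "ey..." shape the question mentions), the personal-account response carries an opaque "EwB..." token that cannot be decoded, and the `AADSTS500202` case is an error body. The sample tokens and responses are constructed for the demo; the consumer tenant id `9188040d-6c67-4c5b-b112-36a304b66dad` used to flag personal-account JWTs is not on the page and is an assumption, as are the `tid`/`idp` claim checks.

```python
"""Added example: build an on-behalf-of (OBO) token request and classify the /token response."""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Assumption (not on the original page): tenant id of the Microsoft account (consumer) directory,
# used only to flag a personal-account JWT during inspection.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_obo_request(tenant, client_id, client_secret, assertion, scopes):
    """Return (url, form-encoded body) for the OBO exchange with the parameters the answer lists."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,  # access token the middle tier received from its caller
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Unverified decode of a JWT payload, for inspection/logging only (never for authorization).

    Returns the claims dict, or None when the token is not a JWT (e.g. the opaque 'EwB...' MSA tokens).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(header, dict) and "alg" in header else None


def diagnose_token_response(resp):
    """Classify a parsed /token response body into a short status string a middle tier can log."""
    if "error" in resp:
        desc = resp.get("error_description", "")
        # Error descriptions start with the AADSTS code, e.g. "AADSTS500202: User account ...".
        code = desc.split(":", 1)[0] if desc.startswith("AADSTS") else resp["error"]
        return "error:" + code
    claims = decode_jwt_claims(resp.get("access_token", ""))
    if claims is None:
        return "opaque"  # not a JWT: Graph /me may accept it, but its audience/scopes cannot be inspected
    if claims.get("tid") == MSA_TENANT_ID or claims.get("idp") == "live.com":
        return "jwt-personal"  # assumption: personal account, OBO path from the question will not work
    return "jwt-work-or-school"


def make_sample_jwt(claims):
    """Constructed, unsigned JWT for the demo; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample responses (shapes follow the question and the answer, values are made up).
WORK_RESPONSE = {
    "token_type": "Bearer",
    "access_token": make_sample_jwt(
        {"tid": "contoso-tenant-id", "idp": "https://sts.windows.net/contoso-tenant-id/", "scp": "Sites.Read.All"}
    ),
}
OPAQUE_RESPONSE = {
    "token_type": "Bearer",
    "scope": "User.Read openid profile",
    "access_token": "EwBoA8l6BAAUconstructedOpaqueMsaTokenForTheDemo",
}
ERROR_RESPONSE = {
    "error": "invalid_grant",
    "error_description": "AADSTS500202: User account '{EmailHidden}' from external identity provider "
    "'live.com' is not supported for API version '2.0'.",
}

if __name__ == "__main__":
    url, body = build_obo_request("common", "ClientID", "ClientSecret", "caller-token", ["https://graph.microsoft.com/.default"])
    print(url, body, sep="\n")
    for name, resp in (("work", WORK_RESPONSE), ("personal", OPAQUE_RESPONSE), ("error", ERROR_RESPONSE)):
        print(name, "->", diagnose_token_response(resp))
```

In a real middle tier the `assertion` is the bearer token presented by the caller and the body is POSTed as `application/x-www-form-urlencoded`; `decode_jwt_claims` only reads the payload and performs no signature check, so its output is suitable for logging which account type produced the token, not for making access decisions.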

According to the documentation, the list sites endpoint currently does not support delegated personal permissions, so maybe that's the cause of the problem.

I also tested it locally, and the same account returns different results under different {tenant} values.

This link might help if anyone faces the same issue:

https://learn.microsoft.com/en-us/answers/questions/1287189/why-am-i-getting-an-invalid-access-token-from-on-b?page=1&orderby=helpful&comment=answer-1255205#newest-answer-comment