I am trying to make CRUD operations of the TermStore using the v2.0 REST API. But I am having problems with the token. I can generate the token correctly, but when I try to use it, for example on a GET call to get the groups of the TermStore, the following error simply appears:

{
    "error": {
        "code": "unauthenticated",
        "innerError": {
            "code": "invalidToken"
        },
        "message": "The provided token is invalid"
    }
}

I gave maximum permissions to the app, because maybe it was a problem of not enough permissions. I've tried giving both types of permissions, Application and Delegated:

Application Type

Delegated Type

Obviously I have granted admin consent.

This is how I fetch the token:

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/x-www-form-urlencoded");
myHeaders.append("Cookie", "fpc=YOUR_FPC_COOKIE; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd");


var formdata = new FormData();
formdata.append("grant_type", "client_credentials");
formdata.append("client_id", "myID");
formdata.append("client_secret", "mySecret");
formdata.append("scope", "https://contoso.sharepoint.com/.default");

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: new URLSearchParams(formdata),
  redirect: 'follow'
};

fetch("https://login.microsoftonline.com/myTenantID/oauth2/v2.0/token", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

It works fine; it returns me a token that expires in one hour (obviously I refresh the token every hour; I still do it manually because first I want to have it working well).

But when using the token, the error that I previously mentioned appears. This is the complete GET call:

var myHeaders = new Headers();
myHeaders.append("Authorization", "Bearer verylongtoken");

var requestOptions = {
  method: 'GET',
  headers: myHeaders,
  redirect: 'follow'
};

fetch("https://contoso.sharepoint.com/_api/v2.1/termstore/groups", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

I've searched similar questions like

Invalid Audience URI error Service to Service application, onedrive for business

or

Sharepoint Online REST API with Azure AD v2.0 authentication

and

How to get access token without sign-up or sign-in to web app?

I've tried all the solutions but nothing.

I have also created an Application ID URI, but it doesn't work either. I don't know what else to try.

Should I try to work with the Microsoft Graph API instead of the SharePoint API? I know that in the past you couldn't work with Term Store, but now the permission TermStore.ReadWrite.All exists, so if you think it is a viable option let me know.

I hope I have explained well,

Thank you,

martirodm

1 Answer

Should I try to work with the Microsoft Graph API instead of the SharePoint API?

Yes, very much so. For example, for the request in your example, you'd use List termStore groups.

Philippe Signoret
  • Thank you for answering! But it seems that it is not supported for the Application type... I want to make an app that doesn't require any kind of user account. I really don't understand why the token doesn't work well for the SharePoint API... – martirodm Jul 21 '23 at 14:08
  • Some SharePoint APIs require using a certificate when obtaining a token, and actively reject tokens obtained with a client secret. You may want to try that. But it might be that SharePoint just doesn't support app-only access for this API at all, on any API. – Philippe Signoret Jul 24 '23 at 16:52
  • I didn't know about that extra step with certificates, but well, I've managed to get it working with app-only access despite Microsoft saying it is not supported with Graph, so that's it. Thank you! – martirodm Jul 25 '23 at 08:09
  • Good to know you got it to work. That said, do be careful about taking a dependency on an API, or on the way in which you use an API, when it's not documented. If a certain pattern is not documented (or if it's explicitly documented as unsupported), you should assume there is a high risk of it being disabled or broken at some point in the future. – Philippe Signoret Jul 25 '23 at 18:33
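
The certificate-based token request mentioned in the comments, as an added example that is not code from the question or the answer: the `client_secret` field of the question's form is replaced by a signed JWT client assertion. `myTenantID`, `myID` and the scope are the question's placeholders; the key pair and the certificate bytes are constructed stand-ins, and the function names are hypothetical.

```javascript
const nodeCrypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Signed JWT that proves possession of the certificate's private key.
function buildClientAssertion({ tenantId, clientId, privateKey, certDer, now }) {
  const iat = now ?? Math.floor(Date.now() / 1000);
  const header = {
    alg: "RS256",
    typ: "JWT",
    // x5t: base64url of the SHA-1 hash of the DER-encoded certificate
    x5t: b64url(nodeCrypto.createHash("sha1").update(certDer).digest()),
  };
  const claims = {
    aud: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    iss: clientId,
    sub: clientId,
    jti: nodeCrypto.randomUUID(), // unique per request, limits replay
    nbf: iat,
    exp: iat + 300, // short lifetime: the assertion is itself a bearer credential
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = nodeCrypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Same form fields as the question's token request, with client_secret replaced.
function buildTokenRequestBody({ clientId, scope, assertion }) {
  return new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    scope,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
  });
}

// Decode one JWT segment (0 = header, 1 = claims) for inspection, without verifying it.
const decodeSegment = (jwt, i) =>
  JSON.parse(Buffer.from(jwt.split(".")[i], "base64url").toString("utf8"));

// Constructed demo input: throwaway key pair and stand-in bytes for the certificate DER.
const demoKeys = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const demoCertDer = Buffer.from("constructed stand-in for certificate DER bytes");
const demoAssertion = buildClientAssertion({
  tenantId: "myTenantID", clientId: "myID", privateKey: demoKeys.privateKey, certDer: demoCertDer,
});
const demoBody = buildTokenRequestBody({
  clientId: "myID", scope: "https://contoso.sharepoint.com/.default", assertion: demoAssertion,
});
console.log(decodeSegment(demoAssertion, 0), decodeSegment(demoAssertion, 1), demoBody.toString().length);
```

In a real deployment the private key comes from a key store rather than being generated in process, and `certDer` is the DER encoding of the certificate uploaded to the app registration.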