Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
1.4k views
in Technique[技术] by (71.8m points)

azure active directory - InvalidAuthenticationToken - CompactToken parsing failed with error code: -2147184105

I am using V1 in order to get a token from the Microsoft REST API. (We have an Office 365 tenant and I used to successfully get all resources without any problem, but not anymore.)

clientId =8a67......de4b6
clientSecret =J58k8....5EU=
redirectUri =http://example.com...
resourceUrl =https://graph.microsoft.com
authority = https://login.microsoftonline.com/f02633....a603/oauth2/token

https://login.microsoftonline.com/f0263...0be3/oauth2/authorize?client_id=8a6..b6&redirect_uri=http://example.com&response_type=code&scope=mail.read

It gave me a token structured as follows on JWT. It says invalid signature but not sure what is wrong.

Once I have the token, I tried the following curl call

curl -i https://graph.microsoft.com/v1.0/me/messages -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Barer eyJ.[TOKEN]...UNa6nfw'

Instead of the messages, I received the following error:

HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8Cl23
Server: Microsoft-IIS/8.5
request-id: af2390b1-a9b...5ab9
client-request-id: af2390,....a615ab9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"SliceA","ScaleUnit":"000","Host":"AGSFE_IN_4","ADSiteName":"WST"}}
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 23:55:43 GMT
Content-Length: 268

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: -2147184105",
    "innerError": {
      "request-id": "af2390b1-...5ab9",
      "date": "2017-01-19T23:55:44"
    }
  }
} 

I looked at similar questions on SO but couldn't find any solution.


1 Reply

0 votes
by (71.8m points)

First, the Barer in the authorization header is a typo. The correct parameter should be like authorization: bearer {access_token}.

Second, it seems that you were mixing the Azure V1.0 endpoint and the V2.0 endpoint. If you are developing with the V1.0 endpoint, whose apps are registered from the Azure portals, then when we acquire the access token we need to specify the resource parameter instead of scope.

The scope parameter is used for the Azure V2.0 endpoint, whose apps are registered from here.

The authorization endpoints for Azure AD look like the ones below:

V1.0:

https://login.microsoftonline.com/{tenant}/oauth2/authorize

V2.0:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?

For more detail about the code grant flow with Azure AD, you can refer to the links below:

Authorize access to web applications using OAuth 2.0 and Azure Active Directory

v2.0 Protocols - OAuth 2.0 Authorization Code Flow
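
A small checker for the two problems the answer identifies, added here as an example and not code from the original post: it flags an authorize URL that pairs the V1.0 endpoint with scope (or V2.0 with resource), rewrites the request to use resource, and flags an Authorization header whose scheme is not Bearer. The function names and the TENANT_ID, CLIENT_ID and token values are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

V1_SUFFIX = "/oauth2/authorize"
V2_SUFFIX = "/oauth2/v2.0/authorize"

# Constructed sample shaped like the request in the question (placeholder IDs).
ASKED_URL = ("https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
             "?client_id=CLIENT_ID&redirect_uri=http://example.com"
             "&response_type=code&scope=mail.read")

def endpoint_version(url):
    """Return 'v1.0', 'v2.0' or None from the authorize endpoint path."""
    path = urlsplit(url).path
    if path.endswith(V2_SUFFIX):
        return "v2.0"
    if path.endswith(V1_SUFFIX):
        return "v1.0"
    return None

def check_authorize_url(url):
    """Flag the V1.0/V2.0 parameter mix-up described in the answer."""
    params = dict(parse_qsl(urlsplit(url).query))
    version = endpoint_version(url)
    if version is None:
        return ["not an Azure AD authorize endpoint"]
    if version == "v1.0" and "scope" in params and "resource" not in params:
        return ["v1.0 endpoint called with scope; it expects resource"]
    if version == "v2.0" and "resource" in params and "scope" not in params:
        return ["v2.0 endpoint called with resource; it expects scope"]
    return []

def to_v1_request(url, resource):
    """Drop scope and add resource, keeping the other query parameters."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query) if k != "scope"]
    params.append(("resource", resource))
    return urlunsplit(parts._replace(query=urlencode(params)))

def check_authorization_header(value):
    """Flag a misspelled scheme or a missing token in the header value."""
    scheme, _, token = value.partition(" ")
    findings = []
    if scheme.lower() != "bearer":  # scheme names compare case-insensitively
        findings.append(f"scheme {scheme!r} is not Bearer")
    if not token.strip():
        findings.append("no token after the scheme")
    return findings

if __name__ == "__main__":
    print(check_authorize_url(ASKED_URL))
    print(to_v1_request(ASKED_URL, "https://graph.microsoft.com"))
    print(check_authorization_header("Barer eyJ.TOKEN"))
```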

