I'm trying to download a file from SharePoint Online using an "app only" token. I can obtain file info using this url

https://graph.microsoft.com:443/v1.0/sites/{siteId}/drives/{driveId}/list/items/{itemId}/driveItem

But when I try to download the file with this url

https://graph.microsoft.com:443/v1.0/sites/{siteId}/drives/{driveId}/list/items/{itemId}/driveItem/content

I get the following error

403 FORBIDDEN

Content-Length →13
Content-Type →text/plain; charset=utf-8
Date →Fri, 13 Apr 2018 08:47:12 GMT
MicrosoftSharePointTeamServices →16.0.0.7604
P3P →CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
SPIisLatency →2
SPRequestDuration →53
X-Content-Type-Options →nosniff
X-MS-InvokeApp →1; RequireReadOnly
X-MSDAVEXT_Error →917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.
X-MSEdge-Ref →Ref A: B9E0C567B0CC4E60AEE93EEB8DC06AF1 Ref B: VIEEDGE0813 Ref C: 2018-04-13T08:47:12Z
X-Powered-By →ASP.NET
X-SharePointHealthScore →0

what is wrong?

it seems that internally it generates a download link (.../_layouts/15/download.aspx?UniqueId=...) that works with username / pwd token, but does not work with "app only" token

I have another office 365 subscription that works with "app only" token. The other subscription have a custom domain, but I can not see other configuration differences (both have LegacyAuthProtocolsEnabled property set to true, same sharing options...)

EDIT: It seems that the example I was testing on friday now works!!

This bug appeared wednesday last week, and is spreading to more and more of our tenants. It appears that temporary tokens generated by the Graph API/Sharepoint API are invalid. This affects:

• Chunked file upload, as you receice an url to upload to with a temporary token
• @microsoft.graph.downloadUrl as it contains a temporary token
• Content download, as it uses the excact same url as @microsoft.graph.downloadUrl

Please fix this ASAP, as my application is cripled and the customers are angry

I created a post here too, but no response: Temporary tokens issued by graph api is invalid since wednesday

Also this bug appeared wednesday: Unable to set fileSystemInfo.lastModifiedDateTime on files on Sharepoint Online for some users since wednesday

Did you find anything on this Mark LeFleur?

You should use the @microsoft.graph.downloadUrl property obtained from the /v1.0/me/drive/list/items/x/driveItem response to get an app-only url to the file. A GET request wil allow you to download the file.

See https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/driveitem#instance-attributes

I have executed the same example that initially failed and now works, at least in the two tenants that I have.

I have not changed any configuration or source code, so it seems that it was a temporary problem that has been fixed.