My goal is to write some code to enable an Office 365 user to access files in OneDrive for Business via REST API. I have registered an application in Azure AD (Web App/multi tenant) and added permissions to access SharePoint online. I want to use the "delegated user identity with OAuth" scenario where my app accesses OneDrive for Business via REST APIs using user impersonation.
The permissions in the app's manifest look like this:

    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access AppName on behalf of the signed-in user.",
            "adminConsentDisplayName": "AppName",
            "id": "xxx",
            "isEnabled": true,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access AppName on your behalf.",
            "userConsentDisplayName": "AppName",
            "value": "user_impersonation"
        }
    ]
The app requests the (OneDrive for Business) user to log into Office 365 to get an authorization code (sent to the registered redirect URL) and uses it to retrieve an access token (via a POST to my app's token endpoint). The "aud" field in the returned JWT is set to my client ID. Should it be something like "00000003-0000-0ff1-ce00-000000000000" instead for SharePoint Online?
When I try to issue a GET at https://{tenant}-my.sharepoint.com/_api/v1.0/me/ using the access token as a bearer in the header of the request, I get an error 401: "error: invalid client", "error: invalid audience URI:https://{tenant}-my.sharepoint.com/". This points to a configuration error somewhere but I cannot figure out what needs to change.