I'm getting `Your access token has expired. Please renew it before submitting the request.` when I call the `https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5` endpoint.

To prevent any stupid questions - Yes, I know that using Microsoft Graph is recommended instead of Azure AD Graph. I'm aware of it and I'm using it. But for my current case I need to request exactly Azure AD Graph.
Test case:
- I successfully log in on `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=....` and get `code` in the response.
- I successfully exchange `code` and get `access_token` on `https://login.microsoftonline.com/common/oauth2/v2.0/token`.
- I successfully make requests to any Microsoft Graph endpoint (i.e. `https://graph.microsoft.com/education/me/classes`).
- I call `https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5`.
- I get the error `Authentication_ExpiredToken`: `Your access token has expired. Please renew it before submitting the request.`
- I successfully make requests to any Microsoft Graph endpoint, so the `access_token` is valid.

Based on this article: https://docs.microsoft.com/azure/active-directory/develop/active-directory-appmodel-v2-overview, I can use this access token to access both Microsoft Graph API as well as Azure AD Graph API.
So, I'm using v2.0 which should work for those: https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code.
What am I doing wrong?
Thank you!
A token used to call the Microsoft Graph cannot be used to call the Azure AD Graph API.
When you look at the access token from Azure AD, there is a parameter called `aud` which stands for "audience". This property tells the API receiving the token the valid audience for that token. If I own an API, "WebAPI1", and I get a token where the audience is something else, like "WebAPI2", I should reject that token, and not give the client access to my APIs. The reasons for this behavior should be obvious, but it causes major security issues if this check does not occur.

The `aud` value for the Microsoft Graph is `https://graph.microsoft.com/` while the `aud` for Azure AD Graph API is `https://graph.windows.net/`. When requesting an access token, you need to specify which specific resource you want a token for using the `scopes` parameter. This and more information can be found here. The solution here is to get a different access token for the different API, and your issues should be resolved.
Let me know if this helps!
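As an added illustration of the answer above (example code, not from the question, the answer, or Microsoft), this decodes the payload of an access token to inspect its `aud` claim and performs the audience check a resource server should make. The sample token is constructed here with an empty signature, and the `.default` scope form used by `scope_for` is the v2.0 convention assumed by this example, not something stated on the page.

```python
import base64
import json

# Resource identifiers quoted in the answer above.
MS_GRAPH_AUD = "https://graph.microsoft.com/"
AAD_GRAPH_AUD = "https://graph.windows.net/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    This does NOT verify the signature; it only lets you see which audience
    the token was issued for. A real API must validate the signature too."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, expected_aud: str) -> bool:
    """The check the answer describes: accept only tokens minted for *this* API.
    'aud' may be a string or a list; trailing slashes are ignored when comparing."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(isinstance(a, str) and a.rstrip("/") == expected_aud.rstrip("/") for a in auds)


def scope_for(resource: str) -> str:
    """Scope value to request a token for one resource (assumed v2.0 '.default' form)."""
    return resource.rstrip("/") + "/.default"


def _make_unsigned_jwt(claims: dict) -> str:
    """Construct a demo token: header and payload only, signature segment left empty."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: a token like the one the question obtained for Microsoft Graph.
SAMPLE_MS_GRAPH_TOKEN = _make_unsigned_jwt({"aud": MS_GRAPH_AUD, "scp": "User.Read"})

if __name__ == "__main__":
    print("aud claim:", jwt_claims(SAMPLE_MS_GRAPH_TOKEN)["aud"])
    print("accepted by Microsoft Graph:", audience_matches(SAMPLE_MS_GRAPH_TOKEN, MS_GRAPH_AUD))
    print("accepted by Azure AD Graph:", audience_matches(SAMPLE_MS_GRAPH_TOKEN, AAD_GRAPH_AUD))
    print("scope to request for Azure AD Graph:", scope_for(AAD_GRAPH_AUD))
```

Running it shows the same token is valid for one audience and correctly rejected by the other, which is why the second API answers with an authentication error even though the token is not actually expired.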