I am using V1 in order to get a token from the Microsoft REST API. (We have an Office 365 tenant and I used to successfully get all resources without any problem, but not anymore.)
clientId =8a67......de4b6
clientSecret =J58k8....5EU=
redirectUri =http://example.com...
resourceUrl =https://graph.microsoft.com
authority = https://login.microsoftonline.com/f02633....a603/oauth2/token
https://login.microsoftonline.com/f0263...0be3/oauth2/authorize?client_id=8a6..b6&redirect_uri=http://example.com&response_type=code&scope=mail.read
It gave me a token, structured as follows on JWT. It says invalid signature, but I am not sure what is wrong.
Once I have the token, I tried the following curl call
curl -i https://graph.microsoft.com/v1.0/me/messages -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Barer eyJ.[TOKEN]...UNa6nfw'
Instead of the messages, I received the following error:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8Cl23
Server: Microsoft-IIS/8.5
request-id: af2390b1-a9b...5ab9
client-request-id: af2390,....a615ab9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"SliceA","ScaleUnit":"000","Host":"AGSFE_IN_4","ADSiteName":"WST"}}
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 23:55:43 GMT
Content-Length: 268
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: -2147184105",
    "innerError": {
      "request-id": "af2390b1-...5ab9",
      "date": "2017-01-19T23:55:44"
    }
  }
}
I looked at similar questions on SO but couldn't find any solution.
First, the Barer of the authorization header is a typo. The correct parameter should be like authorization: bearer {access_token}.
Second, it seems that you were mixing the Azure V1.0 endpoint and the V2.0 endpoint. If you were developing with the V1.0 endpoint, whose apps are registered from the Azure portals, then when we acquire the access token we need to specify the resource parameter instead of scope.
The scope parameter is used for the Azure V2.0 endpoint, whose apps are registered from here.
And the authorization endpoints for Azure AD look like below:
V1.0:
https://login.microsoftonline.com/{tenant}/oauth2/authorize
V2.0:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
For more detail about the code grant flow with Azure AD, you can refer to the links below:
Authorize access to web applications using OAuth 2.0 and Azure Active Directory
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
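The two points in the answer above can be checked mechanically before a request is sent. The following is an added example, not part of the original answer or of any Microsoft library: the function names are hypothetical, `TENANT` and `CLIENT_ID` are placeholders, and the rules encode only what the answer states (resource on the V1.0 endpoint, scope on the V2.0 endpoint, a bearer scheme in the header).

```python
from urllib.parse import urlsplit, parse_qs, urlencode

LOGIN = "https://login.microsoftonline.com"

def build_authorize_url(tenant, client_id, redirect_uri, target, v2=False):
    """Build an authorize URL: V1.0 carries `resource`, V2.0 carries `scope`."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code"}
    if v2:
        path = f"/{tenant}/oauth2/v2.0/authorize"
        params["scope"] = target        # e.g. "mail.read"
    else:
        path = f"/{tenant}/oauth2/authorize"
        params["resource"] = target     # e.g. "https://graph.microsoft.com"
    return f"{LOGIN}{path}?{urlencode(params)}"

def check_authorize_url(url):
    """Return a list of mismatches between endpoint version and parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    is_v2 = parts.path.endswith("/oauth2/v2.0/authorize")
    is_v1 = parts.path.endswith("/oauth2/authorize")
    problems = []
    if not (is_v1 or is_v2):
        return ["not an Azure AD authorize endpoint"]
    if is_v1 and "resource" not in query:
        problems.append("V1.0 endpoint without a resource parameter")
    if is_v1 and "scope" in query:
        problems.append("scope parameter sent to the V1.0 endpoint")
    if is_v2 and "scope" not in query:
        problems.append("V2.0 endpoint without a scope parameter")
    if is_v2 and "resource" in query:
        problems.append("resource parameter sent to the V2.0 endpoint")
    return problems

def check_authorization_header(value):
    """True when the header value is '<bearer scheme> <non-empty token>'."""
    scheme, _, token = value.partition(" ")
    return scheme.lower() == "bearer" and bool(token.strip())

# Constructed sample: the shape of the request in the question (V1.0 + scope).
ASKER_URL = (f"{LOGIN}/TENANT/oauth2/authorize?client_id=CLIENT_ID"
             "&redirect_uri=http://example.com&response_type=code&scope=mail.read")

if __name__ == "__main__":
    print(check_authorize_url(ASKER_URL))
    print(build_authorize_url("TENANT", "CLIENT_ID", "http://example.com",
                              "https://graph.microsoft.com"))
    print(check_authorization_header("Barer TOKEN"))
```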