I'm trying to do a basic call into Microsoft Graph.
https://graph.microsoft.com/v1.0/me/
I've done this through the C# SDK and directly using REST, and on both calls I'm getting the following error
Message = "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present."
Full error message returned in error response content stream
{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'f9d58168-4b3e-4948-9133-6c978d1ab18a' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "80af6aec-5052-49ab-890c-273fea5c65ba",
            "date": "2017-07-31T06:08:37"
        }
    }
}
The GUID can be different.
When I do this through the Graph Explorer it works OK.
This is the code I'm using to get the credentials for the App
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

private ClientCredential GetCredentials()
{
    return new ClientCredential(_azureAdOptions.ClientId, _azureAdOptions.ClientSecret);
}

private AuthenticationContext GetContext(string userObjectId)
{
    return new AuthenticationContext($"{_azureAdOptions.AadInstance}{_azureAdOptions.Tenant}", GetTokenCache(userObjectId));
}

private DistributedTokenCache GetTokenCache(string userObjectId)
{
    return new DistributedTokenCache(userObjectId, _azureAdOptions.ClientId, _distributedCache, _loggerFactory);
}

public async Task<AuthenticationResult> GetToken(string userObjectId, string resourceId)
{
    AuthenticationResult result;
    var authContext = GetContext(userObjectId);
    var credential = GetCredentials();
    try
    {
        // Delegated token for the signed-in user, served from the cache (or its refresh token).
        result = await authContext.AcquireTokenSilentAsync(resourceId, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
    }
    catch (AdalSilentTokenAcquisitionException)
    {
        // Fallback: this overload is the client-credentials flow, so the token it returns
        // is app-only. Its oid is the application's service principal, not the user.
        result = await authContext.AcquireTokenAsync(resourceId, credential);
    }
    return result;
}
I've debugged through the code and it's authenticating and acquiring a token OK.
I have copied and pasted the Request URL from my App into the Graph Explorer and it works.
I have set up permissions through Azure and they are the same as the ones set up for Graph Explorer.
This is the configuration I'm using in Startup to set up OpenId
var openIdConnectOptions = new OpenIdConnectOptions
{
    ClientId = azureAdOptions.ClientId,
    Scope =
    {
        "openid",
        "email",
        "profile",
        "offline_access",
        "User.Read",
        "user_impersonation"
    },
    Authority = $"{azureAdOptions.AadInstance}{azureAdOptions.Tenant}",
    SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
    AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme,
    PostLogoutRedirectUri = azureAdOptions.PostLogoutRedirectUri,
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    UseTokenLifetime = true,
    GetClaimsFromUserInfoEndpoint = false,
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
        OnRemoteFailure = OnAuthenticationFailed,
        OnAuthorizationCodeReceived = OnAuthorizationCodeReceived,
        OnUserInformationReceived = OnUserInformationReceived
    }
};
I'm using the code in a different application that calls Microsoft Graph and have not had any problems with that.
UPDATE
I was able to get the User ID from the claims principal (http://schemas.microsoft.com/identity/claims/objectidentifier) and I used this ID to call "https://graph.microsoft.com/v1.0/users('')" with the same error. The GUID in the error message is the GUID of the user from the claims principal.
So why is the user ID in the claims principal not being set correctly?
FURTHER UPDATE
It looks like the object identifier set in the Claims Principal is different from the one in Azure Active Directory.
Hard coding the object identifier into the users endpoint works.
FURTHER FURTHER UPDATE
This seems to be something to do with the access token that is being returned. After decrypting the token I can see the Object ID is that of the registered application and this is what is being used when calling "Me" in the Office Graph. Shouldn't the OID of the token being returned be that of the user? The app has User.Read in Active Directory.
ERROR BEING RETURNED BY AcquireTokenSilentAsync
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException:
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenSilentHandler.SendTokenRequestAsync (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenSilentHandler.cs: 61)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase+<RunAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\Flows\AcquireTokenHandlerBase.cs: 198)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentCommonAsync>d__55.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 618)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext+<AcquireTokenSilentAsync>d__41.MoveNext (Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.14.1.10, Culture=neutral, PublicKeyToken=31bf3856ad364e35: c:\workspace\azure-activedirectory-library-for-dotnet-v3-master-VS2017\src\ADAL.PCL\AuthenticationContext.cs: 415)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at InSite.Security.AuthenticationService+<GetToken>d__5.MoveNext (InSite.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\Users\TobyStatham\Documents\Visual Studio 2017\Projects\InSite\InSite.Security\AuthenticationService.cs: 47)
In Graph, the /me/ endpoint is an alias for the currently signed in user (based on the token). To check this, you could decode the JWT and see if there is any user information associated with the token. An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/user id).
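An added example of the check the answer suggests (not code from the question or the answer): decode the payload of an access token the app already holds and see whether a signed-in user is present. The two tokens are constructed, unsigned samples with placeholder GUIDs; the claim names used (scp, roles, upn, oid, appid) are the ones Azure AD emits, and a delegated token carries scp plus a user identity claim while a client-credentials token carries neither.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims):
    # Constructed, unsigned JWT (alg "none") for offline demonstration only.
    header = {"typ": "JWT", "alg": "none"}
    return _b64url(header) + "." + _b64url(claims) + "."

# Constructed sample claim sets; GUIDs and UPN are placeholders, not real values.
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "appid": APP_CLIENT_ID,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # the user's object id
    "upn": "user@example.com", "scp": "User.Read openid profile",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "appid": APP_CLIENT_ID,
    "oid": "99999999-8888-7777-6666-555555555555",  # the service principal's object id
    "roles": ["User.Read.All"],
})

def decode_payload(token):
    """Return the claims of a compact JWT. No signature check: this inspects a
    token the app already holds; it does not establish trust in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def classify(token):
    """'delegated' when a signed-in user is present (scp plus a user identity
    claim), otherwise 'app-only' (client-credentials token: roles, no scp)."""
    claims = decode_payload(token)
    has_user = any(k in claims for k in ("upn", "unique_name", "preferred_username"))
    return "delegated" if "scp" in claims and has_user else "app-only"

def inspect(token):
    """Summarise what Graph can resolve for this token: /me only works for a
    delegated token; with an app-only token the oid is the app, not a user."""
    claims = decode_payload(token)
    kind = classify(token)
    return {"kind": kind, "oid": claims.get("oid"), "appid": claims.get("appid"),
            "me_usable": kind == "delegated"}
```

With the page's symptom, inspect() on the token the fallback branch returns reports kind "app-only" and an oid that matches the application rather than the user.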