Issue
I am trying to do some MS Graph work using Perl/curl but ran into some problems. Brought the problem back to the most basic example I can come up with: two curl commands from a bash script.
I have an APP_ID, APP_Secret and Tenant_ID. Those work just fine in a NodeJS script using Axios (which I do not want to use).
Getting the token:
curl -X POST -d 'grant_type=client_credentials&client_id=[APP_ID]&client_secret=[APP_SECRET]' https://login.microsoftonline.com/[TENANT_ID]/oauth2/token
This command results in a JSON (?) reply containing an access_token, which I copy/paste into the following command:
curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" https://graph.microsoft.com/v1.0/groups
Which results in:
{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2023-01-20T11:12:55","request-id":"[request_id]","client-request-id":"[client_request_id]"}}}
This puzzles me. I've just gotten the access_token. Guess I'm doing something wrong, just don't know what.
Solution
Finally got the solution. Turned out I had forgotten 2 things in the token request header:
- the scope: https://graph.microsoft.com/.default
- the resource: https://graph.microsoft.com
Forgetting the scope was an "ow shit" experience. Should have known that. The resource had me going for a while. Found that here
Have put it together in the following bash script (learned about jq on the way):
#! /usr/bin/bash
# Request a client-credentials token for Microsoft Graph and keep only the access_token field
token=$(curl \
-d grant_type=client_credentials \
-d client_id=[client_id] \
-d client_secret=[client_secret] \
-d scope=https://graph.microsoft.com/.default \
-d resource=https://graph.microsoft.com \
https://login.microsoftonline.com/[tenant_id]/oauth2/token \
| jq -j .access_token)
# Call Graph with the bearer token and pretty-print the JSON response
curl -X GET \
-H "Authorization: Bearer $token" \
-H "Content-Type: application/json" \
https://graph.microsoft.com/v1.0/groups \
| jq .
Answered By - Peter
Answer Checked By - Katrina (WPSolving Volunteer)
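The "Invalid audience" error in the question means the token's aud claim was not Microsoft Graph, which is exactly what the missing resource/scope parameters cause. A quick local check is to decode the token's payload (a JWT is three base64url segments) and read aud before sending it to Graph. The script below is an added example, not part of Peter's answer: it defines jwt_aud and check_graph_audience and runs them on two tokens constructed inline with placeholder signatures (no real credentials, nothing verified, nothing sent over the network). The accepted audiences are the Graph resource URI used in the answer and Graph's well-known application id.

```shell
#!/usr/bin/env bash
# Added example: inspect the aud claim of an access token locally.
# The token is NOT signature-verified here; this is only a diagnostic
# for the "Access token validation failure. Invalid audience." error.

# base64url -> bytes: swap the URL-safe alphabet back and restore padding
b64url_decode() {
    local s
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the aud claim of a JWT; prints nothing if it is not decodable
jwt_aud() {
    local payload
    payload=$(printf '%s' "$1" | cut -d. -f2)
    [ -n "$payload" ] || return 1
    b64url_decode "$payload" \
        | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 when the token is meant for Microsoft Graph, 1 otherwise.
# 00000003-0000-0000-c000-000000000000 is the well-known Graph application id.
check_graph_audience() {
    local aud
    aud=$(jwt_aud "$1")
    case "$aud" in
        https://graph.microsoft.com|https://graph.microsoft.com/|00000003-0000-0000-c000-000000000000) return 0 ;;
        *) return 1 ;;
    esac
}

# --- constructed sample tokens (not issued by Azure AD) ---------------------
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
make_unsigned_jwt() {   # signature segment is a placeholder, never valid
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
        "$(b64url_encode "$1")" "sig-placeholder"
}
GOOD_TOKEN=$(make_unsigned_jwt '{"aud":"https://graph.microsoft.com","iss":"https://sts.windows.net/[tenant_id]/","appid":"[client_id]"}')
BAD_TOKEN=$(make_unsigned_jwt '{"aud":"https://not-graph.example.invalid","iss":"https://sts.windows.net/[tenant_id]/"}')

printf 'constructed good token aud: %s\n' "$(jwt_aud "$GOOD_TOKEN")"
printf 'constructed bad token aud:  %s\n' "$(jwt_aud "$BAD_TOKEN")"
```

With a real token in $token (as in the answer's script), `check_graph_audience "$token" || echo "token is not for Graph; check scope/resource"` tells you before the Graph call whether the request body was right. Keep in mind this only reads the claim; it does not validate the signature, expiry or issuer, so it is a debugging aid for the client side, not an authorization check.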