SharePoint OAuth 2.0 retrieved token missing roles and scope

Larry Bellou 0 Reputation points
2025-01-10T14:19:51.79+00:00

Using the code below I successfully retrieve an access token. Taking that token to jwt.ms, it does not have scp or roles though. So when I try to use it in Postman with GET https://graph.microsoft.com/v1.0/sites/myCompany.sharepoint.com:/sites/SubscriberAcquisitionResourceCenter it fails. In C# it fails with 401 Unauthorized.

I have added the following permissions:

[screenshot: API permissions added to the app registration]

```
"error":{"code":"AccessDenied","message":"Either scp or roles claim need to be present in the token."
```

```csharp
using System;
using Microsoft.Identity.Client;

string siteUrl = "https://myCompany.sharepoint.com/sites/SubscriberAcquisitionResourceCenter";
string clientId = "********-****-****-****-********fe11";
string tenantId = "********-****-****-****-********5a8f";
string clientSecret = "***************"; // Updated client secret

var authority = $"https://login.microsoftonline.com/{tenantId}/";

// Confidential client authenticating with its own secret (client credentials flow)
var app = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret)
    .WithAuthority(new Uri(authority))
    .Build();

// ".default" asks for every Graph permission already consented for this app
var authResult = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
    .ExecuteAsync();
string accessToken = authResult.AccessToken;
```


1 answer

Vasil Michev 111.6K Reputation points MVP
2025-01-10T16:28:10.7566667+00:00

You are authenticating via client secret, i.e. using the client credentials flow. That flow only works with Application permissions, whereas based on the screenshot above, you have granted Delegate permissions on your app. Either grant the corresponding Application permissions instead, or obtain a token via any of the user-centric flows, such as the Auth code one: https://zcusa.951200.xyz/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
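As an added example (not code from the question or the answer), the following C# pre-flight check decodes an access token's payload and reports which authorization claim it carries, so the AccessDenied above can be explained before any Graph call is made. The class, method names and the three sample tokens are this example's own; the tokens are constructed locally and unsigned, and no signature validation is attempted.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class GraphTokenCheck
{
    // base64url -> bytes: JWT segments drop padding and use '-' and '_' in place of '+' and '/'.
    static byte[] FromBase64Url(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // bytes -> base64url, used only to build the constructed sample tokens below.
    static string ToBase64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Reads the authorization claims from the payload segment of a compact JWT.
    // "roles" holds Application permissions (app-only token); "scp" holds Delegated ones.
    public static (List<string> Roles, List<string> Scopes) ReadPermissionClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new ArgumentException("Expected a compact JWT with three dot-separated segments.");

        using JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        JsonElement payload = doc.RootElement;

        var roles = new List<string>();
        if (payload.TryGetProperty("roles", out JsonElement rolesClaim) && rolesClaim.ValueKind == JsonValueKind.Array)
            foreach (JsonElement role in rolesClaim.EnumerateArray())
                roles.Add(role.GetString() ?? "");

        var scopes = new List<string>();
        if (payload.TryGetProperty("scp", out JsonElement scpClaim) && scpClaim.ValueKind == JsonValueKind.String)
            scopes.AddRange((scpClaim.GetString() ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries));

        return (roles, scopes);
    }

    // Explains, before a Graph request is sent, whether the token can be authorized at all.
    public static string Diagnose(string jwt)
    {
        var (roles, scopes) = ReadPermissionClaims(jwt);
        if (roles.Count > 0)
            return "App-only token; Graph will evaluate roles: " + string.Join(", ", roles);
        if (scopes.Count > 0)
            return "Delegated token; Graph will evaluate scp: " + string.Join(" ", scopes);
        return "Token carries neither roles nor scp. With the client credentials flow this means "
             + "no Application permissions are consented for the app (Delegated permissions never "
             + "appear in an app-only token); expect 401 / AccessDenied from Graph.";
    }

    // Builds an unsigned token for local demonstration only (alg "none", empty signature).
    static string ConstructedJwt(string payloadJson)
    {
        string header = ToBase64Url(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}"));
        string payload = ToBase64Url(Encoding.UTF8.GetBytes(payloadJson));
        return header + "." + payload + ".";
    }

    public static void Main()
    {
        // Constructed payloads mimicking what jwt.ms shows; none of the values are real.
        string noPermissions = ConstructedJwt("{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"00000000-0000-0000-0000-000000000000\"}");
        string appOnly = ConstructedJwt("{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Sites.Read.All\"]}");
        string delegated = ConstructedJwt("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"Sites.Read.All User.Read\"}");

        foreach (string token in new[] { noPermissions, appOnly, delegated })
            Console.WriteLine(Diagnose(token));
    }
}
```

Running Diagnose on the token returned by AcquireTokenForClient in the question would take the third branch: an app-only token only ever carries roles, and none were granted. Once the matching Application permissions are consented, the first branch lists them; a token from the auth code flow with the existing Delegated permissions takes the second.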

