
I am trying to obtain an access token for use with the SharePoint REST API for my organization's base site. I am able to obtain a token and use that token to make subsequent requests successfully.

Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid.

Per the URI encoding standards, I replaced the "/" in the site URL with "%2f" and I am able to get a token.

However, the requests to the API using that token fail:

{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}

In the response header:

3000003;reason="Invalid audience Uri '00000003-0000-0ff1-ce00-000000000000/{{tenant removed}}%2fsites%2f{{removed}}@{{realm removed}}'.";category="invalid_client"

Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?

  • Resource should be the SharePoint site that you are trying to access with the API. Commented Sep 9, 2020 at 7:25
  • I'm aware of this and this is the issue that I am trying to get help for. The site that I'm trying to access returns the error shown above. Commented Sep 9, 2020 at 12:54
  • Why does your site start with 00000003-0000-0ff1-ce00-000000000000 and not as tenant.sharepoint.com/xxxxx? Commented Sep 9, 2020 at 13:22
  • That is the SharePoint Online principal ID. It is always 00000003-0000-0ff1-ce00-000000000000 and must be prepended to the resource value: anexinet.com/blog/getting-an-access-token-for-sharepoint-online Commented Sep 9, 2020 at 13:29

1 Answer

I can see many developers making the same assumption when they create requests, since almost all documentation doesn't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid URI format; there is no validation done on the URI itself. But even if you get a token, it will not work for any requests.

When fetching the access token for subsites (i.e. {{tenant}}/sites/testsite), the resource part of the request body does not need to be modified.

So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:

00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com@{{realm}} (without /sites/testsite)

However, when you make HTTP requests to the API with the token, you should use the full site name. Example:

https://test.sharepoint.com/sites/testsite/_api/web/
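To make the answer concrete, here is an added example (my code, not the answerer's or Microsoft's) that builds the resource string from any site URL the way the answer describes, and adds the pre-flight check the question was missing: decoding the token's `aud` claim and comparing it with the host-scoped resource before spending a request on it. The principal ID and the `{principal}/{host}@{realm}` resource format come from the thread. The ACS token endpoint URL, the `client_id@realm` form of the client ID, and the realm value, client IDs and sample tokens used here are assumptions or constructed values for illustration; `acs_resource`, `jwt_claims`, `audience_matches` and the other function names are mine.

```python
"""Request an app-only token for SharePoint Online (ACS flow) and check its
audience before calling the REST API on a sub-site. Added example; not from
the original post."""
import base64
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# SharePoint Online principal ID, always prepended to the resource (from the thread).
SPO_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
# Assumption: the legacy ACS token endpoint used by the SharePoint add-in app-only flow.
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"


def acs_resource(site_url: str, realm: str) -> str:
    """Resource value valid for every site in the tenant.

    Only the host goes in. SharePoint validates the token audience against the
    host, so including '/sites/testsite' (raw or %2f-encoded) produces the
    AudienceUriValidationFailedException seen in the question.
    """
    host = urlsplit(site_url).netloc.lower()
    if not host:
        raise ValueError(f"need an absolute site URL, got {site_url!r}")
    return f"{SPO_PRINCIPAL}/{host}@{realm}"


def token_request_body(client_id: str, client_secret: str, site_url: str, realm: str) -> dict:
    """Form body of the client_credentials request (client_id@realm is the ACS convention; assumption)."""
    return {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "resource": acs_resource(site_url, realm),
    }


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature.

    Inspection only: SharePoint does the real validation when the token is
    presented. Never trust these claims for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, site_url: str, realm: str) -> bool:
    """Pre-flight check: does the token's 'aud' equal the host-scoped resource SharePoint expects?"""
    return jwt_claims(token).get("aud") == acs_resource(site_url, realm)


def get_app_only_token(client_id: str, client_secret: str, site_url: str, realm: str) -> str:
    """Live call to ACS; returns the bearer token string."""
    body = urlencode(token_request_body(client_id, client_secret, site_url, realm)).encode()
    req = Request(ACS_TOKEN_URL.format(realm=realm), data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["access_token"]


def rest_get(site_url: str, token: str, path: str = "_api/web/") -> dict:
    """Live REST call: the FULL site URL (with /sites/...) plus the host-scoped token."""
    req = Request(f"{site_url.rstrip('/')}/{path}",
                  headers={"Authorization": f"Bearer {token}",
                           "Accept": "application/json;odata=verbose"})
    with urlopen(req) as resp:
        return json.load(resp)


def constructed_token(aud: str) -> str:
    """Unsigned JWT carrying a given 'aud'. Constructed here only to exercise the checks offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64({'aud': aud})}."


if __name__ == "__main__":
    # Constructed values; realm and hostnames are placeholders, not real tenants.
    site = "https://test.sharepoint.com/sites/testsite"
    realm = "11111111-2222-3333-4444-555555555555"
    good = constructed_token(acs_resource(site, realm))
    bad = constructed_token(f"{SPO_PRINCIPAL}/test.sharepoint.com%2fsites%2ftestsite@{realm}")
    print("resource to request:", acs_resource(site, realm))
    print("host-only aud accepted:", audience_matches(good, site, realm))
    print("%2f-encoded path aud accepted:", audience_matches(bad, site, realm))
```

The offline part of the block reproduces the failure in the question: a token whose `aud` carries the encoded path decodes fine but fails `audience_matches`, while a token requested with the host-only resource passes and can then be used against `https://test.sharepoint.com/sites/testsite/_api/web/` via `rest_get`. Because ACS will happily mint a token for any syntactically valid resource, checking `aud` locally before the first REST call turns a confusing `invalid_client` response into an immediate, explainable mismatch.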
