I am trying to use a daemon app to upload a large file to a user's OneDrive for Business account. I have managed to authenticate and get a bearer token, create folders and upload small files.
For large files, I create an upload session and receive an error when trying to add a file part using that session. I have included my fiddler traces to try diagnose this. I have removed my sensitive information.
I request an upload session
POST https://graph.microsoft.com/v1.0/users/{user id}/drive/items/{folder id}:/Test.csv:/createUploadSession HTTP/1.1
Authorization: Bearer {bearer token}
Content-Type: application/x-www-form-urlencoded
Host: graph.microsoft.com
Content-Length: 0
I receive a response with the following content:
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.uploadSession",
"expirationDateTime":"2016-10-05T11:39:29.5104044Z",
"nextExpectedRanges":["0-"],
"uploadUrl":"https://{my tenant name}.sharepoint.com/personal/name_domain_co_za/_api/v2.0/drive/root:/Backups/Test:/uploadSession?guid='aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'&path='~tmp12_Test.csv'&overwrite=True&rename=False"}
Then I try PUT to that upload url
PUT https://{my tenant name}.sharepoint.com/personal/name_domain_co_za/_api/v2.0/drive/root:/Backups/Test:/uploadSession?guid='aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'&path='~tmp12_Test.csv'&overwrite=True&rename=False HTTP/1.1
Authorization: bearer {bearer token}
Content-Range: bytes 0-327679/16333102
Host: {my tenant name}.sharepoint.com
Content-Length: 327680
Expect: 100-continue
Then the response contains the following relevant lines.
HTTP/1.1 401 Unauthorized
x-ms-diagnostics: 3000006;reason="Token contains invalid signature.";category="invalid_client"
{"error_description":"Invalid issuer or signature."}
I find it very odd because with the current application configuration, I can upload a small file to the same path successfully so, unless I'm misunderstanding something, there shouldn't be anything wrong with permissions.
Update:
The actual issue was that the request was attempting to use an app-only token to authenticate with OneDrive for Business through the Graph. Unfortunately this scenario is not currently supported, and while some scenarios may work there are a number that do not (such as this one). While we cannot comment on timelines it's definitely on our radar!
Original:
There are a couple of things that factor in to uploading fragments to a OneDrive for Business account via Graph.
The authentication tokens are NOT compatible. Said another way, the bearer token you use to call createUploadSession on graph CANNOT be used for the PUT requests that directly hit the OneDrive for Business endpoint. This is primarily because the tokens are bound to specific audiences - a token for https://graph.microsoft.com/ will not work on https://{my tenant name}.sharepoint.com/.
Due to #1, the uploadUrl returned should NOT actually require auth in the first place - we don't want developers to juggle multiple auth tokens for the different endpoints.
It seems like #2 is where things aren't quite right in repro you outlined. Can you confirm that the uploadUrl values you're receiving do NOT contain access_token or prooftoken query parameters? If that's the case, can you get request-id header from the response of the createUploadSession call?