SharePoint API: Invalid Access Token Resource

Question

I am trying to obtain an access token for use with the SharePoint Rest API. For my organizations base site. I am able to obtain a token and use that token to make subsequent requests successfully.

Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid (see image below):

Per the URI encoding standards, I replaced the "/" in the site url with "%2f" and I am able to get a token (see image below):

Next however, the requests using that token to the API fail:

{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}

In the response header:

3000003;reason="Invalid audience Uri '00000003-0000-0ff1-ce00-000000000000/{{tenant removed}}%2fsites%2f{{removed}}@{{realm removed}}'.";category="invalid_client"

Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?

Answer 1

I can see many developers making the same assumption when they create requests, since almost all documentation don't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid uri format, there is no validation done on the uri itself. Even if you get a token it will not work for any requests.

When fetching the access token for subsites (i.e: {{tenant}}/sites/testsite ). The resource part of the request body does not need to be modified.

So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:

00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com@{{realm}} (without /sites/testsite)

However, when you make HTTP requests to the API with the token, you should use the full site name. Example:

https://test.sharepoint.com/sites/testsite/_api/web/