AADSTS5002710: Invalid JWT token: header is malformed
I am trying to implement the "On-Behalf-Of" flow between my Client (ReactJS), Express + Node.js server (API), and Microsoft Graph.
So far I have requested an accessToken from microsoft (Client), and have made a request to my API.
I have ran into the error "AADSTS5002710: Invalid JWT token: header is malformed." when I try to make an Axios post request from my API to https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
Full Error:
{
error: 'invalid_request',
error_description: 'AADSTS5002710: Invalid JWT token: header is malformed.\r\n' +
'Trace ID: 068a382b-6f83-40f6-b1b1-7134223f4500\r\n' +
'Correlation ID: f46a2c03-84e8-46b3-b9d6-467174befa0b\r\n' +
'Timestamp: 2021-01-06 16:26:40Z',
error_codes: [ 5002710 ],
timestamp: '2021-01-06 16:26:40Z',
trace_id: '068a382b-6f83-40f6-b1b1-7134223f4500',
correlation_id: 'f46a2c03-84e8-46b3-b9d6-467174befa0b'
}
The body of my request is according to the tutorial "https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow".
I am constantly getting the error above as the result from microsoft online servers.
I have made the original (Client) request with my own custom scope api://54ee17f...cfe06/Access.Test
I follow the tutorial to use On-Behalf-Of flow in Postman. But it works well.
My steps here:
- Add API permission of Web API B to Web API A
- Request Web API A to get access token(
assertionof next step) with auth code flow
GET
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?scope={like api://1108f6-xxxxxxx-9f622/test} openid
&redirect_uri={redirect_uri of Web API A}
&nonce=123
&client_id={client-id of Web API A}
&response_type=id_token token
- Request Web API B to get the access token for Microsoft Graph API
POST
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id={client_id of Web API B}
&client_secret={client_secret}
&assertion={access token from previous step}
&scope=https://graph.microsoft.com/user.read offline_access
&requested_token_use=on_behalf_of
- Call Microsoft Graph API, like
GET https://graph.microsoft.com/v1.0/users.
You could decode your access token(assertion) in https://jwt.io/, and check the HEADER.
- How to get a list of users from azure graph API
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Azure Active Directory passing empty GUID for tenantId with default template
- Sign in to Azure Account from VS Code
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Pulling "On-premises last sync date time" Azure user property using PowerShell
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Azure Active Directory skip account selection on logout
- Azure active directory - Get access token using Azure CLI
- Azure B2C / WPF - Handling a failed MFA verification flow