I've tested Azure AD Graph API functions using Postman outside Appian, it's successful.
Created the HTTP connected system object with inputs ClientID, Client Secret and Token Request Endpoint.
- Authentication: OAuth 2.0 client credentials grant.
- Tested using the "Authorize" button: "Authorization Successful".
However, when testing the Integration object using the above HTTP connected system object, I get an "Invalid credentials" error. Any suggestions please? Thanks.
Invalid credentials
Appian was not able to authenticate with the access token you provided. This request requires Bearer authentication. HTTP/1.1 401 Unauthorized
HTTP Request:
GET /v1.0/users HTTP/1.1
Authorization: Bearer ******
Host: graph.microsoft.com
Connection: Keep-Alive
User-Agent: Appian
Accept-Encoding: gzip,deflate
HTTP Response:
HTTP/1.1 401 Unauthorized
Date: Sun, 04 Jul 2021 05:36:22 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Vary: Accept-Encoding
WWW-Authenticate: Bearer realm="", authorization_uri="login.microsoftonline.com/.../authorize", client_id="00000003-0000-0000-c000-000000000000"
Strict-Transport-Security: max-age=31536000
request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9
client-request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"LN2PEPF00003306"}}
{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2021-07-04T05:36:23","request-id":"ef4ec847-5229-4ff6-b9c7-fc8586a7bba9","client-request-id":"ef4ec847-5229-4ff6-b9c7-fc8586a7bba9"}}}
I was able to successfully follow the workaround mentioned on https://community.appian.com/discussions/f/integrations/13751/outlook-integration-error/75078#75078, i.e. Integration 1 and Integration 2.
However, I'm still wondering why we're not able to use the connected system object for this.
Some hints: github.com/.../320
Thanks Steve,
Yes, we know the root cause of the error "Access token validation failure. Invalid audience."
In order to fix this we need to pass the bearer token request parameter resource=https://graph.microsoft.com, which returns the audience in the token as "aud": "https://graph.microsoft.com", whereas without this parameter the JWT identifies the audience as the registered application.
Unfortunately, there is no option to pass this resource parameter with the Appian connected system object. Not sure whether this is the only way to implement it, i.e.:
Step 1: Create an Integration object to get the bearer token (this replaces the connected system object).
Step 2: Create another Integration object to call the MS Graph APIs, using the Step 1 bearer token in the Header section.
I'd like to confirm with Appian whether this is a limitation of the current connected system object functionality, in that it is not compatible with the Azure AD Graph API integration requirement.
Thanks Tim / Steve,
This has been fixed. The connected system object Graph integration works fine with Scope "https://graph.microsoft.com/.default" and "OAuth 2.0 token endpoint (v2)" (in the case of an Azure AD personal account).
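The two posts above (the `resource=https://graph.microsoft.com` explanation and the `.default` scope fix) describe the same root cause from the two sides of Azure AD's token endpoints. The following Python is an added example, not code from the thread or from Appian: it builds the client-credentials request body for the v1 endpoint (which selects the audience with `resource`) and the v2 endpoint (which selects it with `scope=<resource>/.default`), and decodes a token's payload to check the `aud` claim before the Graph call is attempted. The tenant name, client ID and secret are placeholders, and the sample JWTs are constructed here unsigned purely to exercise the check offline; real tokens are RS256-signed and are validated by Graph, not by this client-side sanity check.

```python
"""Added example: why a client-credentials token is rejected by Microsoft Graph
with "InvalidAuthenticationToken ... Invalid audience", and how the v1
`resource` / v2 `scope=.default` parameters fix it.  Not Appian's code."""
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
# Graph tokens carry the audience either as the App ID URI or as Graph's
# well-known application ID (the client_id in the WWW-Authenticate header above).
GRAPH_AUDIENCES = {GRAPH, "00000003-0000-0000-c000-000000000000"}


def build_token_request(tenant, client_id, client_secret, version):
    """Return (token_endpoint, urlencoded_body) for a client-credentials grant.

    v1 endpoint: audience selected with `resource=<App ID URI>`.
    v2 endpoint: audience selected with `scope=<App ID URI>/.default`.
    Leaving the parameter out yields a token whose `aud` is the caller's own
    app registration, which Graph rejects with InvalidAuthenticationToken.
    """
    common = {"grant_type": "client_credentials",
              "client_id": client_id,
              "client_secret": client_secret}
    if version == "v1":
        endpoint = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
        body = dict(common, resource=GRAPH)
    elif version == "v2":
        endpoint = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
        body = dict(common, scope=f"{GRAPH}/.default")
    else:
        raise ValueError("version must be 'v1' or 'v2'")
    return endpoint, urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Good enough to inspect `aud` client-side; never use this to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def graph_audience_ok(token):
    """True if the token's `aud` claim is one Microsoft Graph will accept."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, list):
        return any(a in GRAPH_AUDIENCES for a in aud)
    return aud in GRAPH_AUDIENCES


def make_unsigned_jwt(claims):
    """Construct a test-only token: alg=none header and empty signature."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


APP_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical client ID
TENANT = "contoso.onmicrosoft.com"                # hypothetical tenant
# Constructed sample: token minted with no resource/scope -> aud is the app itself.
BAD_TOKEN = make_unsigned_jwt({"aud": APP_ID, "appid": APP_ID,
                               "iss": f"https://sts.windows.net/{TENANT}/"})
# Constructed sample: token minted with resource=... or scope=.../.default.
GOOD_TOKEN = make_unsigned_jwt({"aud": GRAPH, "appid": APP_ID,
                                "iss": f"https://sts.windows.net/{TENANT}/"})

if __name__ == "__main__":
    for label, tok in (("no resource/scope", BAD_TOKEN), ("scope=.default", GOOD_TOKEN)):
        print(f"{label}: aud={jwt_claims(tok)['aud']!r} graph_ok={graph_audience_ok(tok)}")
    for ver in ("v1", "v2"):
        endpoint, body = build_token_request(TENANT, APP_ID, "<secret>", ver)
        print(f"{ver}: POST {endpoint}\n    {body}")
```

If `graph_audience_ok` is false for a freshly minted token, the request to Graph will fail exactly as in the 401 above, and the fix is in the token request (add `resource` on v1 or `scope=https://graph.microsoft.com/.default` on v2), not in the Graph call.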