MSGraph API - Connected System Authorization Successful but integration object authorization failed.

I've tested Azure AD Graph API functions using Postman outside Appian, and it's successful.

Created the HTTP connected system object with inputs ClientID, Client Secret and Token Request Endpoint.
  • Authentication: OAuth 2.0 client credentials grant.
  • Tested using the "Authorize" button: "Authorization Successful".

However, when testing an Integration Object using the above HTTP connected system object, I get an "Invalid credentials" error. Any suggestions please? Thanks.

Invalid credentials


Appian was not able to authenticate with the access token you provided. This request requires Bearer authentication. HTTP/1.1 401 Unauthorized

Next Steps

  • This integration is using a connected system with OAuth 2.0 Client Credential authentication configured. You may need to authorize access to the external system and retry the request.
  • Make sure that you are using the correct OAuth 2.0 configuration for this external system
  • Make sure that the OAuth 2.0 configuration provides the required scope to make this request
  • Check the request and response for more details
  • Review the external system’s documentation for information on what may have caused the problem

HTTP Request:

GET /v1.0/users HTTP/1.1
Authorization: Bearer ******
Host: graph.microsoft.com
Connection: Keep-Alive
User-Agent: Appian
Accept-Encoding: gzip,deflate

HTTP Response:

HTTP/1.1 401 Unauthorized
Date: Sun, 04 Jul 2021 05:36:22 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Vary: Accept-Encoding
WWW-Authenticate: Bearer realm="", authorization_uri="login.microsoftonline.com/.../authorize", client_id="00000003-0000-0000-c000-000000000000"
Strict-Transport-Security: max-age=31536000
request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9
client-request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"LN2PEPF00003306"}}

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "date": "2021-07-04T05:36:23",
      "request-id": "ef4ec847-5229-4ff6-b9c7-fc8586a7bba9",
      "client-request-id": "ef4ec847-5229-4ff6-b9c7-fc8586a7bba9"
    }
  }
}


  • Thanks Steve, 

    Yes, we know the root cause for the error "Access token validation failure. Invalid audience."

    In order to fix this we need to pass the bearer token request parameter "resource=https://graph.microsoft.com", which returns the audience as "aud": "https://graph.microsoft.com", whereas without this parameter the JWT identifies the audience as the registered application.

    Unfortunately, there is no option to pass this resource parameter with the Appian connected system object. I'm not sure whether this is the only way to implement it, i.e.:
    Step 1: Create an Integration object to get the bearer token (this replaces the connected system object).
    Step 2: Create another Integration object to call the MS Graph APIs that uses the Step 1 bearer token in the Header section.

    I'd like to confirm with Appian whether this is a limitation of the current connected system object functionality, in that it is not compatible with the Azure AD Graph API call requirement.
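A worked version of the audience check and of the two token-request shapes discussed above, added here as an example; it is not code from the post, from Appian or from Microsoft. It assumes placeholder tenant/client values, constructs unsigned sample tokens locally so it runs offline, and uses a hypothetical fetch_token() helper for the live request. GRAPH_APP_ID is the client_id quoted in the WWW-Authenticate header of the 401 response.

```python
"""Diagnose Graph's "Invalid audience" rejection and build a token request
that asks Azure AD for a Graph-audience token.

Added example for this thread, not code from the post or from Appian.
Tenant, client id and secret are placeholders; the sample tokens are
constructed locally (unsigned, same segment layout as a real JWT) so the
script runs offline. fetch_token() is a hypothetical helper for the live POST.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Tuple

GRAPH_RESOURCE = "https://graph.microsoft.com"
# Microsoft Graph's own application id, as seen in the client_id of the
# WWW-Authenticate header in the 401 response above.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.

    Diagnosis only: Graph verifies the signature; we just want to see which
    'aud' the token carries before sending it. Never trust a token on this basis.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, resource: str = GRAPH_RESOURCE) -> bool:
    """True if the token was issued for `resource` (URI form, with or without
    a trailing slash) or for Graph's application id; Graph accepts either."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    accepted = {resource.rstrip("/"), resource.rstrip("/") + "/", GRAPH_APP_ID}
    return any(a in accepted for a in auds)


def token_request_v1(tenant: str, client_id: str, client_secret: str,
                     resource: str = GRAPH_RESOURCE) -> Tuple[str, Dict[str, str]]:
    """Azure AD v1 endpoint: the audience is selected with 'resource', the
    parameter the reply says the connected system cannot send."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}
    return url, body


def token_request_v2(tenant: str, client_id: str, client_secret: str,
                     resource: str = GRAPH_RESOURCE) -> Tuple[str, Dict[str, str]]:
    """Microsoft identity platform v2 endpoint: there is no 'resource'
    parameter; the audience comes from scope=<resource>/.default instead."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": resource + "/.default"}
    return url, body


def fetch_token(url: str, body: Dict[str, str]) -> str:
    """Hypothetical live helper: POST the form body and return access_token."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token with a real JWT's segment layout (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: per the reply, a token minted without 'resource' carries
# the app's own id as audience (what the integration got); the second is what Graph wants.
TOKEN_APP_AUD = make_unsigned_jwt({"aud": "11111111-2222-3333-4444-555555555555",
                                   "iss": "https://sts.windows.net/tenant/"})
TOKEN_GRAPH_AUD = make_unsigned_jwt({"aud": GRAPH_RESOURCE,
                                     "iss": "https://sts.windows.net/tenant/"})

if __name__ == "__main__":
    for label, tok in (("app-id audience", TOKEN_APP_AUD), ("graph audience", TOKEN_GRAPH_AUD)):
        verdict = "accepted" if audience_matches(tok) else "InvalidAuthenticationToken"
        print(f"{label}: aud={jwt_claims(tok)['aud']} -> {verdict}")
    print(token_request_v1("contoso.onmicrosoft.com", "<client-id>", "<secret>")[1])
```

Run it with python3; fetch_token() is defined but never called, so nothing leaves the machine. Decoding the payload with jwt_claims() only tells you what audience the token was minted for; the resource server still does the signature check, so this is a debugging aid, not a validation step.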
