onedrive-api-docs: CompactToken parsing failed with error code: 80049217

Hi guys

Currently, I try to use your graph API. I’m not using your ADD authentication library (I try to implement it by using oAuth 2). Here is my issue:

  1. I request my authorization code and received it well
  2. I request my token with a post on https://login.microsoftonline.com/common/oauth2/v2.0/token. Huuuum. Got an error:
Failed to load https://login.microsoftonline.com/common/oauth2/v2.0/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled 

Fun fact, the request triggers an error but I still received my token.

  3. I send a request to https://graph.microsoft.com/v1.0/me/drive and adding my token to the headers:

headers: {
    'Authorization': 'Bearer <token>'
}

Weeeeeelll. The response sends me a 401 Unauthorized and a message :

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 80049217",
    "innerError": {
      "request-id": "5f98f27a-50ba-4ace-963b-60905bf4207c",
      "date": "2018-01-29T16:59:44"
    }
  }
}

Hum. I check the authorization in the header request :

Authorization:Bearer <token>

Weeeeeell. Actually. I’m lost. Can you help me?

Thanks,

SLedunois

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 26
  • Comments: 73 (2 by maintainers)

Most upvoted comments

Maybe it sounds stupid but double check:

When requesting the token you get a JSON object in response. This object contains properties like expires_in, token_type and access_token.

When adding the Authorization: Bearer <token> to your request, you should replace <token> only with the access_token and not the entire object

I solved my issue by:

  1. following the instructions here: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user#1-register-your-app - this included re-creating my app
  2. adding the “resource” parameter to the token request as suggested by this comment: https://github.com/OneDrive/onedrive-api-docs/issues/785#issuecomment-420274451
  3. clearing cookies

@suparnavg I’m reopening the issue.

Try setting “resource” param when requesting the access token for the API.

You can find it “subtle” in the documentation (only within the example code):

https://developer.microsoft.com/en-us/graph/docs/concepts/rest

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

{
  grant_type=authorization_code
  &code=AwABAAAA...cZZ6IgAA
  &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
  &resource=https%3A%2F%2Fgraph.microsoft.com%2F
  &scope=mail.read
  &client_id=<app ID>
  &client_secret=<app SECRET>
}

-> &resource=https%3A%2F%2Fgraph.microsoft.com%2F

I’m facing the same issue, like this response:


{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "CompactToken parsing failed with error code: 80049217",
        "innerError": {
            "request-id": "8d1bff80-e66a-4827-bf0b-40cf4dfbf8dc",
            "date": "2018-10-18T10:37:59"
        }
    }
}

Can this issue be reopened please? Otherwise I’ll open another one (not the smartest choice, but…).

I am facing this error while using Graph APIs. And the worst part is the APIs work just fine most of the time, but intermittently return this error.

Has anyone really found a solution for random/intermittent error returned by Graph APIs?

@suparnavg Can you please post the exact response? Below I’ll clarify my scenario as much as I can, pardon me for the loooong answer.

My scenario is as follows: I want to authenticate users with Azure AD and read the profile of the authenticated user (only that user).

First of all, I authenticate users using the Azure AD oauth2 endpoint. I’m using the openid strategy, and I’m asking for both the id_token and the authorization code at once, by visiting the following URL:

https://login.microsoftonline.com/MY_TENANT_ID/oauth2/authorize?scope=openid&response_type=code+id_token&client_id=MY_AZURE_APP_ID&nonce=A_RANDOM_HASH&state=ANOTHER_RANDOM_HASH&response_mode=form_post&redirect_uri=MY_APP_REDIRECT_URI

Note: all the UPPERCASE words must be replaced with actual values.

This URL pops up the Microsoft login prompt and, upon success, it redirects to the <MY_APP_REDIRECT_URI> URL with the following parameters in POST:

  • code: authorization code, see below
  • id_token: identity token in JWT format
  • state: the same value I passed in the previous step, <ANOTHER_RANDOM_HASH>
  • session_state: a value of no particular interest

At this point, if the id_token passes JWT validation, the user is authenticated, so if all you need is the id_token, you’re done.

But, I want to access the MS Graph API too, and to do so I need an access token which I can obtain by POSTing the following parameters to the token URL ( https://login.microsoftonline.com/MY_TENANT_ID/oauth2/token )

  • client_id: the value used in MY_AZURE_APP_ID
  • scope: ‘user.read mail.read’, literally, or any other scope you need
  • code: the authorization code I received in the previous step
  • grant_type: ‘authorization_code’, literally
  • client_secret: an app secret created for MY_AZURE_APP_ID in the Azure portal;
  • redirect_uri: the value used above in MY_APP_REDIRECT_URI, or any other redirect URI I configured in the Azure portal;
  • resource: ‘https://graph.microsoft.com/’, literally (this is what I meant in my previous comment)

The reply should be a JSON object containing the keys:

  • “token_type”: “Bearer”
  • “scope”: “User.Read”
  • “expires_in”: “3599”
  • “ext_expires_in”: “0”
  • “expires_on”: “…”
  • “not_before”: “…”
  • “resource”: “https://graph.microsoft.com/”
  • “access_token”: “eyJ0…” this is what should be used in the next request.
  • “refresh_token”: “AQABAAAAAA…”
  • “id_token”: “eyJ0…”

Now I can access the Graph API, to get more information about the logged in user, by taking the returned access_token and making the following HTTP request:

Hi there!

I’ve been working with access tokens for a couple of weeks now. I’m kinda new to this but I’ve found this link that helped me solve the issue with error “message”: “CompactToken parsing failed with error code: 80049217” https://contentanalytics.digital.accenture.com/pages/viewpage.action?pageId=685015085

The problem was in syntax when calling the service… it requires a “space” between “Bearer” and the token you’re using. You can do it like "Bearer " + token or as it’s shown on the link.

Might be late but I hope this helps!

@paolostefan thanks for the detailed answer

I am following the exact same steps as you, and my API calls are working fine (Calendar, Contacts, etc. all good) - except for OneDrive calls. I have included the Files.ReadWrite.All scope while registering the app, so invalid scopes should not be causing the problem.

While making the OneDrive API call, I use my existing refresh token to generate a new access token, then send a GET to this uri: ‘https://graph.microsoft.com/v1.0/me/drive/root/children’ - which returns the error

  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 80049217",
    "innerError": {
      "request-id": "e4470a84-2674-4ee5-8ab4-d9b68786eb27",
      "date": "2018-10-25T04:10:11"
    }
  }

I had this same issue, so, I checked the AccessToken and it looked unusual (for Microsoft)… Like with many dashes and etc…

Hence, I went back and checked all the details only to find a simple error with the endpoint url for auth and token.

The https://graph.microsoft.com/oidc/userinfo endpoint only works with v2.0 of Auth and Token endpoints: https://login.microsoftonline.com/common/oauth2/v2.0/authorize https://login.microsoftonline.com/common/oauth2/v2.0/token

That fixed it for me.

Obviously this error is occurring when the token is malformed. In my case it was malformed, because I was using Postman. In the authentication tab just enter the token, not the string "Bearer " in front of it.

OK I feel really stupid right now. But my issue was the same as @Klervix . I had my token in database and it was getting truncated because JWT is a lot longer than your usual access token that you get from other services like Google or Facebook. I kept on thinking why is everyone talking about JWT when I have a very short token in database.

I experienced this error when keeping the token in a small variable. Make sure to use the complete token (mine finished with ‘…’).

I got this error code when sending the <token> part of the above as bytes rather than a utf-8 decoded string, so maybe check that?

@1terahertz

Does anyone know the difference between these 2 sets of authentication and authorization endpoints?

OneDrive authentication and sign-in: That endpoint is authorizing an application to use a Microsoft account for personal OneDrive. I tried to use it with my OneDrive Business account, it didn’t work. You should follow the authorization process in Authorization and sign-in for OneDrive in Microsoft Graph, it supports both personal and business accounts.

I was able to pass in onedrive.appfolder scope to the auth endpoints in the 2nd auth link, Microsoft Graph (i.e. https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}) and retrieved an access token too but I would get the abovementioned error when I tried to access Graph API. Was this intended?

The onedrive.appfolder or onedrive.readwrite permission scope when getting an access token is necessary.

You also need to activate the Files.ReadWrite.AppFolder permission on the menu API permissions (Delegated permissions) in your portal Azure app.

Note: If a request is made without the permission(s) (user.read or openid permission scope is important), that error will be returned.

Like TruongDuyIT hinted, the request (acquireToken() / get https://graph.microsoft.com/v1.0/me/drive…) must include the scopes (permissions) for the token to be accepted. For example, if I wanted the drive files (as in the request above), I must send the scope (https://graph.microsoft.com/)Files.Read (or related). But if a request is made without the appropriate permission(s), that error will be returned.

Like TruongDuyIT hinted, the request (acquireToken() / get https://graph.microsoft.com/v1.0/me/drive…) must include the scope(s) (permissions) for the token to be accepted. For example, if I wanted the drive files (as in the request above), I must send the scope (https://graph.microsoft.com/)Files.Read (or related). But if a request is made without the permission(s), that error will be returned.

Hi,

I also had the same problem, in my case I tried to authenticate against Microsoft Graph API from PowerShell using oauth2 and in the headers it indicated this:

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body $body

So it indicated to the destination that the URL was encoded (it had to decode it to read it), but this was not true, I was not coding anything and the client secret had special characters that disappeared when they were decoded. I tried to manually code the client secret through this page and it worked!

Another option is to generate secrets until it does not contain special characters
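
The effect described in the comment above, reproduced as an added example (not code from the thread): when a body is labelled application/x-www-form-urlencoded but its values are pasted in raw, characters such as + and & in the client secret are reinterpreted by the receiver. The function names and every value are constructed for illustration; the parameter names are the ones used in this thread.

```javascript
// Added example; all values below are constructed placeholders.

// Percent-encode every name and value so the body really is what the
// Content-Type header claims: application/x-www-form-urlencoded.
function encodeTokenRequest(fields) {
  return new URLSearchParams(fields).toString();
}

// The failing variant: values concatenated into the body unencoded.
function concatenateTokenRequest(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('&');
}

// Decode a body the way a form-urlencoded receiver does and return one field.
function fieldAsReceived(body, name) {
  return new URLSearchParams(body).get(name);
}

// Names of the fields whose value would arrive altered if sent unencoded.
function fieldsCorruptedWithoutEncoding(fields) {
  const raw = concatenateTokenRequest(fields);
  return Object.keys(fields).filter((k) => fieldAsReceived(raw, k) !== fields[k]);
}

const sampleFields = {
  grant_type: 'authorization_code',
  code: 'CONSTRUCTED-AUTH-CODE',
  redirect_uri: 'http://localhost/myapp/',
  client_id: '00000000-0000-0000-0000-000000000000',
  client_secret: 'q+7&Zx=w%2Fk~', // constructed secret containing + & = %
  scope: 'user.read mail.read',
};

console.log('altered when unencoded:', fieldsCorruptedWithoutEncoding(sampleFields));
console.log('secret seen by receiver:',
  JSON.stringify(fieldAsReceived(concatenateTokenRequest(sampleFields), 'client_secret')));
console.log('encoded body:', encodeTokenRequest(sampleFields));
```

Running `fieldsCorruptedWithoutEncoding` over the real parameter set before sending shows whether the secret is the field being altered, without regenerating secrets until one happens to be safe.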

Hello guys, I was banging my head against the wall with the same issue, but managed to solve it (at least for me!). The issue was with the Authorization header, if the header looks like this: “Bearer: {token}”, I got the error, but if I changed the header to “Bearer {token}” (removed the ':'), it works.
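
The header and token mistakes reported across this thread, collected into one pre-flight check. This is an added example, not code from any comment and not Microsoft's validation logic; the function name, result codes and sample values are constructed, and the rules are heuristics.

```javascript
// Added example: heuristic checks, one per mistake reported in this thread.
// This is not Microsoft's token validation; codes and samples are constructed.
function diagnoseAuthorizationHeader(value) {
  // A Buffer/Uint8Array or object instead of a decoded string.
  if (typeof value !== 'string') return ['NOT_A_STRING'];
  const m = /^Bearer(:?)(\s*)(.*)$/is.exec(value);
  if (!m) return ['NO_BEARER_SCHEME'];
  let [, colon, gap, token] = m;
  const found = [];
  if (colon) found.push('COLON_AFTER_SCHEME');        // "Bearer: <token>"
  else if (gap !== ' ') found.push('BAD_SEPARATOR');  // "Bearer<token>"
  if (/^Bearer\b/i.test(token)) {                     // client prepended it again
    found.push('SCHEME_DOUBLED');
    token = token.replace(/^Bearer:?\s*/i, '');
  }
  if (token.startsWith('{') || token === '[object Object]') {
    found.push('WHOLE_RESPONSE_SENT');                // not just access_token
  } else if (token === '' || /\s|\.\.\.$|…$/.test(token)) {
    found.push('TRUNCATED_OR_MANGLED');               // ellipsis, spaces, empty
  } else if (token.startsWith('eyJ') && token.split('.').length !== 3) {
    found.push('JWT_INCOMPLETE');                     // cut off in storage
  }
  return found;
}

// Constructed sample values; none is a real token.
const jwtLike = 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln';
const tokenResponse = { token_type: 'Bearer', expires_in: 3599, access_token: jwtLike };
const samples = {
  correct: 'Bearer ' + tokenResponse.access_token,
  colon: 'Bearer: ' + jwtLike,
  noSpace: 'Bearer' + jwtLike,
  doubled: 'Bearer Bearer ' + jwtLike,
  wholeObject: 'Bearer ' + tokenResponse,
  wholeJson: 'Bearer ' + JSON.stringify(tokenResponse),
  truncated: 'Bearer ' + jwtLike.slice(0, 30),
  ellipsis: 'Bearer ' + jwtLike.slice(0, 30) + '...',
  bytes: Buffer.from('Bearer ' + jwtLike, 'utf8'),
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name.padEnd(12), diagnoseAuthorizationHeader(value).join(',') || 'ok');
}
```

An empty result only means none of these client-side mistakes was detected; a token issued for the wrong endpoint or without the required scopes still has to be checked against the token request itself.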