Business Central forum

OData Access using AAD OAuth Tokens on BC14 OnPrem


Hi! 

I'm having an issue accessing a BC14 (CU22) OnPrem OData Webservice via OAuth. 

I have AAD Authentication set up and can log in with AAD Users.

I have registered a second application as the consumer and created a secret to retrieve Tokens, this works fine as well:

curl --location --request POST 'https://login.microsoftonline.com/{{tenantId}}/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{ApiConsumerApplicationId}}' \
--data-urlencode 'client_secret={{ApiConsumerClientSecret}}' \
--data-urlencode 'resource={{BusinessCentralApplicationId}}'

Response:

{
    "token_type": "Bearer",
    "expires_in": "86399",
    "ext_expires_in": "86399",
    "expires_on": "1622970582",
    "not_before": "1622883882",
    "resource": "821ba44a-a427-472e-9cc9-12b89bf42c08",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.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.VLpIJwhivCHAfNuwnF_PTgkfLIXS95twOFkDcXVYcBpL6F0AMFjMWwyrqTRSnvpYvsR2HDz7lWhzL-IvZfafZ1En1NJhyAgpL2pB1yVqqVPPPE_jYbo7mm6JyuxK1iuwj_gH1LmQb8LL3VzrewZDHigW0W57VTG_6M1b24njQv3sNcAU3e7WkCmughbyvXECW89vcPE1twANpLoY-GpYjXQaE923eG3ROf195F5P9aRQeYmBgZ06GVxIvhQcUrriNsURixeAkXZA8zYSsegINinOdy5pIGx3heK5AklLulr5lzwp70uoPDl0gvUFG9y68A1Px4J_elBMiW1fBOnvWw"
}

Here's the issue; when I use the Token to make a request I get the following response (HTTP 500):

{
    "error": {
        "code": "Unknown",
        "message": "IDX10231: Audience validation failed. Delegate returned false, securitytoken: '[PII is hidden]'.  CorrelationId:  54ded16a-9bf6-466a-8300-3adac2b6c614."
    }
}

The Event log (Admin) shows the following message:

Server instance: RELion10_EXTENSIONS_OData_Oauth2
Tenant ID: 
Type: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException
InvalidAudience: 821ba44a-a427-472e-9cc9-12b89bf42c08
Message: IDX10231: Audience validation failed. Delegate returned false, securitytoken: '[PII is hidden]'.
StackTrace:
     at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at Microsoft.Dynamics.Nav.Service.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics)
     at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl)
     at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException)
     at Microsoft.Dynamics.Nav.Service.OData.V4.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request)
     at System.Lazy`1.CreateValue()
     at System.Lazy`1.LazyInitValue()
     at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.EnsureNavAuthentication()
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteBuilder.GetEdmModelInternal(IServiceProvider serviceProvider)
     at lambda_method(Closure , ServiceProvider )
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request)
     at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request)
     at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Web.Http.HttpServer.d__0.MoveNext()
Source: Microsoft.IdentityModel.Tokens
HResult: -2146233088
StackTrace:
     at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at Microsoft.Dynamics.Nav.Service.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics)
     at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl)
     at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException)
     at Microsoft.Dynamics.Nav.Service.OData.V4.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request)
     at System.Lazy`1.CreateValue()
     at System.Lazy`1.LazyInitValue()
     at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.EnsureNavAuthentication()
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteBuilder.GetEdmModelInternal(IServiceProvider serviceProvider)
     at lambda_method(Closure , ServiceProvider )
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
     at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template)
     at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer)
     at Microsoft.Dynamics.Nav.Service.OData.V4.RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection)
     at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request)
     at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request)
     at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     at System.Web.Http.HttpServer.d__0.MoveNext()

Event Log (Operational)

Server instance: RELion10_EXTENSIONS_OData_Oauth2
Tenant ID: 
The received security token could be validated but does not give access to Dynamics 365 Business Central.
Token Details : Issuer: https://sts.windows.net/6aa47755-0666-4a7b-aef3-fd66e36f9d43/
Expiry (UTC): 07.06.2021 09:29:10
 TenantId: 6aa47755-0666-4a7b-aef3-fd66e36f9d43
 AppId: f4575994-63bf-4d11-b4ef-39645257ac3d
 IdentityProvider: https://sts.windows.net/6aa47755-0666-4a7b-aef3-fd66e36f9d43/
 Version: 1.0

I am using the Business Central (AAD) Application's Id as the Resource (821ba44a-a427-472e-9cc9-12b89bf42c08).

I also tried using the appIdUrl as the resource, again I can retrieve Tokens just fine. When I use a token like this, I get a different error message (HTTP Status 401):

{
    "error": {
        "code": "Authentication_InvalidCredentials",
        "message": "The server has rejected the client credentials.  CorrelationId:  b08e51a3-7702-4ec0-9c07-6c7eedb39ae4."
    }
}

In this case the event log does not create an entry.

What am I doing wrong? 

I've been at it for hours now, so any help is greatly appreciated

Jakob

  • WayneStevens
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    I had this same problem today with a BC20 on-prem setup - got the SecurityTokenInvalidAudienceException exception trying to use the token. I found this article telling me more than I ever wanted to know about audiences/scopes: https://www.kauffmann.nl/2022/02/23/configuring-business-central-for-azure-active-directory-authentication-and-oauth-2/. I jumped straight to option 2 and configured the instance to allow the "standard" scope:

    Set-NAVServerConfiguration -ServerInstance BC200 -KeyName ValidAudiences -KeyValue "https://api.businesscentral.dynamics.com"
    Restart-NAVServerInstance -ServerInstance BC200

    That solved this issue for me - hope it helps you...

    -Wayne
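
Added example (not part of any post in this thread, and not Business Central's own validation code): a Python diagnostic that reads a token's claims without verifying the signature and compares `aud` with the audiences a server instance is configured to accept. It assumes a plain exact-match list of allowed audiences; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Values taken from the thread: the BC app registration's appId and the
# audience configured with Set-NAVServerConfiguration -KeyName ValidAudiences.
BC_APP_ID = "821ba44a-a427-472e-9cc9-12b89bf42c08"
STANDARD_AUDIENCE = "https://api.businesscentral.dynamics.com"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims WITHOUT checking the signature.

    For troubleshooting only: never base an access decision on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_audiences(claims):
    """'aud' may be a single string or a list of strings; always return a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def _normalise(audience):
    """Reduce an audience to a comparable core: case, trailing '/', 'api://'."""
    value = audience.strip().lower().rstrip("/")
    return value[len("api://"):] if value.startswith("api://") else value


def diagnose(token, allowed_audiences):
    """Classify the token's audience as 'match', 'near-miss' or 'mismatch'.

    Assumption: the server does an exact string comparison against a list.
    A near-miss is an audience that differs from an allowed value only in
    form (GUID vs. api://GUID, letter case, trailing slash).
    """
    claims = decode_claims(token)
    audiences = token_audiences(claims)
    exact = [a for a in audiences if a in allowed_audiences]
    near = [(a, v) for a in audiences for v in allowed_audiences
            if a != v and _normalise(a) == _normalise(v)]
    if exact:
        verdict = "match"
    elif near:
        verdict = "near-miss"
    else:
        verdict = "mismatch"
    return {
        "verdict": verdict,
        "aud": audiences,
        "near": near,
        "appid": claims.get("appid"),  # calling application (v1.0 tokens)
        "ver": claims.get("ver"),
    }


def make_sample_token(claims):
    """Build a CONSTRUCTED, unsigned token for the demo (dummy signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    # Constructed sample: a token requested with resource=<BC appId>.
    sample = make_sample_token({"aud": BC_APP_ID, "ver": "1.0"})
    for allowed in ([STANDARD_AUDIENCE],
                    ["api://" + BC_APP_ID],
                    [STANDARD_AUDIENCE, BC_APP_ID]):
        result = diagnose(sample, allowed)
        print(allowed, "->", result["verdict"], result["near"])
```

A "near-miss" means the token and the instance agree on the application but not on the form of the identifier, so either the token request or the allowed list has to change to the other form.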

  • Jakob Theiner
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hi Drew!

    No, we didn't get the issue resolved. The ticket was closed since support for Service to Service Authentication has only been added officially for 18.3+ or so. Since most of our customers are still on BC 14 I didn't invest more time. We just use a second server instance with NavUserPassword Authentication via which our APIs can be consumed using basic Auth, the old, not very nice way.

    I hope you'll get that issue resolved though, next year at the latest we'll have to get back to this as well...

    Jakob

  • Drew Gaskin
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hi Jakob,

    Wondering if you found the solution for this? We have run into the same problem configuring BC20 from scratch.

    We had the same setup where SSO was configured already for user logins and working successfully.

    We then configured a second azure app registration like you did as the redirect URI was different for the OAUTH connection.

    After troubleshooting the error, I found in the event log that it was expecting the APP ID of the existing SSO app registration we set up for the user sign-in, and therefore a different Azure app reg for OAUTH couldn't be used.

    I then added a second redirect URI to the SSO app registration which matched the OAUTH URI your-bc-uri/.../OAuthLanding.htm

    This resolved the problem, but now it appears the user created in the BC portal for the SSO isn't licensed, which I found in the event log of the app server. Did you get to this stage and come across the license error?

    Cheers,

    Drew

  • Suggested answer
    Marco Mels
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hello,

    Glad that you were finally able to get to us. Not good that you spent a lot of hours on it! I would be very frustrated as well! For us at CSS, we do not have any access IDs nor accounts within partner center that fully match all support contracts that are out there, so it is a black box for us as well.

    If you are able to get to a support team using the support entitlements you have access to, you can maybe reference the community posting in the request and name the support staff that provided answers to your question. We can then internally figure out how to address the request further and it becomes our problem again to assign the right resource to your support request.

    Thanks.

  • Jakob Theiner
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hi Benny, thanks for letting me know! I've been googling for quite some time before posting but didn't find the post you mentioned. We also have a case running now, we'll see what comes out of it :)

  • RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hi Jakob,

    First of all, you're not alone... Jaan also reported this behavior a time ago: community.dynamics.com/.../bc-14-onprem-multitenant-oauth-for-web-services. I have the same issue in a 17.6 On Prem. It has something to do with the scope that you include in the token-generation, but I can't figure out the correct one, nor if we need to create one in the Azure App Registration.

  • Jakob Theiner
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hello Marco,

    well yes and no :D

    When I follow the links, I get sent to the power platform support. There I am forced to select a (SaaS) environment, which I don't have since this is an OnPrem issue. Of course I can input some stuff like this, but I don't think it's the right channel:

    pastedimage1623229156540v2.png

    If I select the above link "If you are a Microsoft partner, request support via the partner center", I get back to the partner center (where I started). Welcome to the infinite loop of "How to open a support request with Microsoft as a Gold Partner". 

    pastedimage1623229829288v4.png

    Now from the Office 365 Admin Center I found business support and it seems very nice, I can select the product and input all my info:

    pastedimage1623230003865v5.png

    This is what I would have liked to see in the first place

    .... But wait, now I have to add a new support subscription?

    pastedimage1623230243156v6.png

    After some digging I found the contract number and access id in partner center, I'm supposed to have 20 incidents and 50hrs of support left:

    pastedimage1623232477298v11.png

    I now felt like I had finally found everything and could send the request, but when I try to add this contract to the support request I get another error message which tells me to either retry at a later time or... contact support ........ What do you think I've been trying to do for the last two hours?

    pastedimage1623232032178v9.png

    I tried typing it, to make sure there are no hidden characters, I tried swapping Access Id and Contract Id (you never know...) - no luck so far.

    pastedimage1623256766981v1.png

    Remind me again, why am I paying gold partner fees?

    I know that you, Marco, personally are not responsible for the mess I'm in and are doing the best you can. And I'm sorry that you are on the receiving end.

    Once more I am frustrated with the Microsoft support experience.

    What can I do to finally open a support ticket using the existing support contract?

    Kind regards,

    Jakob

    PS.: I tried it multiple times today and just now it finally worked!!!

    I'll post my mistake once it's resolved

  • Suggested answer
    Marco Mels
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hello,

    Yes, it is Partner Center. Here is a screenshot of a selection I made:

    pastedimage1623228240221v1.png

    If you continue, you will be asked to logon using your contract details. As an ISV, there should be no problem for you. 

    Thanks.

  • Jakob Theiner
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hi Marco,

    thanks for your support.

    The AAD Tenant Id is 6aa47755-0666-4a7b-aef3-fd66e36f9d43

    This is the Business Central manifest:

    {
        "id": "2094b9ee-6291-4a9f-ad0a-7b6ba48f7764",
        "acceptMappedClaims": null,
        "accessTokenAcceptedVersion": null,
        "addIns": [],
        "allowPublicClient": true,
        "appId": "821ba44a-a427-472e-9cc9-12b89bf42c08",
        "appRoles": [
            {
                "allowedMemberTypes": [
                    "User",
                    "Application"
                ],
                "description": "Ability to access Business central On Prem",
                "displayName": "Financials",
                "id": "46c5f6dc-869a-45e1-965f-bb243f245e6d",
                "isEnabled": true,
                "lang": null,
                "origin": "Application",
                "value": "Financials.ReadWrite.All"
            }
        ],
        "oauth2AllowUrlPathMatching": false,
        "createdDateTime": "2021-05-07T11:01:21Z",
        "disabledByMicrosoftStatus": null,
        "groupMembershipClaims": null,
        "identifierUris": [
            "api://821ba44a-a427-472e-9cc9-12b89bf42c08"
        ],
        "informationalUrls": {
            "termsOfService": null,
            "support": null,
            "privacy": null,
            "marketing": null
        },
        "keyCredentials": [],
        "knownClientApplications": [],
        "logoUrl": null,
        "logoutUrl": null,
        "name": "RELion10 DP Connection ServerInstance",
        "oauth2AllowIdTokenImplicitFlow": true,
        "oauth2AllowImplicitFlow": true,
        "oauth2Permissions": [],
        "oauth2RequirePostResponse": false,
        "optionalClaims": null,
        "orgRestrictions": [],
        "parentalControlSettings": {
            "countriesBlockedForMinors": [],
            "legalAgeGroupRule": "Allow"
        },
        "passwordCredentials": [],
        "preAuthorizedApplications": [],
        "publisherDomain": "reliondev.onmicrosoft.com",
        "replyUrlsWithType": [
            {
                "url": "https://xxx/Signin",
                "type": "Web"
            }
        ],
        "requiredResourceAccess": [
            {
                "resourceAppId": "00000003-0000-0000-c000-000000000000",
                "resourceAccess": [
                    {
                        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                        "type": "Scope"
                    }
                ]
            }
        ],
        "samlMetadataUrl": null,
        "signInUrl": "https://xxx/Signin",
        "signInAudience": "AzureADMyOrg",
        "tags": [],
        "tokenEncryptionKeyId": null
    }

    And here is the consumer's manifest:

    {
        "id": "e32dd418-7106-410a-816d-5fb8d0e44bf2",
        "acceptMappedClaims": null,
        "accessTokenAcceptedVersion": null,
        "addIns": [],
        "allowPublicClient": null,
        "appId": "f4575994-63bf-4d11-b4ef-39645257ac3d",
        "appRoles": [],
        "oauth2AllowUrlPathMatching": false,
        "createdDateTime": "2021-05-07T11:09:14Z",
        "disabledByMicrosoftStatus": null,
        "groupMembershipClaims": null,
        "identifierUris": [],
        "informationalUrls": {
            "termsOfService": null,
            "support": null,
            "privacy": null,
            "marketing": null
        },
        "keyCredentials": [],
        "knownClientApplications": [],
        "logoUrl": null,
        "logoutUrl": null,
        "name": "Digitale Plattform",
        "oauth2AllowIdTokenImplicitFlow": false,
        "oauth2AllowImplicitFlow": false,
        "oauth2Permissions": [],
        "oauth2RequirePostResponse": false,
        "optionalClaims": null,
        "orgRestrictions": [],
        "parentalControlSettings": {
            "countriesBlockedForMinors": [],
            "legalAgeGroupRule": "Allow"
        },
        "passwordCredentials": [
            {
                "customKeyIdentifier": null,
                "endDate": "2023-06-04T18:37:35.262Z",
                "keyId": "1fe1a88c-32f4-4e61-aabe-938d59d7b907",
                "startDate": "2021-06-04T18:38:10.453Z",
                "value": null,
                "createdOn": "2021-06-04T18:38:10.87705Z",
                "hint": "bm_",
                "displayName": "Access by Digital Platform Team"
            }
        ],
        "preAuthorizedApplications": [],
        "publisherDomain": "reliondev.onmicrosoft.com",
        "replyUrlsWithType": [],
        "requiredResourceAccess": [
            {
                "resourceAppId": "821ba44a-a427-472e-9cc9-12b89bf42c08",
                "resourceAccess": [
                    {
                        "id": "46c5f6dc-869a-45e1-965f-bb243f245e6d",
                        "type": "Role"
                    }
                ]
            },
            {
                "resourceAppId": "00000003-0000-0000-c000-000000000000",
                "resourceAccess": [
                    {
                        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                        "type": "Scope"
                    }
                ]
            }
        ],
        "samlMetadataUrl": null,
        "signInUrl": null,
        "signInAudience": "AzureADMyOrg",
        "tags": [],
        "tokenEncryptionKeyId": null
    }

    I have never worked with fiddler before, but on first glance I don't get more info than I had before.

    This request was made using the Business Central Enterprise Application's Id as the resource:


    This request was made using the Business Central Enterprise Application's appIdUri as the resource:

%0D%0AGET%20https%3A%2F%2Fxxx%2Fxxx%2FCompany%28xxx%27%29%2FCustomers%20HTTP%2F1.1%0D%0AAuthorization%3A%20Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.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.gTq44dkrZ3oW7SZaoqm9-k4Iulw9xFzuNVJ839kWo1Cgf-CUbqbbRATgvBjcV3aOu78koGvPNgznz6h0dAe-PNwXHi7ThEIF-nBtCGMcX46DbBIjmhMBeGvICckC2T1nofiFvne5I3ZuSBq9MwQNDML9XEFk-tsFHb2OcHHZvxg6cFUlBgLhcdZf1VO9kqEkb0aiHL75Fji_jk7wCBMg1wDNwY1K9CmBLULf8mIeAYXnpPWF5Zs4t2DKKzmkwjORuOPi8ut6uZrAQa8gMfmSQ87sjgqyZTpalQI5DCUetgjZfMv2zcDrc7nXxOAZUcx66eENgaWQYMwi-Q543oeaPQ%0D%0AUser-Agent%3A%20PostmanRuntime%2F7.28.0%0D%0AAccept%3A%20%2A%2F%2A%0D%0APostman-Token%3A%2063da876e-152e-463e-913a-76ab54d912f0%0D%0AHost%3A%20xxx%0D%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0D%0AConnection%3A%20keep-alive%0D%0A%0D%0A%0D%0AHTTP%2F1.1%20401%20The%20server%20has%20rejected%20the%20client%20credentials.%0D%0ATransfer-Encoding%3A%20chunked%0D%0AContent-Type%3A%20application%2Fjson%3B%20charset%3Dutf-8%0D%0AContent-Encoding%3A%20gzip%0D%0AServer%3A%20Microsoft-HTTPAPI%2F2.0%0D%0AAccess-Control-Allow-Origin%3A%20%2A%0D%0AAccess-Control-Allow-Credentials%3A%20true%0D%0AAccess-Control-Expose-Headers%3A%20Date%2C%20Content-Length%2C%20Server%2C%20OData-Version%0D%0Arequest-id%3A%2097bead39-42e5-4197-93fd-0af71efe60b8%0D%0ADate%3A%20Mon%2C%2007%20Jun%202021%2011%3A22%3A48%20GMT%0D%0A%0D%0Aa%0D%0A%1F%EF%BF%BD%08]

    I work for an ISV in Germany. How would I go about opening a support case? Is Partner Center also the right choice? If so, what's the correct "problem type"? I get a massive list, but nothing that's really technical imho:

    Thanks again, I'm looking forward to hearing from you.

    Kind regards,

    Jakob

  • Marco Mels
    RE: OData Access using AAD OAuth Tokens on BC14 OnPrem

    Hello,

    A possible hint to troubleshoot this further is to analyze a Fiddler trace? If you want Microsoft to look at this, we would need the Azure AD app manifest files.

    Thanks.
