SQL Server How to call MS Graph via sp_invoke_external_rest_endpoint with a large access token?

nom7f22z  于 2023-08-02  发布在  其他
关注(0)|答案(1)|浏览(89)

I'm using sp_invoke_external_rest_endpoint in T-SQL to call Microsoft Graph endpoints. This is one of the use cases that Microsoft advertises. The headers parameter of sp_invoke_external_rest_endpoint is an nvarchar(4000) so you are limited to 4000 characters. How do you call MS Graph when you have an access token that is larger than that?

I've implemented sp_invoke_external_rest_endpoint in two different environments and in one of them the access token was short enough (around 3400 characters) to fit but in the other it's over 4000 characters.

eqoofvh9

eqoofvh91#

This is a temporary answer until sp_invoke_external_rest_endpoint is improved or someone discovers something new.

sp_invoke_external_rest_endpoint headers are limited to 4000 characters. Scoped credential secrets are also limited to 4000 characters. So you can't use either if your access token is greater than 4000 characters.

User managed identities don't seem to work either. You just get audience/scope errors.

So until Microsoft increases the limit on the size of the headers and the secrets, or explains how to get managed identities to work here, one solution is to ruthlessly trim down the permissions you've granted to whatever you're using to get the access token. (Probably an AD application) I was able to trim my access token by over 1000 characters by removing unnecessary permissions. Once you make the change, wait about 5 or 10 minutes for it to propagate and take full effect.

相关问题