Closed
Description
Connect-MgGraph throws IDX12729 error when using auth access tokens obtained using the Resource Owner Password Credentials (ROPC) grant type.
Repro Steps:
- Acquire an access token using username and password.
- Connect-MgGraph -AccessToken $ROPCAuthToken
- Inspect the error thrown:
Connect-MgGraph : IDX12729: Unable to decode the header '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string. jwtEncodedString: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
➜ $Error[0].Exception
Message : IDX12729: Unable to decode the header '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string. jwtEncodedString: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
ParamName :
TargetSite : Void MoveNext()
Data : {}
InnerException : Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: K. Path '', line 0, position 0.
at Newtonsoft.Json.JsonTextReader.ParseValue()
at Newtonsoft.Json.JsonReader.ReadForType(JsonContract contract, Boolean hasConverter)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
at System.IdentityModel.Tokens.Jwt.JsonExtensions.DeserializeJwtHeader(String jsonString)
at System.IdentityModel.Tokens.Jwt.JwtHeader.Base64UrlDeserialize(String base64UrlEncodedJsonString)
at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
HelpLink :
Source : Microsoft.Graph.Authentication
HResult : -2147024809
StackTrace : at Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph.ProcessRecordAsync()
Workaround
Use other grant types. The ROPC grant type is discouraged for production apps.
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.
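The repro steps and the workaround above, as an added example that is not code from this issue, the reporter, or the Microsoft Graph PowerShell SDK. It re-implements locally the decoding that the stack trace shows JwtSecurityToken.Decode performing (split on '.', Base64Url-decode the header, parse it as JSON), so a token can be checked before it is handed to Connect-MgGraph -AccessToken; it then shows the discouraged ROPC acquisition next to the device-code alternative the SDK offers. The helper names, the constructed sample tokens, and $TenantId/$ClientId/$Username/$Password are assumptions; the token endpoint URL, form fields, Graph audience values and Connect-MgGraph parameters are the documented ones.

```powershell
# Added example, not from the issue or the SDK. Assumed placeholders:
# $TenantId, $ClientId, $Username, $Password, the sample tokens built below,
# and the helper function names.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid Base64Url length' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-GraphAccessToken {
    # Returns $true only if $Token is a three-segment compact JWS whose header
    # and payload decode to JSON, whose audience is Microsoft Graph, and which
    # has not expired. A warning names the first check that fails.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) {
        Write-Warning "Expected 3 dot-separated segments, found $($parts.Count): not a compact JWS (was the whole token response passed instead of .access_token?)."
        return $false
    }
    try {
        $headerJson = ConvertFrom-Base64Url $parts[0]
        # The IDX12729 on this page wraps a JsonReaderException whose first
        # unexpected character was 'K': the decoded header never started with '{'.
        if (-not $headerJson.StartsWith('{')) {
            throw "Decoded header starts with '$($headerJson.Substring(0, 1))', not '{'"
        }
        $header  = $headerJson | ConvertFrom-Json
        $payload = (ConvertFrom-Base64Url $parts[1]) | ConvertFrom-Json
    } catch {
        Write-Warning "Header/payload are not Base64Url-encoded JSON: $($_.Exception.Message)"
        return $false
    }
    if (-not $header.alg) { Write-Warning "Header has no 'alg'."; return $false }
    # Graph tokens carry either the resource URI or Graph's well-known app id as aud.
    $graphAudiences = @('https://graph.microsoft.com', 'https://graph.microsoft.com/', '00000003-0000-0000-c000-000000000000')
    if ($payload.aud -notin $graphAudiences) { Write-Warning "aud '$($payload.aud)' is not Microsoft Graph."; return $false }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp)
    if ($exp -le [DateTimeOffset]::UtcNow) { Write-Warning "Token expired at $exp."; return $false }
    return $true
}

# Constructed sample: a well-formed token shaped like a Graph access token
# (fake signature), used only to exercise the checks above.
$enc = [System.Text.Encoding]::UTF8
$hdr = ConvertTo-Base64Url $enc.GetBytes('{"typ":"JWT","alg":"RS256","kid":"example"}')
$pl  = ConvertTo-Base64Url $enc.GetBytes((@{
    aud = 'https://graph.microsoft.com'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
    scp = 'User.Read'
} | ConvertTo-Json -Compress))
$sig = ConvertTo-Base64Url $enc.GetBytes('not-a-real-signature')
$goodToken = "$hdr.$pl.$sig"
# Constructed sample of a value that is not a JWS at all (an opaque string);
# this is the class of input on which the SDK's decoder raises IDX12729.
$opaqueToken = 'K3JhbmRvbS1vcGFxdWUtdmFsdWU'

Test-GraphAccessToken $goodToken
Test-GraphAccessToken $opaqueToken

# The flow the issue reports (discouraged): ROPC against the v2.0 token endpoint.
# The user's password travels through the script, which is why Microsoft
# advises against this grant outside of last-resort scenarios.
function Get-RopcAccessToken {
    param($TenantId, $ClientId, $Username, $Password)
    $body = @{
        client_id  = $ClientId
        scope      = 'https://graph.microsoft.com/.default'
        username   = $Username
        password   = $Password
        grant_type = 'password'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

# $ROPCAuthToken = Get-RopcAccessToken $TenantId $ClientId $Username $Password
# if (Test-GraphAccessToken $ROPCAuthToken) { Connect-MgGraph -AccessToken $ROPCAuthToken }
# Microsoft.Graph.Authentication 2.x takes -AccessToken as a SecureString instead:
#   Connect-MgGraph -AccessToken (ConvertTo-SecureString $ROPCAuthToken -AsPlainText -Force)

# Recommended instead of ROPC: let the SDK run the device-code (or interactive)
# flow, so no password is handled by the script at all.
# Connect-MgGraph -Scopes 'User.Read' -UseDeviceCode
```

Run Test-GraphAccessToken on the token before calling Connect-MgGraph: if it fails on the segment-count or header check, the value in hand is not a compact JWS and the cmdlet will fail the same way regardless of which grant produced it. Delegated tokens from device-code or interactive sign-in carry the same claims and need no ROPC.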