Pnp-powershell: New-PnPSite Unable to decode the header '[PII is hidden]' as Base64Url encoded string

Created on 9 Sep 2019 · 12 Comments · Source: pnp/PnP-PowerShell

Reporting an Issue or Missing Feature

Issue

Expected behavior

New Communication / Team site to be created

Actual behavior

An error is thrown with the following message. Works on other tenant. Seems like it might be related to security ??

Used to work on the environment

New-PnpSite : IDX12729: Unable to decode the header '[PII is hidden]' as Base64Url encoded string. 
jwtEncodedString: '[PII is hidden]'.
At C:\dev\kappa\Scripts\Initialize-HubSites.ps1:22 char:9
+         New-PnpSite -Type CommunicationSite
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) [New-PnPSite], ArgumentException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.NewSite

Steps to reproduce behavior

1) Connect to the SharePoint environment using Connect-PnPOnline "https://tenant-admin.sharepoint.com"

2) Try creating a new PnPSite using the following:

New-PnpSite -Type CommunicationSite -Title "TEST TITLE" -Description "TEST DESCRIPTION" -Url "https://tenant.sharepoint.com/sites/testsite"

Which version of the PnP-PowerShell Cmdlets are you using?

  • [ ] PnP PowerShell for SharePoint 2013
  • [ ] PnP PowerShell for SharePoint 2016
  • [x] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

3.13.1909

How did you install the PnP-PowerShell Cmdlets?

  • [ ] MSI Installed downloaded from GitHub
  • [x] Installed through the PowerShell Gallery with Install-Module
  • [ ] Other means

All 12 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

I get the same error message with apply-pnpprovisioningtemplate. This is all over my console in debug-mode:

powershell.exe Warning: 0 : 2019-09-11 18:05:40.8977    [OfficeDevPnP.Core]     [0]     [Information]   Could not determine lease for appOnlyAccessToken. Error = System.ArgumentException: IDX12729: Unable to decode the header '[PII is hidden]' as Base64Url encoded string. jwtEncodedString: '[PII is hidden]'. ---> System.TypeInitializationException: Typeinitialiseringen for System.IdentityModel.Tokens.Jwt.JsonExtensions forårsaket et unntak. ---> System.IO.FileNotFoundException: Could not load file or assembly 'Newtonsoft.Json, Version=10.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. Systemet finner ikke angitt fil.
   ved System.IdentityModel.Tokens.Jwt.JsonExtensions..cctor()
   --- Slutten på sporingen av intern unntaksstakk ---
   ved System.IdentityModel.Tokens.Jwt.JsonExtensions.DeserializeJwtHeader(String jsonString)
   ved System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   --- Slutten på sporingen av intern unntaksstakk ---
   ved System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
   ved OfficeDevPnP.Core.AuthenticationManager.<>c__DisplayClass32_1.<EnsureAzureADCredentialsToken>b__1(Object obj)    0ms

This same issue appears in PnP Core as well. It looks like PnP Core, and thus PnPPS, is using Newtonsoft.Json version 11.0.1 while System.IdentityModel.Tokens.Jwt.JsonExtensions is possibly still looking for Newtonsoft.Json 10.0.0. @erwinvanhunen

I am getting this error message simply trying to run Connect-PnPOnline. This is my code:

$clientId = "[hidden]"
$tenantId = "[hidden]"
$clientSecret = '[hidden]'

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing


$token = ($tokenRequest.Content | ConvertFrom-Json).access_token

$session = Connect-PnPOnline -AccessToken $token

For the community, we found a workaround for this issue by using the UseWebLogin switch. The exact cause of the problem is still blurry but has been tracked down to the security scheme of the tenant, which uses MFA and is behind Okta.

I can confirm that this is also not working with the latest version (3.15.1911.0)

Getting the same error:

My sample to reproduce this:

# Define AppId, secret and scope, your tenant name and endpoint URL
$AppId = "<appid>"
$AppSecret = '<appsecret>'
$Scope = "https://graph.microsoft.com/.default"
$TenantName = "<tenant>.onmicrosoft.com"

$Url = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token"

# Add System.Web for urlencode
Add-Type -AssemblyName System.Web

# Create body
$Body = @{
    client_id = $AppId
    client_secret = $AppSecret
    scope = $Scope
    grant_type = 'client_credentials'
}

# Splat the parameters for Invoke-Restmethod for cleaner code
$PostSplat = @{
    ContentType = 'application/x-www-form-urlencoded'
    Method = 'POST'
    # Invoke-RestMethod form-encodes this hashtable for the POST body
    Body = $Body
    Uri = $Url
}

# Request the token!
$Request = Invoke-RestMethod @PostSplat

Connect-PnPOnline -AccessToken $Request.access_token -Url "https://<tenant>-admin.sharepoint.com"

I'm also getting this issue on a particular tenant when using Apply-PnPTenantTemplate

Just discovered this same issue, using Office 365 CLI accesstoken get command to generate a token and pass into Connect-PnPOnline

$token = o365 accesstoken get -r https://tenant.sharepoint.com --new
Connect-PnPOnline -Url https://tenant.sharepoint.com -AccessToken $token
Connect-PnPOnline : IDX12729: Unable to decode the header '[PII is hidden]' as Base64Url encoded string. jwtEncodedString: '[PII is hidden]'.
At line:1 char:1
+ Connect-PnPOnline -Url https://lundhill.sharepoint.com -AccessToken $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-PnPOnline], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Access token used can be decoded using https://jwt.io/

This is the message from the inner exception while debugging it

Could not load file or assembly 'Newtonsoft.Json, Version=10.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The system cannot find the file specified.

Callstack of the (most) inner exception:

at System.IdentityModel.Tokens.Jwt.JsonExtensions..cctor()
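
Added example (not part of the thread and not PnP-PowerShell code): the comment above reports that the rejected token decodes fine and that the inner exception is an assembly load failure, not a malformed token. The script below checks both locally, so a live access token never has to be pasted into a website. The function names are hypothetical and the sample token is constructed.

```powershell
# Added example; function names are hypothetical, the sample token is constructed.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Segment)
    # Base64Url -> Base64: restore the standard alphabet and the '=' padding.
    $b64 = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw "Not a valid Base64Url segment (length $($b64.Length))" }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Read-JwtUnverified {
    param([Parameter(Mandatory)][string]$Token)
    # Decodes only; the signature is NOT validated here.
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 segments, found $($parts.Count)" }
    [pscustomobject]@{
        Header  = (ConvertFrom-Base64Url -Segment $parts[0] | ConvertFrom-Json)
        Payload = (ConvertFrom-Base64Url -Segment $parts[1] | ConvertFrom-Json)
    }
}

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed token: realistic header/payload shape, placeholder signature.
$sample = @(
    ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
    ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","exp":1568224800}'
    'constructed-signature'
) -join '.'

$jwt = Read-JwtUnverified -Token $sample
$jwt.Header | Format-List     # a well-formed token shows typ and alg here
$jwt.Payload | Format-List

# IDX12729 in this thread wraps a FileNotFoundException for Newtonsoft.Json
# 10.0.0.0, so list the Newtonsoft.Json builds this session has actually loaded.
[AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GetName().Name -eq 'Newtonsoft.Json' } |
    ForEach-Object { '{0}  {1}' -f $_.GetName().Version, $_.Location }
```

To inspect a real token, call `Read-JwtUnverified -Token $token` in the same session that ran Connect-PnPOnline; a token that decodes here while the cmdlet still reports IDX12729 points at the inner exception rather than at the token.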

Hi,
I just did a few tests using both Graph token and certificate token without an issue. Is it still not working? @zapftho @tarjeieo @garrytrinder

Trying to figure out if it was a PnP or service issue.

@wobba just tested using 3.17.2001.2 and I don't get the error anymore...

I know we had some newtonsoft dll issues, but don't recall exactly when we fixed them, but good to see it working and I'll close this one for now.
