Forum Discussion
Graph listing appRoleAssignments
Hi there,
I've run into some problems trying to use appRoleAssignment.
The app in question is a Perl Dancer2 app using an OAuth plugin. After logging in (usually by SSO) I get a session in which I can find the access token. I can use this token just fine (via Perl LWP) to list, i.e., the teams the logged-in user is a member of. The session contains all sorts of information about the user. Logging in seems to work just fine.
But the app should only be used by a certain group of people: members of a certain group/team. So I went ahead and made me an AppRole of User/Groups type for a certain group. Added the delegated API permission User.ReadBasic.All (even added Directory.Read.All). In fact I tried a whole bunch of permissions.
But the GET request to https://graph.microsoft.com/v1.0/users/<my_upn>/appRoleAssignment always returns an "Unauthorized" error. The request of course has the authorization field containing "Bearer <access_token>". But that should be visible in the response pasted below.
I did notice the warning 'Unsupported authentication scheme \'bearer\'', but the documentation does state Bearer <access_token>; I did try bearer in lower case.
Where am I going wrong? IMHO this should work, even with Perl LWP.
Below is the sanitized response I get on a request.
$VAR1 = bless( {
'_content' => '{"error":{"code":"InvalidAuthenticationToken","message":"Required claim actortoken not present in token","innerError":{"date":"2023-06-28T12:55:01","request-id":"4b68d403-7d88-4aa6-8dcf-419031d855bd","client-request-id":"4b68d403-7d88-4aa6-8dcf-419031d855bd"}}}',
'_msg' => 'Unauthorized',
'_headers' => bless( {
'client-ssl-socket-class' => 'IO::Socket::SSL',
'www-authenticate' => 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"',
'date' => 'Wed, 28 Jun 2023 12:55:00 GMT',
'client-response-num' => 1,
'request-id' => '4b68d403-7d88-4aa6-8dcf-419031d855bd',
'client-peer' => '40.126.32.99:443',
'client-ssl-version' => 'TLSv1_3',
'client-transfer-encoding' => [
'chunked'
],
'client-date' => 'Wed, 28 Jun 2023 12:55:01 GMT',
'content-type' => 'application/json',
'::std_case' => {
'client-transfer-encoding' => 'Client-Transfer-Encoding',
'client-date' => 'Client-Date',
'client-ssl-version' => 'Client-SSL-Version',
'client-peer' => 'Client-Peer',
'request-id' => 'Request-Id',
'client-response-num' => 'Client-Response-Num',
'client-ssl-socket-class' => 'Client-SSL-Socket-Class',
'client-ssl-cert-subject' => 'Client-SSL-Cert-Subject',
'strict-transport-security' => 'Strict-Transport-Security',
'client-ssl-cert-issuer' => 'Client-SSL-Cert-Issuer',
'client-request-id' => 'Client-Request-Id',
'client-warning' => 'Client-Warning',
'client-ssl-cipher' => 'Client-SSL-Cipher',
'x-ms-ags-diagnostic' => 'X-Ms-Ags-Diagnostic'
},
'x-ms-ags-diagnostic' => '{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"AM1PEPF000105AA"}}',
'client-ssl-cipher' => 'TLS_AES_256_GCM_SHA384',
'connection' => 'close',
'client-warning' => 'Unsupported authentication scheme \'bearer\'',
'client-request-id' => '4b68d403-7d88-4aa6-8dcf-419031d855bd',
'client-ssl-cert-issuer' => '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA',
'strict-transport-security' => 'max-age=31536000',
'client-ssl-cert-subject' => '/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.microsoft.com'
}, 'HTTP::Headers' ),
'_protocol' => 'HTTP/1.1',
'_rc' => 401,
'_request' => bless( {
'_uri' => bless( do{\(my $o = 'https://graph.microsoft.com/v1.0/users/<my_upn>/appRoleAssignments')}, 'URI::https' ),
'_uri_canonical' => $VAR1->{'_request'}{'_uri'},
'_content' => '',
'_method' => 'GET',
'_headers' => bless( {
'authorization' => 'Bearer ey<the rest snipped out>fQ.',
'accept' => '*/*',
'user-agent' => 'curl/7.55.1',
'::std_case' => {
'if-ssl-cert-subject' => 'If-SSL-Cert-Subject'
},
'content-type' => 'application/json'
}, 'HTTP::Headers' )
}, 'HTTP::Request' )
}, 'HTTP::Response' );
1 Reply
- Peter_Kaagman (Brass Contributor): Turned out I had to use the access_token instead of the id_token. Worked after I changed that. But to no avail for my purpose. The list of appRoleAssignment was not what I was looking for anyway. Instead I had to finish up making the app_role in the enterprise application => assigning a group to the app_role. Learned something 😄 Thank you all.
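The root cause in this thread was sending the id_token (audience = your own app) where Graph expects an access token (audience = Graph). The following is an added example, not code from the thread or from Dancer2's OAuth plugin: a client-side sanity check that decodes the JWT payload and refuses to use a token whose aud claim is not Graph. The client ID, UPN and sample tokens are constructed; the check does not verify signatures and is not a substitute for validation, it only catches the id_token/access_token mix-up before the request is sent.

```python
import base64
import json

# Audiences Microsoft Graph issues access tokens for: the resource URI and Graph's
# app ID, the same ID that appears as client_id in the WWW-Authenticate header above.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: this is only a
    client-side sanity check on a token we are about to send, not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, client_id: str) -> str:
    """Return 'graph_access_token', 'id_token' or 'other' based on the aud claim."""
    aud = jwt_claims(token).get("aud")
    if aud in GRAPH_AUDIENCES:
        return "graph_access_token"
    if aud == client_id:  # id_tokens are addressed to your own application
        return "id_token"
    return "other"


def token_usable_for_graph(token: str, client_id: str) -> bool:
    return classify_token(token, client_id) == "graph_access_token"


def make_unsigned_test_jwt(claims: dict) -> str:
    """Constructed sample token for this demo only; real tokens are signed by Entra ID."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample values (hypothetical client ID, UPN and tokens).
MY_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ID_TOKEN = make_unsigned_test_jwt({"aud": MY_CLIENT_ID, "upn": "user@example.org"})
ACCESS_TOKEN = make_unsigned_test_jwt({"aud": "https://graph.microsoft.com", "scp": "User.ReadBasic.All"})

if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        print(f"{name} -> {classify_token(tok, MY_CLIENT_ID)}")
```

In the Dancer2 session from the thread both tokens are available; running this check on the value you pass to LWP would have flagged the id_token immediately instead of surfacing as a 401 InvalidAuthenticationToken from Graph.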