Related
[FINAL UPDATE]
Fixed per this thread: https://github.com/docusign/docusign-esign-node-client/issues/295
Apparently related to security additions made to DocuSign's API.
I haven't encountered this issue before today. I gave a demo to a client just last week and the same code was working fine. Today I get the following:
{
"status": 444,
"response": {
"req": {
"method": "GET",
"url": "https://demo.docusign.net/restapi...",
"data": {},
"headers": {
"user-agent": "node-superagent/3.8.2",
"x-docusign-sdk": "Node",
"authorization": "Bearer ABC...",
"content-type": "application/json",
"accept": "application/json"
}
},
"header": {
"content-type": "text/html",
"x-docusign-tracetoken": "2eeb8caa-8865-4898-bef9-d3611bfaa3f7",
"x-docusign-node": "DA2DFE5",
"date": "Fri, 17 Jun 2022 01:02:02 GMT",
"content-length": "54",
"connection": "close",
"strict-transport-security": "max-age=31536000; includeSubDomains"
},
"status": 444,
"text": "The custom error module does not recognize this error."
}
}
Through the node SDK I fetch a token using requestJWTUserToken, and set the apiclient's auth header, then I new-up an EnvelopesAPI instance. When I make a call to getEnvelope() or listStatusChanges(), then I get the error above. None of this code has changed in months, and I'm using the same integration key, account, private key, everything. I've demo'd it all a few times now - no issues.
An interesting observation: the error above gives me a URL and token. The token is valid, and if I make a request to the URL (the envelopes endpoint) via Postman using said token, then the request succeeds. So my calls through the SDK seem to be failing for some reason.
I can't seem to crack this one, and now I can't get around it given a couple demo systems that worked just last week.
I'm using the docusign-esign 5.17 module - upgraded from 5.15 in an attempt to fix the issue. No luck.
Where is this error coming from?
[Update 1]
I'm running my node app that is making requests through the DocuSign Node SDK against a proxy so I can see what the failing request actually look like:
They fail the same way.
HTTP/1.1 444
Content-Type: text/html
X-DocuSign-TraceToken: 338534c6-c8c3-4b01-9b66-35d697cd0053
X-DocuSign-Node: DA1DFE4
Date: Fri, 17 Jun 2022 03:55:07 GMT
Content-Length: 54
Vary: Accept-Encoding
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains
The custom error module does not recognize this error.
I'm using Proxyman to catch the request, and like Chrome or Firefox it will let you copy a request as a cURL command. If I copy the failing request as cURL, then run in at the terminal, it succeeds.
[MacBookPro0020]~/source/docusign/jwt-smoke-test:0 (master)
$ curl 'https://demo.docusign.net/restapi/v2.1/accounts/a0a4c81f-.../envelopes?envelope_ids=e750526f-...&envelope_ids=a38b794b...&envelope_ids=a5d8c586-...' \
-H 'Host: demo.docusign.net' \
-H 'User-Agent: node-superagent/3.8.2' \
-H 'X-DocuSign-SDK: Node' \
-H 'Node-Ver: v14.18.3' \
-H 'Authorization: Bearer ABCD...' \
-H 'Accept: application/json' \
-H 'Connection: close' \
-H 'Content-Type: application/json' \
--proxy http://localhost:9090
{"resultSetSize":"1","startPosition":"0","endPosition":"0","totalSetSize":"1","nextUri":"","previousUri":"","envelopes":[{"status":"created","documentsUri":"/envelopes/d97565c8...purgeState":"unpurged","envelopeIdStamping":"true","autoNavigation":"true","isSignatureProviderEnvelope":"false","allowComments":"true","anySigner":null,"envelopeLocation":"current_site"}]}
I'm using a JWT auth token, so again, I'm getting a valid token. Calls through the SDK consistently fail, but cURL'ing and manually requesting through Postman both succeed.
I'm at a loss.
Additional details: I see this same issue on MacOS and Windows (i.e., node app hosting docusign-esign). I'm using auth code grant to send envelopes and query envelope statuses and that works fine. I've used JWT Grant without issue up until this week (just demo'd automated functionality last week and it worked.) I haven't made any code changes to my DocuSign functionality, nor have my colleagues, at least according to the repo's history.
I don't recall ever encountering the error above before. I'd love to know why cURL'ing the same request succeeds. I'd rather not ditch the SDK and roll my own requests, but it wouldn't be difficult.
[Update 2]
Here's a simple repro - it's a quick and dirty copy of the QuickStart demo project for the node SDK. I'm using only docusign-esign.
Exact. same. issue.
Again, I can take that token and drop it into cURL or postman and the request will succeed. There's not a lot of code here. The token is valid.
async function main() {
// Data used
// dsConfig.dsClientId
// dsConfig.impersonatedUserGuid
// dsConfig.privateKey
// dsConfig.dsOauthServer
let dsConfig = dsConfig_customer; // defined globally
const jwtLifeSec = 10 * 60, // requested lifetime for the JWT is 10 min
dsApi = new docusign.ApiClient();
dsApi.setOAuthBasePath(dsConfig.dsOauthServer.replace('https://', '')); // it should be domain only.
const results = await dsApi.requestJWTUserToken(dsConfig.dsClientId,
dsConfig.impersonatedUserGuid, 'signature impersonation', dsConfig.privateKey,
jwtLifeSec);
console.log( results.body.access_token );
const userInfo = await dsApi.getUserInfo(results.body.access_token);
dsApi.setBasePath(userInfo.accounts[0].baseUri + '/restapi');
dsApi.addDefaultHeader( 'Authorization', 'Bearer ' + results.body.access_token );
const envelopesAPI = new docusign.EnvelopesApi(dsApi);
const res = await envelopesAPI.getEnvelope( dsConfig.accountID, 'e1917111-2900-48e8-9054-799169379c8a', null );
console.log(res);
return {
accessToken: results.body.access_token,
tokenExpirationTimestamp: expiresAt,
userInfo,
account: userInfo.accounts[0]
};
}
main().then(result => console.log(result)).catch(err=>console.error(err));
...
header: {
'content-type': 'text/html',
'x-docusign-tracetoken': '685b6226-a0d3-4547-94c7-df0216d884a3',
'x-docusign-node': 'DA2DFE188',
date: 'Fri, 17 Jun 2022 05:20:12 GMT',
'content-length': '54',
vary: 'Accept-Encoding',
connection: 'close',
'strict-transport-security': 'max-age=31536000; includeSubDomains'
},
statusCode: 444,
status: 444,
statusType: 4,
info: false,
ok: false,
redirect: false,
clientError: true,
serverError: false,
error: Error: cannot GET /restapi/v2.1/accounts/49754554-ABCD-.../envelopes/e1917111-2900-48e8-9054-799169379c8a (444)
...
I finally manage to resolve the issue by downgrading my Docusign SDK NodeJS version from 5.15.0 to 5.7.0 in my package.json file.
An issue relative to this can be find there, I really hope this issue will be resolved anytime soon.
Edit :
The Docusign support actually took action on this (the github's issue from above is now closed), it might be interesting to test again with the latest version of Docusign SDK NodeJS (or the one you were using previously).
I'm creating a simple Lambda function to serve a POST in AWS Gateway:
import json
import boto3
from datetime import datetime
def lambda_handler(event,context):
wf = event['WF']
if wf == 'start1':
body = 'Suceeded'
return {
"isBase64Encoded": False,
'statusCode': 200,
'body': json.dumps(body),
'headers': {
'Content-Type': 'application/json'
}
}
else:
body = 'Failed'
return {
"isBase64Encoded": False,
'statusCode': 400,
'body': json.dumps(body),
'headers': {
'Content-Type': 'application/json'
}
}
If I send a POST with this body is successful:
{
"WF": "start1",
"Context": "OK"
}
Returns:
Test Event Name
test
Response
{
"isBase64Encoded": false,
"statusCode": 200,
"body": "\"Suceeded\"",
"headers": {
"Content-Type": "application/json"
}
}
Function Logs
START RequestId: 91663a9d-d8b6-4aad-b8b6-eb2f15ff0354 Version: $LATEST
END RequestId: 91663a9d-d8b6-4aad-b8b6-eb2f15ff0354
REPORT RequestId: 91663a9d-d8b6-4aad-b8b6-eb2f15ff0354 Duration: 1.74 ms Billed Duration: 2 ms Memory Size: 128 MB Max Memory Used: 66 MB Init Duration: 300.73 ms
Request ID
91663a9d-d8b6-4aad-b8b6-eb2f15ff0354
But if I run a test in the API Gateway service in AWS I get:
Fri Jun 04 13:45:22 UTC 2021 : Sending request to https://XXXXXXX
Fri Jun 04 13:45:22 UTC 2021 : Received response. Status: 200, Integration latency: 15 ms
Fri Jun 04 13:45:22 UTC 2021 : Endpoint response headers: {Date=Fri, 04 Jun 2021 13:45:22 GMT, Content-Type=application/json, Content-Length=159, Connection=keep-alive, x-amzn-RequestId=d479fdac-6737-42fa-96a3-9e991056b48d, X-Amz-Function-Error=Unhandled, x-amzn-Remapped-Content-Length=0, X-Amz-Executed-Version=$LATEST, X-Amzn-Trace-Id=root=1-60ba2e72-ff62f051febbd21d6cc9d114;sampled=0}
Fri Jun 04 13:45:22 UTC 2021 : Endpoint response body before transformations: {"errorMessage": "'WF'", "errorType": "KeyError", "stackTrace": [" File \"/var/task/lambda_function.py\", line 7, in lambda_handler\n wf = event['WF']\n"]}
Fri Jun 04 13:45:22 UTC 2021 : Lambda execution failed with status 200 due to customer function error: 'WF'. Lambda request id: d479fdac-6737-42fa-96a3-9e991056b48d
Fri Jun 04 13:45:22 UTC 2021 : Method completed with status: 502
Why line 7 is wrong?
Is there another way to parse the body of the POST?
The solution was found by disabling Lambda Proxy Integration in the POST - Integration Request.
It looks like your API Gateway invocation is not populating the event parameter of your Lambda function. When you create a test event your lambda function's page, you get to create your own test event. API Gateway will not use this test event, it will instead send an empty event (probably null).
I.e.
import json
import boto3
from datetime import datetime
def lambda_handler(event,context): # Event is null here
wf = event['WF'] # Attempting to read the attribute 'WF' of null results in an error
In my instance, I had received this error when invoking my Lambda function via API gateway, it was also completely fine when invoking directly the lambda function expecting a simple JSON body.
my expected payload:
{"Email": "foo3#foo.com"}
It turns out Lambda Proxy Integration in the POST in the configuration API gateway changes the payload structure before passing into Lambda, and I was getting the error missing Key attribute Email. I noticed that line Endpoint request body after transformations: in cloudwatch. I learned that it was changing the payload.
How I debug this:
Invoke Lambda using test events ensuring the both the error scenario and success scenarios are working.
Ensure there are no permission issues via API gateway by making sure that your API gateway can invoke the Lambda and have appropriate IAM roles/policies
Ensure your lambda has the API gateway as the trigger
I tried removing all the security token first via API gateway to verify I am able to invoke the API
I tried both HTTP methods POST And GET, seeing the same error (Email was missing) was the key to figuring this out as I was already passing the payload in the request body in the POST method.
I discovered that axios is returning a string instead of a valid json.
headers:Object {date: "Tue, 02 Jun 2020 08:44:06 GMT", server: "Apache", connection: "close", …}
connection:"close"
content-type:"text/html; charset=UTF-8"
date:"Tue, 02 Jun 2020 08:44:06 GMT"
server:"Apache"
transfer-encoding:"chunked"
how do I change the content-type to application/json in NestJs application?
I tried this but didnt not work
const meterInfo = await this.httpService.get(url, { headers: { "Content-Type": "application/json" } }).toPromise();
Here is the invalid json returned.
"{"status":"00","message":"OK","access_token":"2347682423567","customer":{"name":"John Doe","address":"Mr. John Doe 34 Tokai, leaflet. 7999.","util":"Demo Utility","minimumAmount":"13897"},"response_hash":"c43c9d74480f340f55156f6r5c56487v8w"}"
Instead of sending a Content-Type header, you should send an Accept header with the same MIME type. This tells the server what you are expecting to receive, and if Content Negotiation is set up properly, it will allow you to get a JSON back instead of that weird string.
this.httpService.get(
url,
{
headers: {
'Accept': 'application/json',
},
},
).toPromise();
If that doesn't work, you'll need to provide your own serializer to take the string from that wonky format to JSON, or get in touch with the server admins and see if they can provide you better documentation about how to consume their API.
We have
created Azure Active Directory
created a new Application
registered the new Application in Azure AD
given ALL the permissions to the API
granted admin permissions
Now we login with this app credentials
We get authorization:
GET /1111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/authorize HTTP/1.1
Host: login.microsoftonline.com
cache-control: no-cache
Postman-Token: 111111-aaaa-4696-9828-9110670706c5
We get the token:
POST /11111111-aaaa-4fd3-bf32-9bfc460f67b1/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 11111111-aaaa-47e4-b2fb-6b94cd02312a
client_id=11111111-aaaa-482e-ab17-86e4c2c6240c
scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
client_secret=aaaaaaaaaaaDJk6jBJ%2FuBRJM6AFxyFIDMKn867hmvU%3D
grant_type=client_credentials
The token analyzed with jwt.io:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
"iat": 1541603660,
"nbf": 1541603660,
"exp": 1541607560,
"aio": "42RgYFB+/Gyh8uF3yl+uKU7km//kFwA=",
"app_displayname": "ToDoListService",
"appid": "1111111-4e99-482e-ab17-86e4c2c6240c",
"appidacr": "1",
"idp": "https://sts.windows.net/1111111-ccc6-4fd3-bf32-9bfc460f67b1/",
"oid": "1111111-98fb-4a47-af7f-d3800dde2f7b",
"roles": [
"Chat.UpdatePolicyViolation.All",
"Calls.JoinGroupCall.All",
"EduRoster.Read.All",
"OnlineMeetings.Read.All",
"Mail.ReadWrite",
"OnlineMeetings.ReadWrite.All",
"Device.ReadWrite.All",
"User.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"SecurityEvents.Read.All",
"Calendars.Read",
"EduAssignments.ReadWrite.All",
"People.Read.All",
"Application.ReadWrite.All",
"Calls.InitiateGroupCall.All",
"Group.Read.All",
"Directory.ReadWrite.All",
"EduAssignments.ReadWriteBasic.All",
"MailboxSettings.Read",
"EduAdministration.Read.All",
"Calls.JoinGroupCallAsGuest.All",
"Sites.Read.All",
"Sites.ReadWrite.All",
"Contacts.ReadWrite",
"Group.ReadWrite.All",
"Sites.Manage.All",
"SecurityEvents.ReadWrite.All",
"Notes.Read.All",
"User.Invite.All",
"EduRoster.ReadWrite.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"EduAssignments.ReadBasic.All",
"EduRoster.ReadBasic.All",
"Files.Read.All",
"Mail.Read",
"Chat.Read.All",
"ChannelMessage.Read.All",
"EduAssignments.Read.All",
"Calendars.ReadWrite",
"identityriskyuser.read.all",
"EduAdministration.ReadWrite.All",
"Mail.Send",
"ChannelMessage.UpdatePolicyViolation.All",
"MailboxSettings.ReadWrite",
"Contacts.Read",
"IdentityRiskEvent.Read.All",
"AuditLog.Read.All",
"Member.Read.Hidden",
"Calls.AccessMedia.All",
"Sites.FullControl.All",
"Reports.Read.All",
"Calls.Initiate.All",
"Notes.ReadWrite.All"
],
"sub": "1111111-98fb-4a47-af7f-d3800dde2f7b",
"tid": "1111111-ccc6-4fd3-bf32-9bfc460f67b1",
"uti": "hxPwbjRRm0y6SI8hxuckAA",
"ver": "1.0",
"xms_tcdt": 1541414851
}
You can see that we get all the necesary permissions.
And this petition works:
https://graph.microsoft.com/v1.0/Users/
or
https://graph.microsoft.com/beta/Users/
but not this one:
https://graph.microsoft.com/beta/Users/<user-id>/Calendars
nor this one:
https://graph.microsoft.com/beta/users/<user-id>/sendMail
they both return 401:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "019ddc83-6528-4f19-95cc-8b99ea53a046",
"date": "2018-11-07T16:03:55"
}
}
}
I think that we had got all the necessary permission, configuration... etc... so why isn't it working? :'(
[UPDATE]
detailed call to get calendars
GET /v1.0/Users/<user-id>/Calendars HTTP/1.1
cache-control: no-cache
Postman-Token: xxxxxxxxxxxxxxxxxxxxxxx
Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: PostmanRuntime/7.3.0
Accept: */*
Host: graph.microsoft.com
accept-encoding: gzip, deflate
Connection: close
Response
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
client-request-id: 11111111-aaaa-aaaa-a115-e09bb6f09917
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceC","Ring":"3","ScaleUnit":"001","Host":"AGSFE_IN_34","ADSiteName":"NEU"}}
Duration: 377.0084
Strict-Transport-Security: max-age=31536000
Date: Thu, 08 Nov 2018 09:16:03 GMT
Connection: close
c6
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "2bb9a7c1-f8a3-4c1f-a115-e09bb6f09917",
"date": "2018-11-08T09:16:04"
}
}
}
0
let me start by first of all noticing that you have posted a client secret on a public forum :) And one that has luxurious permission on your tenant. I hope you have changed the client secret by now.
But to get back to your question - I will have to ask a bit more in detail to get a better understanding of what your actual results were:
According to your JWT printout you are getting a V1 token but using the client credential flow (the field "ver" is set to 1.0). The Microsoft Documentation here Get access without a user explicitly states that you should use a V2 Token to access Microsoft Graph in this scenario. So the first question is: Did you create your Azure App using the V2 Portal: https://apps.dev.microsoft.com/ ? If not then this may be the issue.
A more common issue when manually testing - Have you made sure that the token had not expired from the time you got it from the /token endpoint up to the time you tested your API call?
If none of the above - please post your request to the https://graph.microsoft.com/beta/Users//Calendars endpoint in detail, the devil may be in the details
I am trying to download the content of a onedrive item via the microsoft api. However, no matter the method I use, I get 404 responses. Here is a reproduction of the problem in python/requests
import requests
import json
root_url = "https://graph.microsoft.com"
base_path = "/v1.0/<tenant_id>/users/<principal_name>/drive/"
token = "ALONGTOKEN"
headers = {"Authorization": "Bearer %s" % token}
r = requests.get(root_url + base_path + "/root/children", headers=headers)
listing = json.loads(r.text)
target = listing["value"][0]
print("Target node:")
print(json.dumps(target))
print("Target node id:")
print(target["id"])
r = requests.get(root_url + base_path + "items/" + target["id"], headers=headers)
print("Target metadata:")
print(r.text)
resp = json.loads(r.text)
download_url = resp["#microsoft.graph.downloadUrl"]
print("Target download url:")
print(download_url)
r = requests.get(download_url, headers=headers)
print("Download response code:")
print(r.status_code)
print("Download response headers:")
print(r.headers)
print("Download response cookies:")
print(r.cookies)
print("Download response redirect history:")
print(r.history)
outputs the following:
Target node:
{"parentReference": {"driveId": "drive_id", "path": "/drive/root:", "id": "parent_id"}, "cTag": "\"c:{tag},1\"", "lastModifiedDateTime": "2016-08-24T17:32:45Z", "name": "birds.png", "createdDateTime": "2016-08-24T17:32:45Z", "image": {}, "webUrl": "https://org-my.sharepoint.com/personal/principal_name/Documents/birds.png", "lastModifiedBy": {"user": {"displayName": "User Name", "id": "user_id"}}, "eTag": "\"{etag},1\"", "createdBy": {"user": {"displayName": "User Name", "id": "user_id"}}, "#microsoft.graph.downloadUrl": "https://org-my.sharepoint.com/personal/principal_name/_layouts/15/download.aspx?guestaccesstoken=access_token&docid=did&expiration=2016-09-01T17%3a12%3a14.000Z&userid=uid&authurl=True&NeverAuth=True", "file": {"hashes": {}}, "id": "01L4SXJGJ2LR2PGPKJMVGZPHIADCAYJEFE", "size": 34038}
Target node id:
01L4SXJGJ2LR2PGPKJMVGZPHIADCAYJEFE
Target metadata:
{"#odata.context":"https://graph.microsoft.com/v1.0/$metadata#users('principal_name')/drive/items/$entity","#microsoft.graph.downloadUrl":"https://org-my.sharepoint.com/personal/principal_name/_layouts/15/download.aspx?guestaccesstoken=accesstoken&docid=docid&expiration=2016-09-01T17%3a12%3a15.000Z&userid=uid&authurl=True&NeverAuth=True","createdBy":{"user":{"id":"user_id","displayName":"User Name"}},"createdDateTime":"2016-08-24T17:32:45Z","eTag":"\"{etag},1\"","id":"01L4SXJGJ2LR2PGPKJMVGZPHIADCAYJEFE","lastModifiedBy":{"user":{"id":"user_id","displayName":"User Name"}},"lastModifiedDateTime":"2016-08-24T17:32:45Z","name":"birds.png","webUrl":"https://org-my.sharepoint.com/personal/principal_name/Documents/birds.png","cTag":"\"c:{ctag},1\"","file":{"hashes":{}},"image":{},"parentReference":{"driveId":"drive_id","id":"parent_id","path":"/drive/root:"},"size":34038}
Target download url:
https://org-my.sharepoint.com/personal/principal_name/_layouts/15/download.aspx?guestaccesstoken=accesstoken&docid=docid&expiration=2016-09-01T17%3a12%3a15.000Z&userid=uid&authurl=True&NeverAuth=True
Download response code:
404
Download response headers:
{'Content-Length': '13702', 'SPIisLatency': '4', 'X-Content-Type-Options': 'nosniff', 'X-AspNet-Version': '4.0.30319', 'request-id': '288b9f9d-c04a-2000-133b-ebab2f6f332b', 'Strict-Transport-Security': 'max-age=31536000', 'MicrosoftSharePointTeamServices': '16.0.0.5625', 'X-Powered-By': 'ASP.NET', 'SPRequestGuid': '288b9f9d-c04a-2000-133b-ebab2f6f332b', 'Server': 'Microsoft-IIS/8.5', 'X-MS-InvokeApp': '1; RequireReadOnly', 'X-SharePointHealthScore': '0', 'SPRequestDuration': '297', 'SharePointError': '0', 'Cache-Control': 'private', 'Date': 'Thu, 01 Sep 2016 16:12:14 GMT', 'P3P': 'CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"', 'Content-Type': 'text/html; charset=utf-8'}
Download response cookies:
<RequestsCookieJar[]>
Download response redirect history:
[]
Which is to say that immediately following the link results in a 404, though it is supposed to download the file bytes. I have reproduced this in java, python, bash/curl, and in the browser. Can anybody help point out what I am doing wrong, or is this a problem with the microsoft graph api?
EDIT:
I can also reproduce the same 404 using the /drive/items/{item-id}/content endpoint described here. The request to this endpoint results in a 302 redirect (as described in the documentation), which, when followed, results in the same 404 behavior as described above.
EDIT2:
Here are all the request-ids I could find in the response headers that looked useful for debugging from Microsoft's side.
For the 200 request on the item object: 'request-id': 'adfa3492-4825-439d-8e59-022f32e78244', 'client-request-id': 'adfa3492-4825-439d-8e59-022f32e78244'
For the 404 request on the download url: 'request-id': '33e09e9d-b0c2-2000-133c-304585c15000', 'SPRequestGuid': '33e09e9d-b0c2-2000-133c-304585c15000',
Additionally, the actual HTML returned from the 404 includes Correlation ID: a8e09e9d-a0bb-2000-133b-ef6fc8ac7015
File download is currently only supported with delegated permissions (e.g. File.Read scope) as documented here. Your request was made with application permissions Files.Read.All and Files.ReadWrite.All, which we're gradually adding support for, but they're not yet fully functional and are not listed here.
Can you check that item_id is in fact the ID of an item? If you are working off the collection returned by GET /v1.0/users//drive/items/, the collection will return an array of folder and item metadata. If you try your request against a folder, you will get the 404 as you've described. That's the only way that I can repro your issue. If that is not the issue, please provide the request/response trace so that we can see the error details.