问题
I am trying to hit a post request to "https://login.microsoftonline.com/<My_Tenat_Id>/oauth2/token" from my Java Code, but I am getting the error "invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password". I have verified the credentials and they are correct(I am able to login to Azure portal and see my AWS APP for SSO). I even tried hitting the same request from postman, but then also same issue.
The parameters I have passed are: "grant_type", "password" "requested_token_type","urn:ietf:params:oauth:token-type:saml2" "username", username "password", password "client_secret", clientSecret "client_id", clientId "resource", clientId
I have even checked various Microsoft Documentations but I am still not able to resolve the issue. Can anybody tell what might be the issue. is the API call wrong or the server setup is wrong.
Please note:-Initially my API call was working, but then I got an error invalid_request: AADSTS80014 then it automatically got resolved and I started getting invalid_grant: AADSTS50126 . Has anybody faced this issue or knows how to fix this. Thanks!
回答1:
I am able to resolve this by creating a cloud only user. The reason a federated user fails with the Resource Owner Password Grant flow is because for a federated user Azure AD has to redirect the user to the specific federation Server that belongs to the user's on-prem domain so that the ADFS server can get the auth down with the local domain controller. In Resource Owner Password grant flow this redirect is not possible hence it is not able to validate the username and password and hence that error.
As a suggestion, we can create a new cloud only user whose username and password should reside in Azure AD, so that when using Resource Owner password Grant flow we submit the user's credentials, AAD can authenticate the user without any redirections.
This user can be a normal user in AAD and the respective delegated permissions should be present in the app registration. Now one more thing to make sure is, if the delegated permission that we are providing needs admin consent then before the user logs in to the application, the admin has to provide the admin consent to this delegated permission. If we want to the user to provide his/her own consent (if the delegated permission needs user consent) then we would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant Flow.
来源:https://stackoverflow.com/questions/65199330/invalid-grant-aadsts50126-error-validating-credentials-due-to-invalid-username