Reputation: 1
curl --location 'https://login.microsoftonline.com/tentId/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=xxxxxxxxx' \
--data-urlencode 'scope=User.Read profile openid email' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=ravindra1437_outlook.com#EXT#@ravinavyamullamurioutlook.onmicrosoft.com' \
--data-urlencode 'password=xxxxxxxxxxxx' \
--data-urlencode 'client_secret=xxxxxxxxxx'
Hi Team, I am facing an issue using the above curl-based call. I am passing the correct username and password but am facing the below issue.
{ "error": "invalid_grant", "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: bb4dd885-c0a7-4985-8d95-45c520710800\r\nCorrelation ID: 7eb0748c-6450-462d-8cd5-c48cd869d59c\r\nTimestamp: 2023-04-20 04:07:49Z", "error_codes": [ 50126 ], "timestamp": "2023-04-20 04:07:49Z", "trace_id": "bb4dd885-c0a7-4985-8d95-45c520710800", "correlation_id": "7eb0748c-6450-462d-8cd5-c48cd869d59c", "error_uri": "https://login.microsoftonline.com/error?code=50126" }
Upvotes: 0
Views: 455
Reputation: 22307
As mentioned in this MS Documentation,
The Microsoft identity platform only supports the ROPC grant within Azure AD tenants, not personal accounts. Personal accounts that are invited to an Azure AD tenant can't use the ROPC flow.
I registered one Azure AD application and added the same API permissions as below:
When I ran the curl command by importing it in Postman, I got the same error, as I used external user credentials like below:
curl --location 'https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<appID>' \
--data-urlencode 'scope=User.Read profile openid email' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=demouser_gmail.com#EXT#@xxxxxxxxx.onmicrosoft.com' \
--data-urlencode 'password=xxxxxxxxxxxx' \
--data-urlencode 'client_secret=xxxxxxxxxx'
Response:
To resolve the error, you need to replace the username and password with local Azure AD user credentials like below:
curl --location 'https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<appID>' \
--data-urlencode 'scope=User.Read profile openid email' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<localUser>@<tenant>.onmicrosoft.com' \
--data-urlencode 'password=xxxxxxxxxxxx' \
--data-urlencode 'client_secret=xxxxxxxxxx'
Response:
When I decoded the above token in jwt.ms, I got the scp claim with the added permissions successfully, like below:
Upvotes: 0
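As an added example (not code from the question or the answer): a small Python helper that applies the answer's point before a single request is sent. It refuses a guest UPN of the #EXT# form, builds the same ROPC form body the curl commands post, pulls the AADSTS code out of an error body, and reads the scp claim out of a returned token the way jwt.ms does. Tenant, app and credential values are placeholders; the sample error body is the one from the question (IDs trimmed) and the sample token is constructed, so everything runs offline.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def is_guest_upn(username):
    """True for a B2B guest UPN of the form user_domain.com#EXT#@<tenant>.onmicrosoft.com."""
    local, _, domain = username.rpartition("@")
    return "#EXT#" in local and domain.lower().endswith(".onmicrosoft.com")

def build_ropc_request(tenant, client_id, client_secret, username, password,
                       scope="User.Read profile openid email"):
    """Return (url, form body) for the ROPC grant used in the question.
    Guest UPNs are rejected before any credential leaves the process: ROPC only
    works for member users of the tenant, so the request would fail with AADSTS50126.
    (ROPC also cannot complete MFA, which is why Microsoft steers clients away from it.)"""
    if is_guest_upn(username):
        raise ValueError(f"{username} is a guest UPN; ROPC needs a member user")
    body = urlencode({"client_id": client_id, "scope": scope, "grant_type": "password",
                      "username": username, "password": password,
                      "client_secret": client_secret})
    return TOKEN_URL.format(tenant=tenant), body

def parse_token_error(response_text):
    """Return (error, AADSTS numeric code, first line of error_description)."""
    data = json.loads(response_text)
    codes = data.get("error_codes") or [None]
    return data.get("error"), codes[0], data.get("error_description", "").split("\r\n")[0]

def jwt_scopes(token):
    """Decode the JWT payload (inspection only, no signature check) and return scp as a list."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("scp", "").split()

# Constructed sample: the error body from the question, with the IDs trimmed.
SAMPLE_ERROR = r'{"error": "invalid_grant", "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: bb4dd885-c0a7-4985-8d95-45c520710800", "error_codes": [50126]}'

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: header.payload.<fake signature>, carrying only an scp claim.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"scp": "email openid profile User.Read"}), "sig"])

if __name__ == "__main__":
    print(parse_token_error(SAMPLE_ERROR))
    print(jwt_scopes(SAMPLE_TOKEN))
```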