Question
How to generate access_token for grant_type password in Azure AD for MS graph api
I have followed these two links to generate an access_token for the password grant_type:
- https://dzone.com/articles/getting-access-token-for-microsoft-graph-using-oau-2?preview=true
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=app-reg-ga
and used the curl request below:
curl --location --request POST 'https://login.microsoftonline.com/910f-90d18b56a170/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=4b5d-bde6-0b1a09b84a5f' --data-urlencode 'client_secret=q4720z4z_6N8CU-c7qEwx2a' --data-urlencode 'grant_type=password' --data-urlencode 'username=xxxx@yyyy.onmicrosoft.com' --data-urlencode 'password=xxxxxxx' --data-urlencode 'resource=https://graph.microsoft.com' --data-urlencode 'scope=openid'
Below is the response:
{
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 21fdd138-0bc6-49bd-8852-c7a6a3a1e600\r\nCorrelation ID: a1010714-38f6-4926-a135-568adcdada26\r\nTimestamp: 2020-12-15 16:44:37Z",
"error_codes": [
50126
],
"timestamp": "2020-12-15 16:44:37Z",
"trace_id": "21fdd138-0bc6-49bd-8852-c7a6a3a1e600",
"correlation_id": "a1010714-38f6-4926-a135-568adcdada26",
"error_uri": "https://login.microsoftonline.com/error?code=50126"
}
I don't know why the response suggests that my credentials are invalid even though I'm passing the right creds.
Could somebody help over here?
Thanks & regards
Answer 1:
I was facing the same issue when I ran the query below with wrong credentials.
After providing the right credentials to the curl operation below, I was able to get a token:
curl -X POST -d "client_id=clientid&scope=user.read&grant_type=password&username=username&password=password&resource=https://graph.microsoft.com" https://login.microsoftonline.com/tenantid/oauth2/token
Note: Microsoft recommends that you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application and carries risks that are not present in other flows. You should only use this flow when other, more secure flows can't be used.
Answer 2:
Yes, I was able to resolve this error with the curl request below. I also had to use the UTF character code for special symbols in my password (from https://www.utf8-chartable.de/) when running the command from a Linux terminal, though this wasn't required to get a token via Postman.
curl -X POST -d "client_id=3621485b0bf-6384-4b5d-bde6-0b1a09b84a5f&client_secret=145236op-54782314l-c7qEwx2a-U_T_-7-43n&scope=user.read&grant_type=password&username=johndoe@yyyy.onmicrosoft.com&password=Prince%244321&resource=https://graph.microsoft.com" https://login.microsoftonline.com/7452369-45217-4208-910f-90d18b56a170/oauth2/token
Below is the response:
{
"token_type": "Bearer",
"scope": "ChannelMessage.Send Group.Read.All Group.ReadWrite.All Mail.Read offline_access openid profile User.Read",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1608079489",
"not_before": "1608075589",
"resource": "https://graph.microsoft.com",
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6Ijl3NVBGbUpfQ1NsNjhhVHJ6dFJjVXZ0c1NaWm5nckFLS3JoQmFSbY2ZTgtNDUzMC04NzhhLTg4MjBmNDJlZjQ3NiIsInBsYXRmIjoiMTQiLCJwdWlkIjoiMTAwMzIwMDEwM0M4MkJDNSIsInJoIjoiMC5BQUFBSWZocjZPcldFRVdQLTN4b2JHUlg4aHBadjJQSDRmVkpoNlBMc2RFSGF6dFRBRG8uIiwic2NwIjoiQ2hhbm5lbE1lc3NhZ2UuU2VuZCBHcm91cC5SZWFkLkFsbCBHcm91cC5SZWFkV3Jp-OlzPDtk0GTG9o5AGLcTVv6VEVOFWF2TEylgdXnTX5A4Iue7Le8OcUtFa33of_11uvZuhEcxTzY_ANEz-R5TFhZJlxeeyw",
"refresh_token": "0.AAAAIfhr6OrWEEWP-3xobGRX8hpZv2PH4fVJh6PLsdEHaztTADo.GSfVElYY1X0hIwKK3JBkMHTamjwx9uEDeV9U8nPbEBe7w64JdaexMVJMyBeNFZOOrAda7wDGCUJq_1gv9J0k3X3QYsJafyOeuDtDckks9tLzHbD4ZJWAxN0Dnw-OaO4Tq95sa7-wozkCwC5ZWfTdeDjp6qb92SEKtQSl8YUCe340f1y_DuL6C2yMQARfgSPCTuuVz2TqMm8MjM46m4_WSz7ATK_UfzcHyywsBVYpxfgOzAA2eShbCqjMZbvab0moyvmo",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiI2M2JmNTkxYS1lMWM3LTQ5ZjUtODdhMy1jYmIxZDEwNzZiM2IiLCJpc3MiOiJodHRwczovLuMCJ9."
}
To achieve my desired results, I had to create a new user in Azure AD and use those creds.
For some odd reason my creds for the admin/main user for the Azure Portal were throwing this error "Error validating credentials due to invalid username or password" even though that user exists in the users list.
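As an added example (not code from the question or either answer), a small Python helper that builds the ROPC form body with proper percent-encoding, which is what the hand-edited `%24` in the password above achieves, and that reads the AADSTS code out of a reply like the one in the question. The tenant, client and user values are placeholders, and the error reply is a constructed sample.

```python
"""Added example, not from the original post: build an Azure AD v1 ROPC
token request body with correct form encoding and classify the JSON reply."""
import json
from urllib.parse import urlencode

# Hypothetical placeholder; fill in with the real tenant id.
V1_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_ropc_body(client_id, client_secret, username, password,
                    resource="https://graph.microsoft.com", scope="user.read"):
    """Return the x-www-form-urlencoded body for grant_type=password.

    urlencode percent-encodes every value, so a password such as
    'Prince$4321' becomes 'Prince%244321' without manual editing, and
    stray spaces around the username never reach the token endpoint."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "username": username.strip(),
        "password": password,
        "resource": resource,
        "scope": scope,
    })


def classify_token_response(raw_json):
    """Return ('ok', expires_in_seconds) on success, otherwise
    ('error', aadsts_code, first_line_of_description).

    Azure AD repeats the AADSTS code in error_codes and at the start of
    error_description; error_codes is the machine-readable field to log."""
    body = json.loads(raw_json)
    if "access_token" in body:
        return ("ok", int(body["expires_in"]))
    codes = body.get("error_codes") or []
    code = codes[0] if codes else None
    message = body.get("error_description", "").split("\r\n", 1)[0]
    return ("error", code, message)


# Constructed sample modelled on the failing reply in the question.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.\r\nTrace ID: <redacted>",
    "error_codes": [50126],
})

if __name__ == "__main__":
    print(build_ropc_body("<client-id>", "<secret>", "johndoe@contoso.example ", "Prince$4321"))
    print(classify_token_response(SAMPLE_ERROR))
```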
Source: https://stackoverflow.com/questions/65310207/how-to-generate-access-token-for-grant-type-password-in-azure-ad-for-ms-graph-ap