Getting access token using email address and app password from oauth2/token

Views: 272

Problem description

We are using compulsory two factor authentication for our email addresses under our Active Directory.

I have an app that requires a service account, so we created an app password for that service account. We acquire the access token using the following endpoint:

https://login.windows.net/{tenant_id}/oauth2/token

It works perfectly fine for credentials without two-factor authentication and a normal password, but not for accounts with two-factor auth and an app password.

If we enter the app password it returns this error:

AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password

How do I make it work?

Recommended answer

It looks like you are trying to use the Resource Owner Password Credentials Grant, which is in general not recommended (it doesn't support MFA, among other things). Instead of using that flow, see if the client credentials flow (where you can use an application ID + secret or certificate) fits your needs.

In the case of CRM Online, it does support the concept of "application user". You declare the application in AAD with a secret or a certificate. Then you go to CRM Online and add that "application user" with a custom security role.

Then you can use code like this to access CRM web services.

# Load ADAL (the 2.x library, which still has the synchronous AcquireToken) and the CRM SDK
add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
add-type -path "Microsoft.Xrm.Sdk.dll"
# The resource being accessed (the CRM organisation) and the AAD tenant authority
$resourceAppIdURI = "https://ORG.crm2.dynamics.com"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com"
# Client credential = application ID + application secret; no user account is involved, so no MFA prompt
$credential = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential("b1d83e4e-bc77-4919-8791-5408746265c1","<SECRET>")
# Second argument ($false) turns off ADAL's authority validation
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
# Client credentials grant: the token is issued to the application itself
$authResult = $authContext.AcquireToken($resourceAppIdURI, $credential)
# Organization service proxy; $false = do not use strongly typed (early-bound) entities
$sdkService = New-Object Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient("https://ORG.crm2.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=8.2",$false)
# The bearer token goes in the SOAP header; CRM maps it to the "application user" you created
$sdkService.HeaderToken = $authResult.AccessToken
# Simple round trip to confirm the application user is recognised
$OrganizationRequest = New-Object Microsoft.Xrm.Sdk.OrganizationRequest
$OrganizationRequest.RequestName = "WhoAmI"
$sdkService.Execute($OrganizationRequest)
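The answer above recommends the client credentials grant instead of the password grant. As an added example (not part of the original answer, and not the ADAL library's own code), the following PowerShell performs that grant directly against the same v1 `oauth2/token` endpoint the question uses, with plain `Invoke-RestMethod` and no ADAL DLL. Tenant, application ID, secret and resource are placeholders you must replace; `Format-AadError` and `Get-ClientCredentialsToken` are names chosen here, and the sample error document at the end is constructed from the error text quoted in the question rather than captured from a real response.

```powershell
# Added example: client credentials grant against the v1 token endpoint.
# Hypothetical function names; tenant/app/secret/resource are placeholders.

function Format-AadError {
    # Turn the JSON error document that AAD returns into one readable line.
    param([string] $ErrorJson)
    if (-not $ErrorJson) { return 'Token request failed with no response body' }
    $err = $ErrorJson | ConvertFrom-Json
    # error_codes carries the numeric AADSTS codes (50126 = invalid username or password,
    # the code the question hit with the user + app password combination)
    $codes = ($err.error_codes | ForEach-Object { "AADSTS$_" }) -join ', '
    return "$($err.error) [$codes]: $($err.error_description)"
}

function Get-ClientCredentialsToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,      # TENANT.onmicrosoft.com or the tenant GUID
        [Parameter(Mandatory)] [string] $ClientId,      # application (client) ID registered in AAD
        [Parameter(Mandatory)] [string] $ClientSecret,  # application secret (a certificate assertion also works)
        [Parameter(Mandatory)] [string] $Resource       # resource URI, e.g. https://ORG.crm2.dynamics.com
    )
    $tokenEndpoint = "https://login.windows.net/$TenantId/oauth2/token"

    # Form-encoded body for the v1 endpoint. There is no username or password here:
    # the application authenticates as itself, so an MFA policy on a user account
    # never enters the picture and no app password is needed.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $Resource
    }

    try {
        $response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body `
            -ContentType 'application/x-www-form-urlencoded'
        # $response has access_token, token_type, expires_on and resource
        return $response
    }
    catch {
        # Surface the AADSTS error instead of a bare HTTP 400/401 exception.
        # ErrorDetails.Message holds the body on PowerShell 7; fall back to the
        # response stream on Windows PowerShell 5.1.
        $raw = $_.ErrorDetails.Message
        if (-not $raw -and $_.Exception.Response -and
            $_.Exception.Response.PSObject.Methods['GetResponseStream']) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $raw = $reader.ReadToEnd()
        }
        throw (Format-AadError -ErrorJson $raw)
    }
}

# Constructed sample of the error shape from the question (not a real captured response),
# used here only to show what Format-AadError produces:
$sampleError = '{"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password","error_codes":[70002,50126]}'
Format-AadError -ErrorJson $sampleError

# Usage against a real tenant (placeholders):
# $token = Get-ClientCredentialsToken -TenantId 'TENANT.onmicrosoft.com' -ClientId '<APP_ID>' `
#              -ClientSecret '<SECRET>' -Resource 'https://ORG.crm2.dynamics.com'
# $sdkService.HeaderToken = $token.access_token
```

The returned `access_token` is what the answer's ADAL snippet places in `HeaderToken`, so the two approaches are interchangeable for the CRM "application user" setup. Keep the secret out of the script file itself (a certificate or a secret store is preferable), and note that a token obtained this way carries only the application's role assignments, not those of any user.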
