invalid_grant:AADSTS50126:由于无效的用户名或密码，导致验证凭据出错 [英] invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password

问题描述

我正在尝试从Java代码中发出对 https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token 的发布请求，但出现错误"invalid_grant:AADSTS50126:由于无效的用户名或密码，验证凭据时出错"..我已经验证了凭据并且它们是正确的(我能够登录到Azure门户并查看我的AWS SSO应用).我什至尝试过邮递员提出的相同要求，但又遇到了同样的问题.

我传递的参数是:

 "grant_type"，"password""requested_token_type"，"urn:ietf:params:oauth:token-type:saml2"用户名"，用户名密码"，密码"client_secret"，clientSecret"client_id"，clientId资源"，clientId 

我什至检查了各种Microsoft文档，但仍然无法解决问题.任何人都可以说出问题所在.是API调用错误还是服务器设置错误.

请注意:最初我的API调用正在运行，但随后出现错误 invalid_request:AADSTS80014 ，然后它自动解决，并且我开始获取 invalid_grant:AADSTS50126 .是否有人遇到此问题或知道如何解决此问题.谢谢！

解决方案

我能够通过创建仅云用户来解决此问题.联盟用户无法通过资源所有者密码授予"流失败的原因是，对于联盟用户，Azure AD必须将用户重定向到属于用户本地域的特定联盟服务器，以便ADFS服务器可以获取身份验证与本地域控制器.在资源所有者密码"授予流中，这种重定向是不可能的，因此无法验证用户名和密码，从而导致该错误.

作为建议，我们可以创建一个新的仅云用户，其用户名和密码应驻留在Azure AD中，以便在使用资源所有者密码授予流时，我们提交用户的凭据，AAD可以对用户进行身份验证而无需任何重定向./p>

此用户可以是AAD中的普通用户，并且相应的委派权限应出现在应用程序注册中.现在要确保的另一件事是，如果我们提供的委托权限需要管理员同意，那么在用户登录到应用程序之前，管理员必须向管理员提供对此委托权限的同意.如果我们希望用户提供他/她自己的同意(如果委托的许可需要用户同意)，那么在继续进行资源所有者密码授予流程之前，我们将不得不以某种方式提供用户同意.

I am trying to hit a post request to https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token from my Java Code, but I am getting the error "invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password". I have verified the credentials and they are correct (I am able to login to Azure portal and see my AWS APP for SSO). I even tried hitting the same request from postman, but then also same issue.

The parameters I have passed are:

"grant_type", "password"
"requested_token_type","urn:ietf:params:oauth:token-type:saml2"
"username", username
"password", password
"client_secret", clientSecret
"client_id", clientId
"resource", clientId

I have even checked various Microsoft Documentations but I am still not able to resolve the issue. Can anybody tell what might be the issue. is the API call wrong or the server setup is wrong.

Please note: Initially my API call was working, but then I got an error invalid_request: AADSTS80014 then it automatically got resolved and I started getting invalid_grant: AADSTS50126. Has anybody faced this issue or knows how to fix this. Thanks!

解决方案

I am able to resolve this by creating a cloud only user. The reason a federated user fails with the Resource Owner Password Grant flow is because for a federated user Azure AD has to redirect the user to the specific federation Server that belongs to the user's on-prem domain so that the ADFS server can get the auth down with the local domain controller. In Resource Owner Password grant flow this redirect is not possible hence it is not able to validate the username and password and hence that error.

As a suggestion, we can create a new cloud only user whose username and password should reside in Azure AD, so that when using Resource Owner password Grant flow we submit the user's credentials, AAD can authenticate the user without any redirections.

This user can be a normal user in AAD and the respective delegated permissions should be present in the app registration. Now one more thing to make sure is, if the delegated permission that we are providing needs admin consent then before the user logs in to the application, the admin has to provide the admin consent to this delegated permission. If we want to the user to provide his/her own consent (if the delegated permission needs user consent) then we would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant Flow.

这篇关于invalid_grant:AADSTS50126:由于无效的用户名或密码，导致验证凭据出错的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！