无法通过Gmail用户的用户名和密码从Azure活动目录中获取令牌 [英] not able to get the token from azure active directory by pass username and password for gmail user

问题描述

我正在尝试以下方法从azure活动目录获取访问令牌

我在c夏普中的代码如下

 公共异步任务< string>validateADPCredential(字符串数据){数据= HttpUtility.UrlDecode(数据);ADPCredential adpCredential = JsonConvert.DeserializeObject< ADPCredential>(数据);尝试{字符串clientId = ConfigurationManager.AppSettings ["azureclient_id"];字符串clientSecret = ConfigurationManager.AppSettings ["azureclient_secret"];字符串tenant = ConfigurationManager.AppSettings ["tenantId"];字符串资源= ConfigurationManager.AppSettings ["resource"];var Authority ="https://login.microsoftonline.com/" +租户；var azureAdEndpoint =新的Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");var urlEncodedContent = new FormUrlEncodedContent(new []{新的KeyValuePair< string，string>("grant_type"，"password")，new KeyValuePair< string，string>("client_id"，clientId)，//使用api客户端ID新的KeyValuePair< string，string>(用户名"，adpCredential.Username)，新的KeyValuePair< string，string>("password"，adpCredential.Password)，新的KeyValuePair< string，string>("client_secret"，clientSecret)，新的KeyValuePair< string，string>("scope"，"https://graph.microsoft.com/.default")，});HttpClient httpClient =新的HttpClient();var result = await httpClient.PostAsync(azureAdEndpoint，urlEncodedContent);{var content =等待结果.Content.ReadAsStringAsync();var authResult = JsonConvert.DeserializeObject< dynamic>(内容);返回authResult.access_token;}}抓住(前例外){}返回string.Empty;} 

此代码工作正常，我能够为活动目录的内部用户获取令牌.但是对于gmail用户(外部用户)，我会遇到以下错误.

  {{ 

错误":"invalid_grant"，"error_description":"AADSTS50034:esheb.onmicrosoft.com目录中不存在用户帐户{EmailHidden}.要登录此应用程序，必须将该帐户添加到目录中.\ r \ nTrace ID:0222e890-a19e-4694-a004-327f2312aa00 \ r \ n关联ID:8587e63d-9cd-4257-aa6c-1ef394d03f56 \ r \ n时间戳:2020-06-09 16:57:03Z，错误代码":[50034]，"timestamp":"2020-06-09 16:57:03Z"，"trace_id":"0222e90-a19e-4694-a004-327f2312aa00"，"correlation_id":"8587e63d-c6d-4257-aa6c-1ef394d03f56"，"error_uri":"

参考:

Microsoft身份平台和OAuth 2.0资源所有者密码凭证

i am trying the following method to get the access token from azure active directory

my code in c sharp is as below

   public async Task<string> validateADPCredential(string data)
    {
        data = HttpUtility.UrlDecode(data);
        ADPCredential adpCredential = JsonConvert.DeserializeObject<ADPCredential>(data);

        try
        {
            string clientId = ConfigurationManager.AppSettings["azureclient_id"];
            string clientSecret = ConfigurationManager.AppSettings["azureclient_secret"];
            string tenant = ConfigurationManager.AppSettings["tenantId"];
            string resource = ConfigurationManager.AppSettings["resource"];

            var authority = "https://login.microsoftonline.com/" + tenant;


            var azureAdEndpoint = new Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");
            var urlEncodedContent = new FormUrlEncodedContent(new[]
            {
               new KeyValuePair<string, string>("grant_type", "password"),


               new KeyValuePair<string, string>("client_id", clientId), //using the api client id
               new KeyValuePair<string, string>("username", adpCredential.Username),
               new KeyValuePair<string, string>("password", adpCredential.Password),
               new KeyValuePair<string, string>("client_secret", clientSecret),
               new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"),

        });

            HttpClient httpClient = new HttpClient();
            var result = await httpClient.PostAsync(azureAdEndpoint, urlEncodedContent);
            {
                var content = await result.Content.ReadAsStringAsync();
                var authResult = JsonConvert.DeserializeObject<dynamic>(content);
                return authResult.access_token;
            }
        }
        catch (Exception ex)
        {

        }
        return string.Empty;

    }

this code is working fine and i able to get the token for for internal user of active directory.but for gmail user(external user) i am getting the following error.

{{

"error": "invalid_grant", "error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the esheb.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 0222e890-a19e-4694-a004-327f2312aa00\r\nCorrelation ID: 8587e63d-9cd-4257-aa6c-1ef394d03f56\r\nTimestamp: 2020-06-09 16:57:03Z", "error_codes": [ 50034 ], "timestamp": "2020-06-09 16:57:03Z", "trace_id": "0222e90-a19e-4694-a004-327f2312aa00", "correlation_id": "8587e63d-c6d-4257-aa6c-1ef394d03f56", "error_uri": "https://login.microsoftonline.com/error?code=50034" }}

again if i tried to get the token in the following method

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

i am able to get the token for internal and external user of the azure active directory.

can any one find out the solution for me .

解决方案

It is not supported for gmail user(external user) to use ROPC, you can find the document as below.

Personal accounts that are invited to an Azure AD tenant can't use ROPC(Resource Owner Password Credentials).

Reference:

Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials

这篇关于无法通过Gmail用户的用户名和密码从Azure活动目录中获取令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！