invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password


Problem description


I am trying to hit a POST request to https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token from my Java code, but I am getting the error "invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password". I have verified the credentials and they are correct (I am able to log in to the Azure portal and see my AWS APP for SSO). I even tried hitting the same request from Postman, but got the same issue.

The parameters I am passing are:

"grant_type", "password"
"requested_token_type","urn:ietf:params:oauth:token-type:saml2"
"username", username
"password", password
"client_secret", clientSecret
"client_id", clientId
"resource", clientId


I have even checked various Microsoft documentation, but I am still not able to resolve the issue. Can anybody tell what might be the issue? Is the API call wrong or is the server setup wrong?


Please note: Initially my API call was working, but then I got an error invalid_request: AADSTS80014, then it automatically got resolved and I started getting invalid_grant: AADSTS50126. Has anybody faced this issue or does anybody know how to fix this? Thanks!

Recommended answer


I am able to resolve this by creating a cloud-only user. The reason a federated user fails with the Resource Owner Password Grant flow is that, for a federated user, Azure AD has to redirect the user to the specific federation server that belongs to the user's on-prem domain so that the ADFS server can get the auth down with the local domain controller. In the Resource Owner Password Grant flow this redirect is not possible, hence it is not able to validate the username and password, and hence that error.


As a suggestion, we can create a new cloud-only user whose username and password reside in Azure AD, so that when we submit the user's credentials in the Resource Owner Password Grant flow, AAD can authenticate the user without any redirections.


This user can be a normal user in AAD, and the respective delegated permissions should be present in the app registration. One more thing to make sure of: if the delegated permission that we are providing needs admin consent, then before the user logs in to the application, the admin has to provide admin consent to this delegated permission. If we want the user to provide his/her own consent (if the delegated permission needs user consent), then we would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant flow.
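
The request and error discussed above, as an added example that is not part of the original question or answer: it builds the form body from the parameters listed in the question, masks the secrets before logging, and pulls the AADSTS code out of the token endpoint's error body. The function names, the sample credentials and the sample error body are constructed for illustration; the hint text restates the cause given in the answer.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
SECRET_FIELDS = {"password", "client_secret"}

def build_ropc_request(tenant, client_id, client_secret, username, password):
    """Return (url, form body) using the parameters listed in the question."""
    fields = [
        ("grant_type", "password"),
        ("requested_token_type", "urn:ietf:params:oauth:token-type:saml2"),
        ("username", username),
        ("password", password),
        ("client_secret", client_secret),
        ("client_id", client_id),
        ("resource", client_id),
    ]
    return TOKEN_URL.format(tenant=tenant), urlencode(fields)

def redact(body):
    """Copy of the form body that is safe to log: secret values are masked."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_FIELDS else v) for k, v in pairs])

def diagnose(response_text):
    """Extract the OAuth error and AADSTS codes from a token-endpoint error body."""
    data = json.loads(response_text)
    found = re.findall(r"AADSTS(\d+)", data.get("error_description", ""))
    codes = sorted({int(c) for c in found} | set(data.get("error_codes", [])))
    hint = None
    if data.get("error") == "invalid_grant" and 50126 in codes:
        # Cause given in the answer: federated accounts cannot be validated
        # in this flow because the redirect to the federation server is impossible.
        hint = "check whether the account is federated; use a cloud-only user"
    return {"error": data.get("error"), "codes": codes, "hint": hint}

# Constructed sample error body, not captured from a real tenant.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.",
    "error_codes": [50126],
})

if __name__ == "__main__":
    url, body = build_ropc_request("<My_Tenant_Id>", "app-id", "app-secret",
                                   "user@example.com", "not-a-real-password")
    print(url, redact(body), diagnose(SAMPLE_ERROR), sep="\n")
```
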
