
Unable to get the access token by directly passing the username and password

Endpoint: https://login.microsoftonline.com/{tenant_id}/oauth2/token

grant_type: password
client_id: APPLICATION_ID
resource: https://graph.microsoft.com/.default
username: <username@microsoft.com>
password: <password>
scope: openid

App is created in https://apps.dev.microsoft.com/

Getting Invalid grant error:

{
    "error": "invalid_grant",
    "error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 1ff96bc3-29c8-48f1-b7cc-f77c01525500\r\nCorrelation ID: 9821fdf5-25dc-4b07-84b3-f084194ea123\r\nTimestamp: 2018-09-14 20:04:01Z",
    "error_codes": [
        70002,
        50126
    ],
    "timestamp": "2018-09-14 20:04:01Z",
    "trace_id": "1ff96bc3-29c8-48f1-b7cc-f77c01525500",
    "correlation_id": "9821fdf5-25dc-4b07-84b3-f084194ea123"
}

(Screenshot of the token response, not reproduced here.)

Ganesh Chippada

3 Answers

It seems like you didn't Grant Permissions to your app. Make sure all of the users are added to the app and ensure that you have the correct web.config parameters.

Also, ensure that the username and password are correct for the managed domain to connect. I've gotten this error before using the incorrect user. A regular Azure global admin user may not be able to authenticate. You need to make sure you are using a CSP admin user.

Marilee Turscak - MSFT
  • I also got the same error. I'm using the Primary domain as a username. How to make sure that I'm using CSP admin user? – Milinda Dec 31 '21 at 06:09

UPDATE

Looks like there is more than one issue in play here.

  1. You were using Azure AD token endpoint but had registered your application with Azure AD B2C by mistake (so case 2 as per my original answer).

  2. Now after correcting that one, you should be using clientid and client secret for this new application that is registered with Azure AD.

  3. Make sure you have added Microsoft Graph permissions for your application in Azure AD under "required permissions" and at the end of selecting appropriate permissions, make sure you press on the "Grant Permissions" button to give consent.

  4. Looking at the error message and code you are getting (invalid_grant and "AADSTS70002: Error validating credentials. AADSTS50126"), I tried out ROPC exactly like you from Postman with a test application of my own and I tried multiple different combinations of passing wrong inputs, but the exact error codes you see come only in the scenario where either my password or the username is incorrect (as the message says :)). In all other cases, the error code will be different.

(Screenshot of the Postman error response, not reproduced here.)

So, for the username - make sure you give the fully qualified name, e.g. rohitsaigal@mydomain.onmicrosoft.com

For the password - pretty obvious.

Give it another try based on the instructions above and let's see how it goes.

ORIGINAL ANSWER

App is created in https://apps.dev.microsoft.com/

This means that your application is registered with Azure AD B2C.

Where you have registered your application isn't matching with the token endpoint you are using.

Case 1 - You are looking to use Azure AD B2C

Resource Owner Password Credentials Grant is still in public preview and you will need to follow the instructions provided by Microsoft here -

Configure the resource owner password credentials flow in Azure AD B2C

The endpoint you will hit to get the token will also be different from the one you have mentioned.

https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth

Case 2 - You are looking to use Azure AD B2B

In this case you are using the correct endpoint to get the token, but you have wrongly registered your application with Azure AD B2C; you will need to change that and register your application from the Azure Portal.

Instructions and details here - Integrating applications with Azure Active Directory

Just in case you need to read up on the differences between Azure AD B2B vs. B2C - look at this SO Post

Here is another useful SO Post that gives information about registering your application through the Azure Portal vs. https://apps.dev.microsoft.com (New application registration portal)

Rohit Saigal
  • I suspected the same and created the app in Azure to see if it works. But unfortunately I get the same error. Is this grant type used for all types of users? – Ganesh Chippada Sep 19 '18 at 20:25
  • I added the screenshot of the response while trying to generate the access token. – Ganesh Chippada Sep 19 '18 at 23:00
  • OK.. I see you're hitting the Azure AD endpoint (and NOT the B2C endpoint). So, now I take it you are working as per Case 2 in my answer and have registered your app in Azure AD? And the client ID that you are using is from the Azure AD application (NOT the application from https://apps.dev.microsoft.com)? – Rohit Saigal Sep 19 '18 at 23:03
  • OK, I now changed the username to the fully qualified name ganesh.chippada@xxxxx.onmicrosoft.com. It gives me a different error now. { "error": "invalid_grant", "error_description": "AADSTS50034: To sign into this application the account must be added to the xxxxx.onmicrosoft.com directory" } I can be sure the client ID is also correct. But unfortunately I can't see the app and verify the permissions as it is restricted to only admins. I can check on it and confirm the permissions. – Ganesh Chippada Sep 20 '18 at 03:18
  • Is the user that you're using not in the same Azure AD as the application? – Rohit Saigal Sep 20 '18 at 03:20
  • I am guessing it's in the same Azure AD. – Ganesh Chippada Sep 20 '18 at 05:08
  • Please check with your admin, if you aren't sure, because your latest error is giving some indication: if the application is registered in the same Azure AD that has your user. Also, you don't mention it so far, but is your application registration a multi-tenant one or a single-tenant one? If you're not looking for users from other Azure ADs to be using your application as a major use case, then single tenant is good (and the default when you create an application). – Rohit Saigal Sep 20 '18 at 05:10
  • OK. I checked with my admin and confirmed that the permissions are granted properly. Also the users and the apps are registered with the same Azure AD. I was asked not to use onmicrosoft.com as it is not listed in our Azure AD. So I changed that and used the one which is correct. I am now getting this error which I reported initially. "error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: bdf41c12-0583-48d2-bce6-8197e4101d00\r\nCorrelation ID: b00a2faa-0f33-498b-9d76-9c03cfb0e4f0\r\nTimestamp: 2018-09-20 15:01:52Z" – Ganesh Chippada Sep 20 '18 at 15:05
  • OK, I hope you're using the fully qualified username and correct password.. because you're back to the status code in my answer screenshot :) , if nothing else works ask them to reset your password and log in once through the browser before trying to use Postman. Also make sure you have the latest or a recent enough Postman app. – Rohit Saigal Sep 20 '18 at 15:27
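The token request from the question and the error-code reasoning in the answer and comments above, as a Python example added here (not code from the question, the answers, or Microsoft): it builds the v1 ROPC form, keeps the password out of anything that gets logged, and parses the AADSTS codes out of an error body to produce a triage hint. The endpoint shape and form field names are the ones shown in the question; the hint table is hand-maintained, with the codes that do not appear on this page (65001, 50076, 50055) taken from Microsoft's public AADSTS error list; the sample error body, the GUIDs and the tenant/client values in the `__main__` block are constructed.

```python
"""Build an Azure AD v1 ROPC token request and triage an AADSTS error response.

Added example, not from the question or answers. Assumes the v1 endpoint and
form fields shown in the question; the hint table is hand-maintained.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# Hand-maintained lookup: AADSTS code -> short triage hint. 70002, 50126 and
# 50034 appear on the page; the others are from Microsoft's public error list.
AADSTS_HINTS = {
    70002: "Credential validation failed; the code that follows it is the real cause.",
    50126: "Invalid username or password for this tenant. Use the fully qualified UPN "
           "and a password that has been used for an interactive sign-in recently.",
    50034: "The account is not in the tenant the app is registered in "
           "(user and app registration must live in the same Azure AD).",
    65001: "No consent for the app's permissions; an admin must press 'Grant permissions'.",
    50076: "Multi-factor authentication is required; ROPC cannot satisfy it.",
    50055: "The password has expired; ROPC cannot handle a password change.",
}

# Constructed sample body mirroring the shape of the response in the question.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70002: Error validating credentials. "
                         "AADSTS50126: Invalid username or password\r\n"
                         "Trace ID: 00000000-0000-0000-0000-000000000000\r\n"
                         "Correlation ID: 00000000-0000-0000-0000-000000000001\r\n"
                         "Timestamp: 2018-09-14 20:04:01Z",
    "error_codes": [70002, 50126],
    "timestamp": "2018-09-14 20:04:01Z",
    "trace_id": "00000000-0000-0000-0000-000000000000",
    "correlation_id": "00000000-0000-0000-0000-000000000001",
})


def token_url(tenant):
    """v1 token endpoint for a tenant id or verified domain (shape from the question)."""
    return TOKEN_URL.format(tenant=tenant)


def ropc_form(client_id, username, password, resource):
    """Form fields for a v1 ROPC request, in the order they are sent."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "resource": resource,
        "username": username,
        "password": password,
        "scope": "openid",
    }


def encode_form(fields):
    """URL-encode the body exactly as it goes on the wire."""
    return urllib.parse.urlencode(fields)


def redact(fields):
    """Copy of the form fields that is safe to log: the password is masked."""
    return {k: ("[REDACTED]" if k == "password" else v) for k, v in fields.items()}


def parse_aad_error(body):
    """Parse an AAD error JSON body into error, codes, trace_id and correlation_id.

    error_codes is preferred; if it is missing, the AADSTSnnnnn tokens in
    error_description are used instead (the comment in the thread shows a
    body with only error and error_description).
    """
    data = json.loads(body)
    codes = [int(c) for c in data.get("error_codes", [])]
    if not codes:
        codes = [int(m) for m in re.findall(r"AADSTS(\d+)", data.get("error_description", ""))]
    return {
        "error": data.get("error"),
        "codes": codes,
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),
    }


def diagnose(parsed):
    """One hint line per AADSTS code; unknown codes are reported, not dropped."""
    return [
        "AADSTS%d: %s" % (c, AADSTS_HINTS.get(c, "no local hint; look the code up in the AADSTS list"))
        for c in parsed["codes"]
    ]


def request_token(tenant, fields):
    """Live call (not exercised offline): returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(token_url(tenant), data=encode_form(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode(), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    fields = ropc_form("00000000-0000-0000-0000-0000000000aa",  # constructed client id
                       "user@contoso.onmicrosoft.com", "example-password",
                       "https://graph.microsoft.com")
    print("POST", token_url("contoso.onmicrosoft.com"), redact(fields))
    for line in diagnose(parse_aad_error(SAMPLE_ERROR)):
        print(line)
```

Log `redact(fields)` together with the `trace_id` and `correlation_id` from the parsed error; those two IDs are what a tenant admin needs to look the request up in the sign-in logs, and the password never has to reach a log line.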

This works https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow

But keep in mind that there are limitations like:

  • You cannot use it when a password is expired or needs to be changed.
  • MFA is not supported
  • Social logins are not supported
Juliyanage Silva