問題描述
我正在嘗試從我的 Java 代碼中向 https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token 發送發布請求,但我收到了錯誤 invalid_grant:AADSTS50126:由于用戶名或密碼無效,驗證憑據時出錯".我已經驗證了憑據并且它們是正確的(我能夠登錄到 Azure 門戶并查看我的 AWS APP for SSO).我什至嘗試從郵遞員那里提出相同的要求,但也遇到了同樣的問題.
I am trying to hit a post request to https://login.microsoftonline.com/<My_Tenant_Id>/oauth2/token from my Java Code, but I am getting the error "invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password". I have verified the credentials and they are correct (I am able to login to Azure portal and see my AWS APP for SSO). I even tried hitting the same request from postman, but then also same issue.
我傳遞的參數是:
"grant_type", "password"
"requested_token_type","urn:ietf:params:oauth:token-type:saml2"
"username", username
"password", password
"client_secret", clientSecret
"client_id", clientId
"resource", clientId
我什至檢查了各種 Microsoft 文檔,但仍然無法解決問題.任何人都可以告訴可能是什么問題.是 API 調用錯誤還是服務器設置錯誤.
I have even checked various Microsoft Documentations but I am still not able to resolve the issue. Can anybody tell what might be the issue. is the API call wrong or the server setup is wrong.
請注意:最初我的 API 調用正常,但后來我收到一個錯誤 invalid_request: AADSTS80014 然后它自動得到解決,我開始收到 invalid_grant: AADSTS50126.有沒有人遇到過這個問題或知道如何解決這個問題.謝謝!
Please note: Initially my API call was working, but then I got an error invalid_request: AADSTS80014 then it automatically got resolved and I started getting invalid_grant: AADSTS50126. Has anybody faced this issue or knows how to fix this. Thanks!
推薦答案
我可以通過創建一個僅限云的用戶來解決這個問題.聯合用戶使用資源所有者密碼授予流程失敗的原因是,對于聯合用戶,Azure AD 必須將用戶重定向到屬于用戶的本地域的特定聯合服務器,以便 ADFS 服務器可以關閉身份驗證與本地域控制器.在資源所有者密碼授權流程中,此重定向是不可能的,因此它無法驗證用戶名和密碼,從而導致該錯誤.
I am able to resolve this by creating a cloud only user. The reason a federated user fails with the Resource Owner Password Grant flow is because for a federated user Azure AD has to redirect the user to the specific federation Server that belongs to the user's on-prem domain so that the ADFS server can get the auth down with the local domain controller. In Resource Owner Password grant flow this redirect is not possible hence it is not able to validate the username and password and hence that error.
作為建議,我們可以創建一個新的僅云用戶,其用戶名和密碼應駐留在 Azure AD 中,以便在使用資源所有者密碼授予流程時,我們提交用戶的憑據,AAD 無需任何重定向即可對用戶進行身份驗證.
As a suggestion, we can create a new cloud only user whose username and password should reside in Azure AD, so that when using Resource Owner password Grant flow we submit the user's credentials, AAD can authenticate the user without any redirections.
此用戶可以是 AAD 中的普通用戶,并且相應的委派權限應存在于應用注冊中.現在要確保的另一件事是,如果我們提供的委派權限需要管理員同意,那么在用戶登錄應用程序之前,管理員必須向此委派權限提供管理員同意.如果我們希望用戶提供他/她自己的同意(如果委派的權限需要用戶同意),那么我們必須在繼續資源所有者密碼授予流程之前以某種方式提供用戶同意.
This user can be a normal user in AAD and the respective delegated permissions should be present in the app registration. Now one more thing to make sure is, if the delegated permission that we are providing needs admin consent then before the user logs in to the application, the admin has to provide the admin consent to this delegated permission. If we want to the user to provide his/her own consent (if the delegated permission needs user consent) then we would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant Flow.
這篇關于invalid_grant:AADSTS50126:由于用戶名或密碼無效,驗證憑據時出錯的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!