无法通过为 gmail 用户传递用户名和密码来从 Azure Active Directory 获取令牌
not able to get the token from azure active directory by pass username and password for gmail user
我正在尝试使用以下方法从 Azure 活动目录中获取访问令牌
我的 c sharp 代码如下
public async Task<string> validateADPCredential(string data)
{
data = HttpUtility.UrlDecode(data);
ADPCredential adpCredential = JsonConvert.DeserializeObject<ADPCredential>(data);
try
{
string clientId = ConfigurationManager.AppSettings["azureclient_id"];
string clientSecret = ConfigurationManager.AppSettings["azureclient_secret"];
string tenant = ConfigurationManager.AppSettings["tenantId"];
string resource = ConfigurationManager.AppSettings["resource"];
var authority = "https://login.microsoftonline.com/" + tenant;
var azureAdEndpoint = new Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");
var urlEncodedContent = new FormUrlEncodedContent(new[]
{
new KeyValuePair<string, string>("grant_type", "password"),
new KeyValuePair<string, string>("client_id", clientId), //using the api client id
new KeyValuePair<string, string>("username", adpCredential.Username),
new KeyValuePair<string, string>("password", adpCredential.Password),
new KeyValuePair<string, string>("client_secret", clientSecret),
new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"),
});
HttpClient httpClient = new HttpClient();
var result = await httpClient.PostAsync(azureAdEndpoint, urlEncodedContent);
{
var content = await result.Content.ReadAsStringAsync();
var authResult = JsonConvert.DeserializeObject<dynamic>(content);
return authResult.access_token;
}
}
catch (Exception ex)
{
}
return string.Empty;
}
这段代码工作正常,我能够为 gmail 用户(外部用户)的活动 directory.but 的内部用户获取令牌我收到以下错误。
</p>
<pre><code>{{
"error": "invalid_grant",
"error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the esheb.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 0222e890-a19e-4694-a004-327f2312aa00\r\nCorrelation ID: 8587e63d-9cd-4257-aa6c-1ef394d03f56\r\nTimestamp: 2020-06-09 16:57:03Z",
"error_codes": [
50034
],
"timestamp": "2020-06-09 16:57:03Z",
"trace_id": "0222e90-a19e-4694-a004-327f2312aa00",
"correlation_id": "8587e63d-c6d-4257-aa6c-1ef394d03f56",
"error_uri": "https://login.microsoftonline.com/error?code=50034"
}}
如果我尝试通过以下方法获取令牌,请再次使用
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
我能够为 Azure 活动目录的内部和外部用户获取令牌。
谁能帮我找出解决办法。
不支持gmail用户(外部用户)使用ROPC,您可以找到如下文档。
Personal accounts that are invited to an Azure AD tenant can't use
ROPC(Resource Owner Password Credentials).
参考:
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
我正在尝试使用以下方法从 Azure 活动目录中获取访问令牌
我的 c sharp 代码如下
public async Task<string> validateADPCredential(string data)
{
data = HttpUtility.UrlDecode(data);
ADPCredential adpCredential = JsonConvert.DeserializeObject<ADPCredential>(data);
try
{
string clientId = ConfigurationManager.AppSettings["azureclient_id"];
string clientSecret = ConfigurationManager.AppSettings["azureclient_secret"];
string tenant = ConfigurationManager.AppSettings["tenantId"];
string resource = ConfigurationManager.AppSettings["resource"];
var authority = "https://login.microsoftonline.com/" + tenant;
var azureAdEndpoint = new Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");
var urlEncodedContent = new FormUrlEncodedContent(new[]
{
new KeyValuePair<string, string>("grant_type", "password"),
new KeyValuePair<string, string>("client_id", clientId), //using the api client id
new KeyValuePair<string, string>("username", adpCredential.Username),
new KeyValuePair<string, string>("password", adpCredential.Password),
new KeyValuePair<string, string>("client_secret", clientSecret),
new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"),
});
HttpClient httpClient = new HttpClient();
var result = await httpClient.PostAsync(azureAdEndpoint, urlEncodedContent);
{
var content = await result.Content.ReadAsStringAsync();
var authResult = JsonConvert.DeserializeObject<dynamic>(content);
return authResult.access_token;
}
}
catch (Exception ex)
{
}
return string.Empty;
}
这段代码工作正常,我能够为 gmail 用户(外部用户)的活动 directory.but 的内部用户获取令牌我收到以下错误。
</p>
<pre><code>{{
"error": "invalid_grant", "error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the esheb.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 0222e890-a19e-4694-a004-327f2312aa00\r\nCorrelation ID: 8587e63d-9cd-4257-aa6c-1ef394d03f56\r\nTimestamp: 2020-06-09 16:57:03Z", "error_codes": [ 50034 ], "timestamp": "2020-06-09 16:57:03Z", "trace_id": "0222e90-a19e-4694-a004-327f2312aa00", "correlation_id": "8587e63d-c6d-4257-aa6c-1ef394d03f56", "error_uri": "https://login.microsoftonline.com/error?code=50034" }}
如果我尝试通过以下方法获取令牌,请再次使用
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
我能够为 Azure 活动目录的内部和外部用户获取令牌。
谁能帮我找出解决办法。
不支持gmail用户(外部用户)使用ROPC,您可以找到如下文档。
Personal accounts that are invited to an Azure AD tenant can't use ROPC(Resource Owner Password Credentials).
参考:
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials