I'm using the Microsoft Graph login endpoint: login.microsoftonline.com/[tenantId]/oauth2/token with a grant type of "password" to log users in:
{
"grant_type": "password",
"client_id": "xxx",
"client_secret": "xxx",
"scope": "openid",
"resource": "https://graph.microsoft.com",
"username": "username",
"password": "********",
}
When I post this with users that are not enrolled in multi-factor authentication on our AD I get back the expected results including an access_token and refresh_token
However on users that are enrolled I get back a HttpStatusCode.BadRequest with an error of "interaction_required"
According to documentation from Microsoft found here:
In this case, your app receives a 400 with an interaction_required
error during access token acquisition or a 403 with
insufficient_claims error when calling Microsoft Graph. In both cases,
the error response contains additional information that can be
presented to the authorize endpoint to challenge the user for
additional information (like multi-factor authentication or device
enrollment).
However I do not see any additional information in the results and can't find much information on next steps. The JSON I get back looks like this:
{
"error":"interaction_required",
"error_description":"AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: aee10c85-fd12-42ec-be6c-76d546500100\r\nCorrelation ID: 0ee3ebac-f702-4fbc-be76-fd6a291ad488\r\nTimestamp: 2021-09-09 17:45:24Z",
"error_codes":[50079],"timestamp":"2021-09-09 17:45:24Z",
"trace_id":"aee10c85-fd12-42ec-be6c-76d546500100",
"correlation_id":"0ee3ebac-f702-4fbc-be76-fd6a291ad488",
"error_uri":"https://login.microsoftonline.com/error?code=50079",
"suberror":"basic_action"
}
But I am getting back "interaction_required" and confirmed with our AD administrator that they are definitely enrolled. So I am at a bit of a loss for next steps to resolve this.
Cause :User is attempting a authentication method that requires Multi-factor authentication
Try to catch the error you get, and perform a new request according to steps for your flow scenarios by referring from this MS docs
Microsoft Graph has special considerations when building apps in
Conditional Access environments. Since Conditional Access policies are
assigned the specific datasets, Azure AD will enforce Conditional
Access policies based on the data behind Graph - rather than Graph
itself.
(or check below points)
Conditional access policies prevent non-interactive flows to work.
Possible solutions...
Use a interactive flow instead.
If you are using a interactive flow and still getting this error, please make sure openid is one of the scopes during the interactive sign-in. You might be getting the error after the interactive sign-in and trying to exchange the authorization code for a access token...
Example:
https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize?client_id=#...#
&response_type=code
&scope=openid groups.read.all
&nonce=1234
&redirect_uri=https://app.contoso.com
Notice "scope=openid groups.read.all" in the request above
Add the client application to the exception list of the Conditional Access Policy
Add the user to the exception list of the Conditional Access Policy
If you are not using conditional access policies and the user is directly enabled for MFA, then as a last thing, disable MFA for the user if solutions above do not work for you.
Or you can use certificate based authentication instead of MFA
References:
login-to-azure-web-application-fails-with-aadsts50079
SO thread
Related
A recurring job has started to fail, I've recreated the issue with Postman.
Error:
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password."
"error_codes": [50126]
"error_uri": "https://login.microsoftonline.com/error?code=50126"
The Username & Password used, work with MS Graph Explorer so I'm confident that the password has not changed. I did change the grant_type=client_credentials and this works so I believe the rest of the settings are also correct. I did ramp up the frequency of the job from daily to hourly lately, but the error message indicates an authentication issue.
I'm running out of ideas to try & troubleshoot, perhaps someone knows something that I don't.
Postman settings:
These are the production settings used in MS Power Automate, the same as above.
If its an unattended process and uses the client credentials flow, then the username and password are not being used at all.
An Access token is being obtained using the clientId and the client secret alone.
It'd help if you can list the operations that you are planning to call in the question.
Note that MS Graph uses both delegated and application permissions and depending on the Api being called, you would be required to sign-in as an app of sign-in a user. Its a bit of a learning curve and I'd recommend you go through a session like this one.
Problem: Authentication error when trying to authenticate to MS Graph API with an AD account that had previously worked.
Final Hypothesise: A potential issue between cloud authentication & on-prem AD authentication.
Solution: A new AzureAD service account specifically for the purpose was created & provisioned with similar access to the original service account & all worked as normal.
Summary: The issue seems to have been the link between AzureAD & on-premAD. Hope this helps someone out in future
I'm unable to authenticate / sign-in via AzureAD when running testCafe.
const testrole = Role(
'https://login.microsoftonline.com/',
async t => {
await t
.typeText(Selector('input').withAttribute('type', 'email'), *******)
.click(Selector('#idSIButton9'))
.typeText(Selector('input').withAttribute('type', 'password'), ********)
.click(Selector('#idSIButton9'));
},
{ preserveUrl: true }
);
The above steps work fine, however after entering the password I get a message saying:
"Unable to sign in to Outlook account, Error: AADSTS900561: The endpoint only accepts POST requests. Received a GET request."
From my initial search, it seems like something to do with 3rd party cookies on the browser. However, I'm unable to find a solution at this time.
Any idea how I get around this issue?
The Azure AD product team has always reminded me that it is a bad idea to try to automate sign in like that.
They will probably detect that you are a bot and start blocking your requests, even if you succeed.
Instead, to acquire access tokens you need to use either the client credentials flow (for app-only tokens) or the resource owner password credentials flow (for delegated user tokens).
Client credentials flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
ROPC flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
You have to take good care to secure the credentials used for testing.
And use a test tenant if possible.
(DocuSign Support Center directed me here)
We use DocuSign as an integration in another application but I still cannot generate the token through external services/tools and have not been able to get a solid answer from DocuSign support and was directed to post my question here.
"error": "Invalid client_id", "error_description": "One or both of Username and Password are invalid."
We have been using this DocuSign Account/Integrator Key for over a year with no problems up until now!
This error is related to generating the "OAuth2 Token". (I have included all relevant account information at the bottom of this text box for your convenience).
This issue presented itself just after the ticket was opened about the inquiry into the advanced API plan and maybe something got shuffled unknowingly that broke the account's status for which API plan was purchased because it looks like at first glance I am prompted to buy the "basic" plan still on our live account.
(Ran this through Postman)
https://www.docusign.net/restapi/v2/oauth2/token
password: "redacted",
client_id: "redacted",
grant_type: "password",
scope: "api",
username: "redacted"
The body of the response is as follows:
"error": "invalid_client",
"error_description": "One or both of Username and Password are invalid."
These are the exact credentials used to log in to the DocuSign portal itself so the error message is extremely confusing. I tried escaping password characters, changing the password, and even went so far as to create an entirely new integrator key by making a new sandbox account to run the 20 API calls to get it promoted assuming the problem was the key. I was able to successfully generate the OAuth Token for the demo.docusign.net account with the credentials for my sandbox account (the username used for the sandbox account was an entirely new account/email setup).
DocuSign has a demo (sandbox) environment for testing as well as it's core production environment. In the demo system all the API endpoints start with the following base URI:
https://demo.docusign.net/...
However when live in production your account may reside in one of many different data centers. For example, some possible sites are:
https://www.docusign.net/
https://na2.docusign.net/
https://na3.docusign.net/
https://eu.docusign.net/
...
I see you mention you are using Postman to test production API requests using https://www.docusign.net/... as you base, have you confirmed this is the correct base URI for your user/account? It's possible the account resides in a different data center and that would make sense why you are getting an invalid credentials error as it's not the right account.
Determining the correct base_uri for a given user of your app is done during the OAuth process, you need to make the Get User Info call and parse the base_uri that is returned in the response and use THAT for subsequent API calls.
Unable to get the access token by directly passing the username and password
Endpoint : https://login.microsoftonline.com/{tenant_id}/oauth2/token
grant_type: password
client_id: APPLICATION_ID
resource: https://graph.microsoft.com/.default
username: <username#microsoft.com>
password: <password>
Scope : openid
App is created in https://apps.dev.microsoft.com/
Getting Invalid grant error:
{
"error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 1ff96bc3-29c8-48f1-b7cc-f77c01525500\r\nCorrelation ID: 9821fdf5-25dc-4b07-84b3-f084194ea123\r\nTimestamp: 2018-09-14 20:04:01Z",
"error_codes": [
70002,
50126
],
"timestamp": "2018-09-14 20:04:01Z",
"trace_id": "1ff96bc3-29c8-48f1-b7cc-f77c01525500",
"correlation_id": "9821fdf5-25dc-4b07-84b3-f084194ea123"
}
UPDATE
Looks like there are more than one issues in play here.
You were using Azure AD token endpoint but had registered your application with Azure AD B2C by mistake (so case 2 as per my original answer).
Now after correcting that one, you should be using clientid and client secret for this new application that is registered with Azure AD.
Make sure you have added Microsoft Graph permissions for your application in Azure AD under "required permissions" and at the end of selecting appropriate permissions, make sure you press on the "Grant Permissions" button to give consent.
Looking at the error message and code you are getting (invalid_grant and "AADSTS70002: Error validating credentials. AADSTS50126"), I tried out ROPC exactly like you from Postman with a test application of my own and I tried multiple different combinations of passing wrong inputs, but the exact error codes you see come only in scenario where either my password or the username is incorrect (as the message says :)). In all other cases, error code will be different.
So, for username - make sure you give fully qualified name e.g. rohitsaigal#mydomain.onmicrosoft.com
for password - pretty obvious.
Give it another try based on instructions above and lets see how it goes.
ORIGINAL ANSWER
App is created in https://apps.dev.microsoft.com/
This means that your application is registered with Azure AD B2C.
Where you have registered your application isn't matching with the token endpoint you are using.
Case 1 - You are looking to use Azure AD B2C
Resource Owner Password Credentials Grant is still in public preview and you will need to follow the instructions provided by Microsoft here -
Configure the resource owner password credentials flow in Azure AD B2C
The endpoint you will hit to get the token will also be different that the one you have mentioned.
https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
Case 2 - You are looking to use Azure AD B2B
In this case you are using the correct end point to get the token, but you have wrongly registered your application with Azure AD B2C, you will need to change that and register your application from Azure Portal.
Instructions and details here - Integrating applications with Azure Active Directory
Just in case you need to read up on differences between Azure AD B2B v/s B2C - look at this SO Post
Here is another useful SO Post that gives information about registering your application through Azure Portal v/s https://apps.dev.microsoft.com (New application registration portal)
It seems like you didn't Grant Permissions to your app. Make sure all of the users are added to the app and ensure that you have the correct web.config parameters.
Also, ensure that the username and password are correct for the managed domain to connect. I've gotten this error before using the incorrect user. A regular azure global admin user may not be able to authenticate. You need to make sure you are using a CSP admin user.
This works https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
But keep in mind that there are limitations like:
You cannot use when a password is expired or needs to be changed.
MFA is not supported
Social logins are not supported
I got "error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
When i try to fetch User Profile in Google+ api by https://www.googleapis.com/plus/v1/people/me URL String.If anyone have any suggestion then please tell me as soon as possible.Thanks in advance for your time.
That message implies that you haven't set up a Google APIs console project.
Create a Google APIs Console project
On the Services pane, enable all of the APIs that your project requires.
On the API Access pane, click Create an OAuth 2.0 client ID. A dialog opens. Fill in your project's information. Click Next
Choose the appropriate application type. Based on the tags you used for this post, I am guessing this is an iOS project so select Installed application.
Enter your bundle ID. You don't need to enter an App Store ID until your app is listed there.
Click Create Client ID.
You will see the client ID and client secret values. You will use these values to enable communication with your project and the Google APIs.
If you aren't already using it, see the Google+ iOS SDK and documentation for a full walk through. The task called "write moments" is similar in implementation and demonstrates how to connect to and use the Google+ REST APIs from within an iOS project that uses the SDK.
You'll need to specify the scope of plus.me to get the profile information.
I got the same error and after much hunting I found that, in my case, the Authorization header with the access token was not set. Set Authorization: "Bearer <YOUR_ACCESS_TOKEN>" in the header of the request of EVERY Google API call.
I just want to add a little information here in the rare case that someone runs into this problem.
I have an organization (ORG). I created a second channel (SC) with some playlists, that referenced videos from ORG.
I made the mistake of assuming that because ORG owned SC, that I could use the same oauth credentials from ORG to access both. I was wrong.
I switched credentials and was confused when I could access the playlists but not the videos. Again, I needed credentials for each one separately to access the resources on the respective channel.
Lame, but that was how it was.
BrettJ's answer will cover most of the bases. However, you will also get this error - even when your credentials are properly authenticated - when the scope is not properly set up. I would check the scope setting in your OAuth dance. Make sure your user is permitted to do the thing your code is trying to help them do.
On top of what BrettJ has mentioned, it is important to send the authorization header for the request done to fetch UserProfile in google+ API.
For example, Add the following header
key: Authorization
value: Bearer ya29.Ci-cA_CywoVdVG#######
For what it's worth, I also got this error when using rclone to sync files and my firewall wasn't configured to allow that traffic.