使用电子邮件地址和应用程序密码从 oauth2/token
时间:2023-05-08问题描述
We are using compulsory two factor authentication for our email addresses under our Active Directory.
I have an app that requires a service account, so we created app password for that service account. We acquire access token using following end point -
https://login.windows.net/{tenant_id}/oauth2/token
It works perfectly fine for credentials without two factor authentication and normal password but not for accounts with two factor auth and app password
If we enter app password it returns this error -
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password
How can I get it working?
It looks like you are trying to use the Resource Owner Password Credentials Grant, which is in general not recommended (it doesn't support MFA among other things) Instead of using that flow, see if the client credential flow (where you can use an application ID + secret or certificate) fits your needs
In the case of CRM Online, it does support the concept of "application user". You declare the application in AAD with a secret or a certificate. Then you go to CRM Online and add that "application user" with a custom security role.
Then you can use code like this to access CRM web services.
add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
add-type -path "Microsoft.Xrm.Sdk.dll"
$resourceAppIdURI = "https://ORG.crm2.dynamics.com"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com"
$credential=New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential("b1d83e4e-bc77-4919-8791-5408746265c1","<SECRET>")
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$authResult = $authContext.AcquireToken($resourceAppIdURI, $credential)
$sdkService=new-object Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient("https://ORG.crm2.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=8.2",$false)
$sdkService.HeaderToken=$authResult.accesstoken
$OrganizationRequest=new-object Microsoft.Xrm.Sdk.OrganizationRequest
$OrganizationRequest.RequestName="WhoAmI"
$sdkService.Execute($OrganizationRequest)
这篇关于使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持html5模板网!
相关文章
ASP.NET Core 使用 Azure Active Directory 进行身份验证并ASP.NET Core authenticating with Azure Active Directory and persisting custom Claims across requests(ASP.NET Core 使用 Azure Active Directory 进行身- ASP.NET Core 2.0 Web API Azure Ad v2 令牌授权不起作用ASP.NET Core 2.0 Web API Azure Ad v2 Token Authorization not working(ASP.NET Core 2.0 Web API Azure Ad v2 令牌授权不起作用)
- 如何获取守护进程或服务器到 C# ASP.NET Web API 的How do I get Azure AD OAuth2 Access Token and Refresh token for Daemon or Server to C# ASP.NET Web API(如何获取守护进程或服务器到 C# ASP.N
- 异步调用时 Azure KeyVault Active Directory AcquireTokenAAzure KeyVault Active Directory AcquireTokenAsync timeout when called asynchronously(异步调用时 Azure KeyVault Active Directory AcquireTokenAsync 超
- 新的 Azure AD 应用程序在通过管理门户更新之前无New Azure AD application doesn#39;t work until updated through management portal(新的 Azure AD 应用程序在通过管理门户更新之前无法运行
- 向 AspNetCore Azure Authenticated Application 添加自定义声Adding Custom Claims to AspNetCore Azure Authenticated Application(向 AspNetCore Azure Authenticated Application 添加自定义声明)
最新文章
- 向 AspNetCore Azure Authenticated Application 添加自定义声
- 获取“BotAuthenticator 无法验证传入请求!"在示
- 我可以通过 Microsoft LiveID 帐户“安静地"登录
- 如何从MobileServiceUser获取用户名、邮箱等?
- 使用 Azure AD Graph 客户端 API 更改用户密码的权限
- .net 核心 [授权] 将 ClaimsIdentity 与 AAD 组一起使用
- ASP.NET 网页按请求在 Azure AD 中进行身份验证
- 通过 Azure Functions 在 Azure AD 中验证用户(验证用户
- 使用图形 api 以编程方式在 azure 活动目录中注册
- 等待杀死进程