0
votes

I am trying to implement "Resource Owner Password Credentials Grant" in an Azure AD scenario.

I have a web API (DemoWebApi) and a console application (DemoConsole) declared as a native application. I was able to get "Authorization Code Grant" and "Client Credentials Grant" working, but I encounter some issues with "Resource Owner Password Credentials Grant".

First I read this: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

and especially the NO MSA section.

So I created a user in my Azure AD tenant, now I get this error message:

The user or administrator has not consented to use the application with ID 'bd274da6-80f2-458a-b74b-...'. Send an interactive authorization request for this user and resource.

I can't figure out what I should do.

This is my source code:

using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Tenant-specific authority (tenant id truncated in the post)
string authority = "https://login.microsoftonline.com/7dda5ce2-2fb6-4f82-bc27-...";

// Second argument disables authority validation
AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
// Username/password of the user created in the Azure AD tenant
UserPasswordCredential credentials = new UserPasswordCredential(login, password);
// resource = the web API being called, clientId = the native console app
AuthenticationResult res = await authenticationContext.AcquireTokenAsync(webApiClientId, consoleClientId, credentials);

2 Answers

0
votes

You need to provide more information to help us reproduce the issue, for example, how do you register the app: using the Azure portal, PowerShell or Visual Studio? What is the user type of the newly added user and how did you add that user?

Users do not have any opportunity of providing consent if username & password are passed directly. To fix that issue, you could try to grant permissions for that API in the portal (better to log in with an administrator account):


1
votes

If you are using it, for example, as a LoginController action in order to provide your customized login screen, it is worth reading about one scenario which I encountered when I was working on it.

Resource Owner Password Credential flow token issued even for an incorrect password

after one successful token allocation for the correct password.

There is a possibility that you need to call the login controller to get an access token in order to authenticate users. Now, when for the first time you acquired an access token by AuthenticationContext (by providing all the required information such as client id, resource id, tenant, credentials) and you again want to get an access token, but this time the user provides a wrong password but the correct client id, Azure AD still provides the access token for the object. Voila!!!! I have experienced this issue and I have reproduced this scenario 5-10 times to ensure this is actually happening.

If you have similar requirements, to resolve this possible issue you need to clear the token cache of the authentication context object right after getting the AuthenticationResult from the AcquireTokenAsync method.

// Drop the cached token so the next AcquireTokenAsync call goes to Azure AD again
authenticationContext.TokenCache.Clear();

and that's it :).

I guess this has never been documented and I am sure this will be helpful for anybody who is working on such a requirement to design a custom login page using the resource owner credential flow, although Azure strictly recommends using the other authentication flows it provides.
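The cache behaviour described in this answer, shown in an added example that is not code from either answer: a login helper that gives each request its own empty TokenCache, so ADAL cannot answer from a token cached by an earlier successful login and a wrong password is always sent to Azure AD. It assumes ADAL.NET v3 (Microsoft.IdentityModel.Clients.ActiveDirectory); the authority, resource and client id values are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not from the answers above. Assumes ADAL.NET v3 and
// placeholder tenant/app identifiers (replace with your own registration).
public sealed class RopcLoginService
{
    private const string Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>";
    private const string Resource  = "<web-api-app-id-uri-placeholder>"; // resource being requested
    private const string ClientId  = "<native-client-id-placeholder>";   // the native (console) app

    // Returns true only if Azure AD validated this username/password on this call.
    public static async Task<bool> ValidateCredentialsAsync(string username, string password)
    {
        // A fresh, empty TokenCache per request: nothing from a previous successful
        // login can be returned, so the request always reaches Azure AD.
        // validateAuthority is true here (the question used false) so the authority
        // is checked against the known Azure AD instance discovery endpoint.
        var ctx = new AuthenticationContext(Authority, validateAuthority: true, new TokenCache());
        try
        {
            var cred = new UserPasswordCredential(username, password);
            AuthenticationResult result = await ctx.AcquireTokenAsync(Resource, ClientId, cred);
            return !string.IsNullOrEmpty(result.AccessToken);
        }
        catch (AdalServiceException ex)
        {
            // Wrong password, non-consented app, etc. surface as an AADSTS error code.
            // Log the code for troubleshooting; never log the password.
            Console.Error.WriteLine($"Azure AD rejected the request: {ex.ErrorCode}");
            return false;
        }
        finally
        {
            // Same fix as the answer above, in case a shared cache is ever wired in.
            ctx.TokenCache.Clear();
        }
    }
}
```

A caller (for example the LoginController action) awaits ValidateCredentialsAsync and treats false as a failed login; it never reuses the AuthenticationContext across requests.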