0
votes

I followed the article below, but I got the error below in the "Test the user flow" section:

https://docs.microsoft.com/en-gb/azure/active-directory-b2c/configure-ropc

HTTP/1.1 400 Bad Request
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
x-ms-gateway-requestid: fd437d7a-fd0e-42bf-adcf-0969f5dcf74d
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: x-ms-cpim-trans=; domain=mytenant.b2clogin.com; expires=Tue, 29-Jan-2019 13:35:09 GMT; path=/; secure; HttpOnly
Date: Wed, 30 Jan 2019 13:35:08 GMT
Content-Length: 217

{"error":"access_denied","error_description":"AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID: 9b3c19e2-6084-4bcd-b7d3-aab8d2c34dd9\r\nTimestamp: 2019-01-30 13:35:09Z\r\n"}

Request sent:

POST https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mytenant.b2clogin.com

username=myemail&password=password&grant_type=password&scope=openid myappId offline_access&client_id=myappId&response_type=token+id_token

I am a global admin, and I am able to create user flows, register applications, etc.

I am using Fiddler to send the request, so it is not related to WebApp/WebAPI.

The user name (e.g. [email protected]) and password are correct; they are the ones I use to log in to the Azure portal to set up the sample.

Any idea?

Update

Please note that the user I am using has the User role in my firm's Active Directory, but is a global admin in the Active Directory associated with the newly created AD B2C tenant, which I created following https://docs.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-create-tenant

2
Please see update on OP. - Pingpong
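To reproduce the exchange above in a script rather than Fiddler, here is an added example (not part of the original question or of Microsoft's documentation) that builds the same ROPC token request and parses the AADB2C error body into its error, code and correlation ID. The tenant, policy and client ID values are the placeholders from the question; the sample response body is the 400 response quoted above, embedded inline so the parsing runs offline.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode


def build_ropc_request(tenant, policy, client_id, username, password):
    """Build the ROPC token request from the question as (url, headers, body).

    The resource owner's password travels straight to the token endpoint, so
    this flow belongs only in first-party clients you fully trust.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
           f"/oauth2/v2.0/token?p={policy}")
    # urlencode() applies quote_plus, so the space-separated scope list is
    # emitted as "openid+<client_id>+offline_access", as in the question.
    body = urlencode({
        "username": username,
        "password": password,
        "grant_type": "password",
        "scope": f"openid {client_id} offline_access",
        "client_id": client_id,
        "response_type": "token id_token",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


# AADB2C error descriptions start with the error code, then carry the
# correlation ID and timestamp on separate CRLF-delimited lines.
_CODE_RE = re.compile(r"^(AADB2C\d+):\s*(.*)$")
_CORRELATION_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")


def parse_b2c_error(response_body):
    """Split a B2C JSON error body into error, AADB2C code, message and correlation ID."""
    data = json.loads(response_body)
    description = data.get("error_description", "")
    first_line = description.split("\r\n")[0]
    code_match = _CODE_RE.match(first_line)
    corr_match = _CORRELATION_RE.search(description)
    return {
        "error": data.get("error"),
        "code": code_match.group(1) if code_match else None,
        "message": code_match.group(2) if code_match else first_line,
        "correlation_id": corr_match.group(1) if corr_match else None,
    }


def send_ropc_request(tenant, policy, client_id, username, password, timeout=10):
    """POST the request and return (status, parsed body).

    Needs network access; the offline checks below do not call it.
    """
    url, headers, body = build_ropc_request(tenant, policy, client_id, username, password)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # The 400 from the question lands here; keep the correlation ID for a support case.
        return err.code, parse_b2c_error(err.read().decode())


# Constructed sample: the 400 response body quoted in the question.
SAMPLE_ERROR_BODY = (
    r'{"error":"access_denied","error_description":"AADB2C90225: The username or '
    r'password provided in the request are invalid.\r\nCorrelation ID: '
    r'9b3c19e2-6084-4bcd-b7d3-aab8d2c34dd9\r\nTimestamp: 2019-01-30 13:35:09Z\r\n"}'
)

if __name__ == "__main__":
    url, _, body = build_ropc_request("mytenant", "B2C_1_ROPC_Auth", "myappId",
                                      "myemail", "password")
    print(url)
    print(body)
    print(parse_b2c_error(SAMPLE_ERROR_BODY))
```

Running the script prints the request the question shows and the parsed error; to actually hit the endpoint, call send_ropc_request with the real tenant, policy and client ID, and quote the correlation ID it returns when raising a support case.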

2 Answers

1
votes

The resource owner password credentials flow, which is described by the Configure the resource owner password credentials flow in Azure AD B2C article, is not designed to authenticate credentials for an administrator user.

It is designed to authenticate credentials for an end user who has either (a) been created as a local account using the Azure AD Graph API or (b) registered themselves using a sign-up flow.

1
votes

Basically, if you follow the documentation here, you will get this error message because the instruction in step 4 is wrong.

In your TrustFrameworkExtensions file, you should have something like this in your Local Account SignIn ClaimsProvider -> TechnicalProfiles:

<TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
    <DisplayName>Local Account SignIn</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
        <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
        <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{AzureADB2C-Tenant-Name}.onmicrosoft.com/.well-known/openid-configuration</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{AzureADB2C-Tenant-Name}.onmicrosoft.com/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
        <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Proxy-Identity-Experience-Framework-ClientId}" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Identity-Experience-Framework-ClientId}" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
    </OutputClaims>
    <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
    </OutputClaimsTransformations>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Note that the resource_id should be the IdentityExperienceFramework application (client) ID, not ProxyIdentityExperienceFramework as described in Microsoft's documentation. I have submitted a request to correct this on GitHub.
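A quick way to catch the resource_id mix-up the answer describes before uploading a policy is to lint the TrustFrameworkExtensions file. The following is an added example, not code from the answer or from Microsoft: it parses the policy XML with the standard library and checks that the ROPC technical profile's grant_type, client_id and resource_id input claims carry the DefaultValue mappings shown above. The namespace is the one declared on the TrustFrameworkPolicy root of B2C custom policies; the two policy documents are constructed inline, one matching the answer and one with the Proxy client ID in resource_id.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the TrustFrameworkPolicy root of B2C custom policy files.
CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# DefaultValue mappings the answer above says the ROPC technical profile must carry.
EXPECTED_DEFAULTS = {
    "grant_type": "password",
    "client_id": "{Proxy-Identity-Experience-Framework-ClientId}",
    "resource_id": "{Identity-Experience-Framework-ClientId}",
}


def find_technical_profile(policy_xml, profile_id):
    """Return the TechnicalProfile element with the given Id, or None."""
    root = ET.fromstring(policy_xml)
    for tp in root.iter(f"{{{CPIM}}}TechnicalProfile"):
        if tp.get("Id") == profile_id:
            return tp
    return None


def input_claim_defaults(technical_profile):
    """Map each InputClaim's ClaimTypeReferenceId to its DefaultValue (None if absent)."""
    return {
        ic.get("ClaimTypeReferenceId"): ic.get("DefaultValue")
        for ic in technical_profile.iter(f"{{{CPIM}}}InputClaim")
    }


def check_ropc_profile(policy_xml, profile_id="ResourceOwnerPasswordCredentials-OAUTH2"):
    """Return a list of findings; an empty list means the profile matches the answer's mapping."""
    tp = find_technical_profile(policy_xml, profile_id)
    if tp is None:
        return [f"technical profile {profile_id} not found"]
    defaults = input_claim_defaults(tp)
    findings = []
    for claim, expected in EXPECTED_DEFAULTS.items():
        actual = defaults.get(claim)
        if actual != expected:
            findings.append(f"{claim}: expected DefaultValue {expected!r}, found {actual!r}")
    return findings


# Constructed sample policy: a minimal TrustFrameworkExtensions carrying the
# ROPC technical profile from the answer (metadata trimmed to the claims).
GOOD_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0" TenantId="mytenant.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkExtensions"
    PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
          <DisplayName>Local Account SignIn</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
            <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
            <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Proxy-Identity-Experience-Framework-ClientId}" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Identity-Experience-Framework-ClientId}" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""

# Constructed variant with resource_id pointing at the Proxy application,
# the mapping the answer says the documentation's step 4 gets wrong.
BAD_POLICY = GOOD_POLICY.replace(
    'DefaultValue="{Identity-Experience-Framework-ClientId}"',
    'DefaultValue="{Proxy-Identity-Experience-Framework-ClientId}"',
)

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_ropc_profile(policy) or "ok")
```

Point check_ropc_profile at the contents of your own TrustFrameworkExtensions.xml; any finding names the input claim and the DefaultValue it found, so a resource_id still set to the Proxy client ID shows up before the policy is uploaded.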