1
votes

How to generate access_token for grant_type password in Azure AD for MS graph api

I have followed these two links to generate an access_token with the password grant_type:

  1. https://dzone.com/articles/getting-access-token-for-microsoft-graph-using-oau-2?preview=true
  2. https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=app-reg-ga

I used the curl request below:

curl --location --request POST 'https://login.microsoftonline.com/910f-90d18b56a170/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=4b5d-bde6-0b1a09b84a5f' --data-urlencode 'client_secret=q4720z4z_6N8CU-c7qEwx2a' --data-urlencode 'grant_type=password' --data-urlencode '[email protected]' --data-urlencode 'password=xxxxxxx' --data-urlencode 'resource=https://graph.microsoft.com' --data-urlencode 'scope=openid'


Below is the response:

{
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 21fdd138-0bc6-49bd-8852-c7a6a3a1e600\r\nCorrelation ID: a1010714-38f6-4926-a135-568adcdada26\r\nTimestamp: 2020-12-15 16:44:37Z",
    "error_codes": [
        50126
    ],
    "timestamp": "2020-12-15 16:44:37Z",
    "trace_id": "21fdd138-0bc6-49bd-8852-c7a6a3a1e600",
    "correlation_id": "a1010714-38f6-4926-a135-568adcdada26",
    "error_uri": "https://login.microsoftonline.com/error?code=50126"
}

I don't know why the response suggests that my credentials are invalid even though I'm passing the right creds.

Could somebody help here?

Thanks & regards

2
curl -X POST -d "client_id=clientid&scope=user.read&grant_type=password&username=sruthi@xxx&password=Srxxxx&redirect_url=https://graph.microsoft.com" https://login.microsoftonline.com/tenantid/oauth2/v2.0/token

Can you please try this one? Also, the error is due to invalid credentials. – Sruthi J

2 Answers

1
votes

Facing the same issue when I run the query below with wrong credentials.

After providing the right credentials to the curl operation below, I was able to get a token:

  curl -X POST -d "client_id=clientid&scope=user.read&grant_type=password&username=username&password=password&resource=https://graph.microsoft.com" https://login.microsoftonline.com/tenantid/oauth2/token


Note: Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

0
votes

Yes, I was able to resolve this error with the curl request below. I also had to use the UTF character code for special symbols in my password (from this link: https://www.utf8-chartable.de/) while running the command from a Linux terminal, though it wasn't required for getting the token via Postman.

curl -X POST -d "client_id=3621485b0bf-6384-4b5d-bde6-0b1a09b84a5f&client_secret=145236op-54782314l-c7qEwx2a-U_T_-7-43n&scope=user.read&grant_type=password&[email protected]&password=Prince%244321&resource=https://graph.microsoft.com" https://login.microsoftonline.com/7452369-45217-4208-910f-90d18b56a170/oauth2/token

Below is the response:
{
    "token_type": "Bearer",
    "scope": "ChannelMessage.Send Group.Read.All Group.ReadWrite.All Mail.Read offline_access openid profile User.Read",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1608079489",
    "not_before": "1608075589",
    "resource": "https://graph.microsoft.com",
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6Ijl3NVBGbUpfQ1NsNjhhVHJ6dFJjVXZ0c1NaWm5nckFLS3JoQmFSbY2ZTgtNDUzMC04NzhhLTg4MjBmNDJlZjQ3NiIsInBsYXRmIjoiMTQiLCJwdWlkIjoiMTAwMzIwMDEwM0M4MkJDNSIsInJoIjoiMC5BQUFBSWZocjZPcldFRVdQLTN4b2JHUlg4aHBadjJQSDRmVkpoNlBMc2RFSGF6dFRBRG8uIiwic2NwIjoiQ2hhbm5lbE1lc3NhZ2UuU2VuZCBHcm91cC5SZWFkLkFsbCBHcm91cC5SZWFkV3Jp-OlzPDtk0GTG9o5AGLcTVv6VEVOFWF2TEylgdXnTX5A4Iue7Le8OcUtFa33of_11uvZuhEcxTzY_ANEz-R5TFhZJlxeeyw",
    "refresh_token": "0.AAAAIfhr6OrWEEWP-3xobGRX8hpZv2PH4fVJh6PLsdEHaztTADo.GSfVElYY1X0hIwKK3JBkMHTamjwx9uEDeV9U8nPbEBe7w64JdaexMVJMyBeNFZOOrAda7wDGCUJq_1gv9J0k3X3QYsJafyOeuDtDckks9tLzHbD4ZJWAxN0Dnw-OaO4Tq95sa7-wozkCwC5ZWfTdeDjp6qb92SEKtQSl8YUCe340f1y_DuL6C2yMQARfgSPCTuuVz2TqMm8MjM46m4_WSz7ATK_UfzcHyywsBVYpxfgOzAA2eShbCqjMZbvab0moyvmo",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiI2M2JmNTkxYS1lMWM3LTQ5ZjUtODdhMy1jYmIxZDEwNzZiM2IiLCJpc3MiOiJodHRwczovLuMCJ9."
}

To achieve my desired results, I had to create a new user in Azure AD and use those creds.

For some odd reason my creds for the admin/main user for the Azure Portal were throwing this error "Error validating credentials due to invalid username or password" even though that user exists in the users list.
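An added example (not the question's or the answers' code) covering the two points this thread turns on: percent-encoding every form field the way curl's --data-urlencode does, so a password containing special characters survives the shell and the form body, and classifying the token endpoint's reply so that the AADSTS error code can be logged without the password or the token. The tenant, client and credential values are constructed placeholders.

```python
# Added example (not code from the question or answers): build the v1 ROPC form
# body with proper percent-encoding and classify the token endpoint's reply.
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

V1_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

def build_ropc_body(client_id, client_secret, username, password,
                    resource="https://graph.microsoft.com", scope="openid"):
    """Form body for grant_type=password. urlencode() percent-encodes every
    value, so 'Prince$4321' becomes 'Prince%244321' without hand-escaping
    (what curl's --data-urlencode does per field, and plain -d does not)."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "password", "username": username,
                      "password": password, "resource": resource, "scope": scope})

def classify_token_response(body_text):
    """Summarise a token-endpoint JSON body: on success expose only the
    metadata (never the token itself), on failure the AADSTS code for logging."""
    body = json.loads(body_text)
    if "access_token" in body:
        return {"ok": True, "token_type": body.get("token_type"),
                "scope": body.get("scope"),
                "expires_in": int(body.get("expires_in", 0))}
    desc = body.get("error_description", "")
    return {"ok": False, "error": body.get("error"),
            "codes": body.get("error_codes", []),
            "aadsts": desc.split(":", 1)[0] if desc.startswith("AADSTS") else None,
            "trace_id": body.get("trace_id")}

def request_token(tenant, **fields):
    """POST the grant; the endpoint answers HTTP 400 on invalid_grant, so
    the error body arrives via HTTPError and is classified the same way."""
    req = Request(V1_TOKEN_URL.format(tenant=tenant),
                  data=build_ropc_body(**fields).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"},
                  method="POST")
    try:
        with urlopen(req, timeout=15) as resp:
            return classify_token_response(resp.read().decode())
    except HTTPError as err:
        return classify_token_response(err.read().decode())

# Constructed sample of the AADSTS50126 reply seen in the question (IDs zeroed).
SAMPLE_ERROR = json.dumps({"error": "invalid_grant", "error_codes": [50126],
    "trace_id": "00000000-0000-0000-0000-000000000000",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password."})
```

A live call is `request_token("<tenant-id>", client_id=..., client_secret=..., username=..., password=...)`; the returned dict is safe to log because it never contains the token or the password.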