使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌

时间:2023-02-27
本文介绍了使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

We are using compulsory two factor authentication for our email addresses under our Active Directory.

I have an app that requires a service account, so we created app password for that service account. We acquire access token using following end point -

https://login.windows.net/{tenant_id}/oauth2/token

It works perfectly fine for credentials without two factor authentication and normal password but not for accounts with two factor auth and app password

If we enter app password it returns this error -

AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password

How can I get it working?

解决方案

It looks like you are trying to use the Resource Owner Password Credentials Grant, which is in general not recommended (it doesn't support MFA among other things) Instead of using that flow, see if the client credential flow (where you can use an application ID + secret or certificate) fits your needs

In the case of CRM Online, it does support the concept of "application user". You declare the application in AAD with a secret or a certificate. Then you go to CRM Online and add that "application user" with a custom security role.

Then you can use code like this to access CRM web services.

add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
add-type -path "Microsoft.Xrm.Sdk.dll"
$resourceAppIdURI = "https://ORG.crm2.dynamics.com"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com" 
$credential=New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential("b1d83e4e-bc77-4919-8791-5408746265c1","<SECRET>")
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$authResult = $authContext.AcquireToken($resourceAppIdURI, $credential)
$sdkService=new-object Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient("https://ORG.crm2.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=8.2",$false)
$sdkService.HeaderToken=$authResult.accesstoken
$OrganizationRequest=new-object Microsoft.Xrm.Sdk.OrganizationRequest
$OrganizationRequest.RequestName="WhoAmI"
$sdkService.Execute($OrganizationRequest)

这篇关于使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

上一篇:新的 Azure AD 应用程序在通过管理门户更新之前无法运行 下一篇:异步调用时 Azure KeyVault Active Directory AcquireTokenAsync 超时

相关文章

最新文章