ACCESS_DENIED资源所有者密码证书在Azure的AD B2C流

问题描述 投票:0回答:2

我跟着下面这篇文章,但我得到了下面的错误,从测试到的用户流量部分:

https://docs.microsoft.com/en-gb/azure/active-directory-b2c/configure-ropc

HTTP/1.1 400 Bad Request
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
x-ms-gateway-requestid: fd437d7a-fd0e-42bf-adcf-0969f5dcf74d
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: x-ms-cpim-trans=; domain=mytenant.b2clogin.com; expires=Tue, 29-Jan-2019 13:35:09 GMT; path=/; secure; HttpOnly
Date: Wed, 30 Jan 2019 13:35:08 GMT
Content-Length: 217

{"error":"access_denied","error_description":"AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID: 9b3c19e2-6084-4bcd-b7d3-aab8d2c34dd9\r\nTimestamp: 2019-01-30 13:35:09Z\r\n"}

请求发送:

POST https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mytenant.b2clogin.com

username=myemail&password=password&grant_type=password&scope=openid myappId offline_access&client_id=myappId&response_type=token+id_token

我是一个全球性的管理,但我能够创造用户流量,注册应用程序等。

我使用招发送请求,所以它是不相关的Web应用程序/的WebAPI。

用户名(例如myname@myfirm.com)和密码是正确的,这是用来登录天青门户设置样品。

任何想法?

更新

请注意,我用的是在我公司的Active Directory用户角色的用户,但用户与新创建的AD B2C租户以下https://docs.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-create-tenant相关联的Active Directory中的全局管理

azure azure-active-directory azure-ad-b2c
2个回答
1
投票

资源所有者密码凭证流动,这是由the Configure the resource owner password credentials flow in Azure AD B2C article的描述,并不旨在为管理员验证用户凭证。

它是专为谁拥有或者(a)已经created as a local account using the Azure AD Graph API或(b)将自身注册使用注册流程的最终用户进行身份验证凭据。


0
投票

基本上,如果你按照文档here。因为在步骤4的指示有误,您将收到此错误消息。

在你TrustFrameworkExtensions文件。你应该有这样的事情在你本地帐户登入ClaimsProvider - > TechnicalProfiles

    <TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
      <DisplayName>Local Account SignIn</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
        <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
        <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{AzureADB2C-Tenant-Name}.onmicrosoft.com/.well-known/openid-configuration</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{AzureADB2C-Tenant-Name}.onmicrosoft.com/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
        <InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Proxy-Identity-Experience-Framework-ClientId}" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Identity-Experience-Framework-ClientId}" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

注意RESOURCE_ID应该IdentityExperienceFramework应用程序(客户端)ID,而不是ProxyIdentityExperienceFramework微软的文档中描述。我提交了在GitHub上纠正这种请求。


推荐问答