Getting access token using email address and app password from oauth2/token(使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌)
问题描述
We are using compulsory two factor authentication for our email addresses under our Active Directory.
I have an app that requires a service account, so we created app password for that service account. We acquire access token using following end point -
https://login.windows.net/{tenant_id}/oauth2/token
It works perfectly fine for credentials without two factor authentication and normal password but not for accounts with two factor auth and app password
If we enter app password it returns this error -
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password
How can I get it working?
It looks like you are trying to use the Resource Owner Password Credentials Grant, which is in general not recommended (it doesn't support MFA among other things) Instead of using that flow, see if the client credential flow (where you can use an application ID + secret or certificate) fits your needs
In the case of CRM Online, it does support the concept of "application user". You declare the application in AAD with a secret or a certificate. Then you go to CRM Online and add that "application user" with a custom security role.
Then you can use code like this to access CRM web services.
add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
add-type -path "Microsoft.Xrm.Sdk.dll"
$resourceAppIdURI = "https://ORG.crm2.dynamics.com"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com"
$credential=New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential("b1d83e4e-bc77-4919-8791-5408746265c1","<SECRET>")
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$authResult = $authContext.AcquireToken($resourceAppIdURI, $credential)
$sdkService=new-object Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient("https://ORG.crm2.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=8.2",$false)
$sdkService.HeaderToken=$authResult.accesstoken
$OrganizationRequest=new-object Microsoft.Xrm.Sdk.OrganizationRequest
$OrganizationRequest.RequestName="WhoAmI"
$sdkService.Execute($OrganizationRequest)
这篇关于使用电子邮件地址和应用程序密码从 oauth2/token 获取访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:使用电子邮件地址和应用程序密码从 oauth2/token
- 输入按键事件处理程序 2022-01-01
- C#MongoDB使用Builders查找派生对象 2022-09-04
- MoreLinq maxBy vs LINQ max + where 2022-01-01
- 如何用自己压缩一个 IEnumerable 2022-01-01
- 良好实践:如何重用 .csproj 和 .sln 文件来为 CI 创建 2022-01-01
- 带有服务/守护程序应用程序的 Microsoft Graph CSharp SDK 和 OneDrive for Business - 配额方面返回 null 2022-01-01
- WebMatrix WebSecurity PasswordSalt 2022-01-01
- C# 中多线程网络服务器的模式 2022-01-01
- Web Api 中的 Swagger .netcore 3.1,使用 swagger UI 设置日期时间格式 2022-01-01
- 在哪里可以找到使用中的C#/XML文档注释的好例子? 2022-01-01
