问题描述

我正在尝试以下方法从azure活动目录获取访问令牌

我在c夏普中的代码如下

 公共异步任务< string>validateADPCredential(字符串数据){数据= HttpUtility.UrlDecode(数据);ADPCredential adpCredential = JsonConvert.DeserializeObject< ADPCredential>(数据);尝试{字符串clientId = ConfigurationManager.AppSettings ["azureclient_id"];字符串clientSecret = ConfigurationManager.AppSettings ["azureclient_secret"];字符串tenant = ConfigurationManager.AppSettings ["tenantId"];字符串资源= ConfigurationManager.AppSettings ["resource"];var Authority ="https://login.microsoftonline.com/" +租户；var azureAdEndpoint =新的Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");var urlEncodedContent = new FormUrlEncodedContent(new []{新的KeyValuePair< string，string>("grant_type"，"password")，new KeyValuePair< string，string>("client_id"，clientId)，//使用api客户端ID新的KeyValuePair< string，string>(用户名"，adpCredential.Username)，新的KeyValuePair< string，string>("password"，adpCredential.Password)，新的KeyValuePair< string，string>("client_secret"，clientSecret)，新的KeyValuePair< string，string>("scope"，"https://graph.microsoft.com/.default")，});HttpClient httpClient =新的HttpClient();var result = await httpClient.PostAsync(azureAdEndpoint，urlEncodedContent);{var content =等待结果.Content.ReadAsStringAsync();var authResult = JsonConvert.DeserializeObject< dynamic>(内容);返回authResult.access_token;}}抓住(前例外){}返回string.Empty;} 

此代码工作正常，我能够为活动目录的内部用户获取令牌.但是对于gmail用户(外部用户)，我会遇到以下错误.

  {{ 

错误":"invalid_grant"，"error_description":"AADSTS50034:esheb.onmicrosoft.com目录中不存在用户帐户{EmailHidden}.要登录此应用程序，必须将该帐户添加到目录中.\ r \ nTrace ID:0222e890-a19e-4694-a004-327f2312aa00 \ r \ n关联ID:8587e63d-9cd-4257-aa6c-1ef394d03f56 \ r \ n时间戳:2020-06-09 16:57:03Z，错误代码":[50034]，"timestamp":"2020-06-09 16:57:03Z"，"trace_id":"0222e90-a19e-4694-a004-327f2312aa00"，"correlation_id":"8587e63d-c6d-4257-aa6c-1ef394d03f56"，"error_uri":"

参考:

Microsoft身份平台和OAuth 2.0资源所有者密码凭证

i am trying the following method to get the access token from azure active directory

my code in c sharp is as below

   public async Task<string> validateADPCredential(string data)
    {
        data = HttpUtility.UrlDecode(data);
        ADPCredential adpCredential = JsonConvert.DeserializeObject<ADPCredential>(data);

        try
        {
            string clientId = ConfigurationManager.AppSettings["azureclient_id"];
            string clientSecret = ConfigurationManager.AppSettings["azureclient_secret"];
            string tenant = ConfigurationManager.AppSettings["tenantId"];
            string resource = ConfigurationManager.AppSettings["resource"];

            var authority = "https://login.microsoftonline.com/" + tenant;


            var azureAdEndpoint = new Uri("https://login.microsoftonline.com/eshaweb.onmicrosoft.com/oauth2/v2.0/token");
            var urlEncodedContent = new FormUrlEncodedContent(new[]
            {
               new KeyValuePair<string, string>("grant_type", "password"),


               new KeyValuePair<string, string>("client_id", clientId), //using the api client id
               new KeyValuePair<string, string>("username", adpCredential.Username),
               new KeyValuePair<string, string>("password", adpCredential.Password),
               new KeyValuePair<string, string>("client_secret", clientSecret),
               new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"),

        });

            HttpClient httpClient = new HttpClient();
            var result = await httpClient.PostAsync(azureAdEndpoint, urlEncodedContent);
            {
                var content = await result.Content.ReadAsStringAsync();
                var authResult = JsonConvert.DeserializeObject<dynamic>(content);
                return authResult.access_token;
            }
        }
        catch (Exception ex)
        {

        }
        return string.Empty;

    }

this code is working fine and i able to get the token for for internal user of active directory.but for gmail user(external user) i am getting the following error.

{{

"error": "invalid_grant", "error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the esheb.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 0222e890-a19e-4694-a004-327f2312aa00\r\nCorrelation ID: 8587e63d-9cd-4257-aa6c-1ef394d03f56\r\nTimestamp: 2020-06-09 16:57:03Z", "error_codes": [ 50034 ], "timestamp": "2020-06-09 16:57:03Z", "trace_id": "0222e90-a19e-4694-a004-327f2312aa00", "correlation_id": "8587e63d-c6d-4257-aa6c-1ef394d03f56", "error_uri": "https://login.microsoftonline.com/error?code=50034"}}

again if i tried to get the token in the following method

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

i am able to get the token for internal and external user of the azure active directory.

can any one find out the solution for me .

It is not supported for gmail user(external user) to use ROPC, you can find the document as below.

Reference:

Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials