
I am migrating some code from @azure/ms-rest-nodeauth to @azure/identity, which authenticates against Azure Active Directory (AAD) via loginWithUsernamePassword. The migration guide points to the UsernamePasswordCredential class, but it denies my request.

import * as msRestNodeAuth from "@azure/ms-rest-nodeauth";
import { UsernamePasswordCredential } from "@azure/identity";

// USERNAME, PASSWORD, AAD_TENANT_ID, CUSTOM_CLIENT_ID and CUSTOM_APP_ID are
// configuration values supplied elsewhere.

// Working @azure/ms-rest-nodeauth snippet: for this federated account the library
// resolves the user realm, fetches a SAML assertion over WS-Trust and exchanges it
// for an access token (see the verbose log below).
async function getTokenLegacy(): Promise<string> {
  const credentials = await msRestNodeAuth.loginWithUsernamePassword(
    USERNAME,
    PASSWORD,
    {
      domain: AAD_TENANT_ID,        // tenant to sign in against
      clientId: CUSTOM_CLIENT_ID,   // app registration used for the sign-in
      tokenAudience: CUSTOM_APP_ID, // resource the token is issued for
    },
  );
  return (await credentials.getToken()).accessToken;
}

// Non-working migrated @azure/identity version: UsernamePasswordCredential sends
// the username and password straight to AAD and fails with AADSTS50126 for this user.
async function getTokenMigrated(): Promise<string> {
  const credentials = new UsernamePasswordCredential(
    AAD_TENANT_ID,
    CUSTOM_CLIENT_ID,
    USERNAME,
    PASSWORD,
  );
  // getToken() takes an OAuth scope string rather than the legacy tokenAudience option.
  return (await credentials.getToken(CUSTOM_APP_ID)).token;
}

The following error occurs.

AADSTS50126: Error validating credentials due to invalid username or password.

The user has a federated account and @azure/ms-rest-nodeauth verifies the credentials via the SAML protocol.

UserRealm: VERBOSE: UserRealm response:
UserRealm: VERBOSE:  AccountType:             federated
UserRealm: VERBOSE:  FederationProtocol:      wstrust
TokenRequest: VERBOSE: Acquiring token with username password for federated user
...
WSTrustResponse: INFO: Found token of type: urn:oasis:names:tc:SAML:1.0:assertion
TokenRequest: VERBOSE: Performing OAuth assertion grant type exchange.
sschmeck
  • Hello @sschmeck, could you please refer to this https://stackoverflow.com/questions/65199330/invalid-grant-aadsts50126-error-validating-credentials-due-to-invalid-username ? It may help. – AjayKumarGhose Dec 24 '21 at 07:36
  • Creating a cloud-only user isn't easily achievable in my environment. Therefore I am searching for another solution, @AjayKumarGhose-MT – sschmeck Jan 03 '22 at 12:07

1 Answer

  • Please try resetting the password; otherwise you can use the workaround below.

  • As you are using federated authentication, you get redirected to the federated identity provider for verification. When you use the ROPC flow by passing the username and password, the redirection does not happen and you get an error of invalid username or password.

In order to make this work you need to disable federated authentication and use managed authentication on the AAD side so that no redirection is required. So you will need to create a user on the AAD side.

For more information please refer to this MS Q&A answer suggested by @amanpreetsingh-msft & @MarileeTurscak-MSFT.

Still, if you want to use federated authentication you can refer to this blog.

AjayKumarGhose
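A pre-flight check that makes the failure mode described in this answer explicit, as an added example that is not code from the question or the answer above. It asks AAD's realm-discovery endpoint whether an account is managed or federated before any password is sent down the ROPC path, and it maps the legacy tokenAudience to the scope string @azure/identity expects. The UserRealm URL and the JSON field names (account_type, federation_protocol) are what the legacy library's verbose log reports; their exact spelling is an assumption to check against a live response from your tenant, and the sample realms are constructed, not captured from a real tenant.

```typescript
// Added example (not from the question or the answer): refuse the ROPC flow for
// federated accounts before it can fail with AADSTS50126, and translate the legacy
// tokenAudience into an OAuth scope. UserRealm field names are an assumption.

interface UserRealm {
  ver?: string;
  account_type?: string;        // "Managed", "Federated" or "Unknown"
  federation_protocol?: string; // e.g. "WSTrust" for a federated realm
  domain_name?: string;
}

interface RopcVerdict {
  eligible: boolean; // true when AAD can validate the password itself
  reason: string;
}

// Unauthenticated realm-discovery URL for a user principal name.
function userRealmUrl(
  username: string,
  authorityHost: string = "https://login.microsoftonline.com",
): string {
  return `${authorityHost}/common/UserRealm/${encodeURIComponent(username)}?api-version=1.0`;
}

// Federated accounts are refused up front: AAD cannot check their password against
// the on-premises identity provider, which is the AADSTS50126 case in the answer.
function classifyUserRealm(realm: UserRealm): RopcVerdict {
  const accountType = (realm.account_type ?? "Unknown").toLowerCase();
  if (accountType === "managed") {
    return { eligible: true, reason: "managed account: AAD validates the password directly" };
  }
  if (accountType === "federated") {
    const protocol = realm.federation_protocol ?? "unknown protocol";
    return {
      eligible: false,
      reason:
        `federated account (${protocol}): the ROPC request never reaches the ` +
        "federation server; use a cloud-only (managed) account as the answer suggests",
    };
  }
  return { eligible: false, reason: `unrecognised account_type "${realm.account_type}"` };
}

// The legacy tokenAudience was a resource URI or application ID URI; @azure/identity's
// getToken() wants an OAuth scope, i.e. "<resource>/.default".
function audienceToScope(audience: string): string {
  const trimmed = audience.replace(/\/+$/, "");
  return trimmed.endsWith("/.default") ? trimmed : `${trimmed}/.default`;
}

// The fetcher is injected so the check runs offline in tests; in production pass
// something like (url) => fetch(url).then((r) => r.json()).
async function preflightRopc(
  username: string,
  fetchJson: (url: string) => Promise<UserRealm>,
): Promise<RopcVerdict> {
  return classifyUserRealm(await fetchJson(userRealmUrl(username)));
}

// Constructed sample responses (not real tenant data), shaped after the
// AccountType/FederationProtocol lines in the question's verbose log.
const SAMPLE_REALMS: Record<string, UserRealm> = {
  "contoso.example": {
    ver: "1.0", account_type: "Federated", federation_protocol: "WSTrust", domain_name: "contoso.example",
  },
  "fabrikam.example": {
    ver: "1.0", account_type: "Managed", domain_name: "fabrikam.example",
  },
};

// Offline fetcher that serves the samples keyed by the UPN's domain part.
async function sampleFetch(url: string): Promise<UserRealm> {
  const upn = decodeURIComponent(url.split("/UserRealm/")[1].split("?")[0]);
  return SAMPLE_REALMS[upn.split("@")[1]] ?? { account_type: "Unknown" };
}

// Demo: the federated user is refused before any password leaves the process;
// the managed user proceeds with the mapped scope.
preflightRopc("alice@contoso.example", sampleFetch).then((v) =>
  console.log("alice:", v.eligible, "-", v.reason),
);
preflightRopc("bob@fabrikam.example", sampleFetch).then((v) =>
  console.log("bob:", v.eligible, "- scope", audienceToScope("api://11111111-2222-3333-4444-555555555555")),
);
```

Running the check first turns an opaque AADSTS50126 into a clear "this account is federated" message, and the scope mapping covers the second thing that changes in the migration: `tokenAudience: X` becomes `getToken("X/.default")`.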