 

Getting graph api token using AcquireTokenByUsernamePassword method for a Federated user

I've tried acquiring token using ROPC with the username and password provided by client. But the error message was "parsing_wstrust_response_failed". Same as the error message (last error) described here

From this error message I understood my user is a federated user and cannot use this method. Is there any other way to acquire token for a federated user using username and password?

AuthenticationResult result = null;
try
{
    // Resource Owner Password Credentials (ROPC): the user's password is sent
    // by the app itself instead of through an interactive sign-in.
    result = await app.AcquireTokenByUsernamePassword(scopes,
                 "[email protected]",
                 securePassword)
                 .ExecuteAsync();
}
catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
{
    // Thrown for this (federated) user: MSAL could not parse the WS-Trust
    // response it got back from the federated identity provider.
}
Manu Mohan Thekkedath asked Mar 06 '26 13:03


2 Answers

First, a warning: You really should not use username/password in your app. In general, it's less secure and increases the risk you're exposing the associated environment to. It is also a brittle approach, as you will likely find Azure AD will require an interactive sign-in at some time in the future--probably at a very inconvenient time for you.

Second, a clarification: AcquireTokenByUsernamePassword will not always use the Resource Owner Password Credentials (ROPC) OAuth 2.0 flow. When MSAL discovers that the user is part of a federated domain name, the library will attempt a non-interactive username/password authentication if the federated identity provider publishes a metadata exchange document which includes an endpoint supporting this method. If this request succeeds, MSAL will then attempt to exchange the response (issued by the federated identity provider) for the normal token set from Azure AD (issued by Azure AD).

So, to answer your question: It depends. It is possible to use AcquireTokenByUsernamePassword with a federated user. However, it requires that the federated identity service support this. AD FS, which is the most common IdP to be federated with Azure AD, supports this via the "usernamemixed" endpoint.

Philippe Signoret answered Mar 08 '26 01:03


No. There is no way. You need to handle the authentication with another flow.

I mentioned this downside in my recent article: https://joonasw.net/view/ropc-grant-flow-in-azure-ad

juunas answered Mar 08 '26 02:03
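The two answers above describe the mechanism (MSAL detects the federated realm, tries the IdP's WS-Trust username/password endpoint, and surfaces parsing_wstrust_response_failed when that does not work) and the remedy (handle the user with another flow). The following is an added example, not code from the question or from either answer, showing how a client can attempt the username/password path and fall back to the device code flow when the federated IdP cannot serve it or when Azure AD demands interaction. It assumes MSAL.NET (Microsoft.Identity.Client 4.37 or later, for the string-password overload), a public client app registration with "Allow public client flows" enabled, and placeholder values for ClientId and TenantId that you replace with your own; the scope, environment variable names and helper names are the example's own choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the original page). Assumptions: MSAL.NET 4.37+,
// a public client app registration, and placeholder ClientId/TenantId below.
public static class FederatedUserSignIn
{
    const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder: your app (client) ID
    const string TenantId = "contoso.onmicrosoft.com";              // placeholder: your tenant ID or domain
    static readonly string[] Scopes = { "https://graph.microsoft.com/User.Read" };

    static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

    // Try the non-interactive username/password path first. For a managed user this
    // is plain ROPC; for a federated user MSAL reads the user realm, fetches the IdP's
    // MEX document and, if it advertises a usernamemixed endpoint, sends the password
    // there over WS-Trust and exchanges the returned assertion for Azure AD tokens.
    public static async Task<AuthenticationResult> AcquireAsync(string username, string password)
    {
        IPublicClientApplication app = BuildApp();
        try
        {
            return await app.AcquireTokenByUsernamePassword(Scopes, username, password)
                            .ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == "parsing_wstrust_response_failed")
        {
            // The federated IdP did not return a usable WS-Trust response, so the
            // password cannot be used non-interactively for this user.
            Console.Error.WriteLine($"Username/password not usable for {username}: {ex.Message}");
            return await AcquireWithDeviceCodeAsync(app);
        }
        catch (MsalUiRequiredException ex)
        {
            // Azure AD requires interaction (MFA, consent, conditional access).
            // This is the "brittle" case: it can start happening without any code change.
            Console.Error.WriteLine($"Interactive sign-in required for {username}: {ex.Message}");
            return await AcquireWithDeviceCodeAsync(app);
        }
    }

    // Fallback that lets the IdP drive authentication. Device code works for federated
    // users and needs no browser on the machine running this code; the user completes
    // sign-in elsewhere and the app polls Azure AD for the result.
    static Task<AuthenticationResult> AcquireWithDeviceCodeAsync(IPublicClientApplication app) =>
        app.AcquireTokenWithDeviceCode(Scopes, deviceCode =>
        {
            // Message tells the user which URL to open and which code to enter.
            Console.WriteLine(deviceCode.Message);
            return Task.CompletedTask;
        }).ExecuteAsync();

    public static async Task Main()
    {
        // Credentials come from the environment so they never sit in source control.
        string username = Environment.GetEnvironmentVariable("AAD_USERNAME") ?? "";
        string password = Environment.GetEnvironmentVariable("AAD_PASSWORD") ?? "";

        AuthenticationResult result = await AcquireAsync(username, password);
        Console.WriteLine($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn:u}");
        // result.AccessToken can now be sent as a Bearer token to Microsoft Graph.
    }
}
```

The error-code comparison uses the literal string from the question so it matches whatever MSAL version is installed; MSAL.NET also exposes it as a constant on MsalError. Catching MsalUiRequiredException alongside the WS-Trust failure covers the other way the username/password path stops working, which is why the first answer calls it brittle: once the tenant turns on MFA or a conditional access policy, the same code that worked yesterday needs a user-facing flow.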


