[Bug] Error AADSTS9001023 when using AcquireTokenByUsernamePassword() and the correct permissions are set within the app settings in AAD
Which Version of MSAL are you using?
3.0.0 preview
Note that to get help, you need to run the latest version. Preview versions are also ok. For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet
Platform
net4.5 framework
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app?
This is a new app or experiment
Repro
```csharp
using System;
using System.Configuration;
using System.Net.Http.Headers;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

static async Task<GraphServiceClient> Auth()
{
    // No authority is specified, so MSAL falls back to the /common endpoint,
    // which is what the AADSTS9001023 error below refers to.
    var app = PublicClientApplicationBuilder.Create(ConfigurationManager.AppSettings["clientId"]).Build();
    string[] scopes = new string[] { "user.read" };

    var securePassword = new SecureString();
    foreach (char c in "dummy") // you should fetch the password
        securePassword.AppendChar(c); // keystroke by keystroke

    AuthenticationResult result = await app
        .AcquireTokenByUsernamePassword(scopes, "joe@contoso.com", securePassword)
        .ExecuteAsync();
    string token = result.AccessToken;

    GraphServiceClient graphClient = new GraphServiceClient(
        "https://graph.microsoft.com/v1.0",
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                // Attach the delegated access token to every Graph request.
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }));
    return graphClient;
}
```
Expected behavior
Hardcoded credentials are used to gather the Access Token
Actual behavior
Microsoft.Identity.Client.MsalServiceException: 'AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.'
Additional context / Logs / Screenshots
https://i.imgur.com/XwncoAm.png
https://i.imgur.com/0TtxAhi.png
Following the MSDoc here, the application is configured correctly to allow multi-tenancy. The purpose of my application is to allow any user to (eventually) pass in credentials via the command line as arguments, so it will work for any AAD tenant, not just one. The hardcoded credentials in the sample are not the credentials I use; I use a .onmicrosoft.com account (who is a user in my AAD instance). Redirect URI is set to use /organizations instead of /common as well.
Issue Analytics
- Created 4 years ago
- Comments: 9 (4 by maintainers)
Top GitHub Comments
I’m going to leave this open as a bug for us to provide a better experience.
That’s an app scope - it essentially means “I want to read the directory for ALL the users in my tenant”. App scopes can be obtained via AcquireTokenForClient / client_credential only.
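The two points raised on this page (the authority must be /organizations or a tenant id for the password grant, and username/password can only yield delegated scopes, never app scopes) shown side by side in an added example that is not code from the issue or from MSAL itself. It assumes a public client app registered with the delegated User.Read permission; the class and method names are illustrative.

```csharp
using System;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class RopcAuthorityExample
{
    // Reproduces the report: no authority given, so MSAL defaults to /common,
    // which rejects the username/password grant with AADSTS9001023.
    public static IPublicClientApplication BuildWithCommon(string clientId) =>
        PublicClientApplicationBuilder.Create(clientId).Build();

    // Fix for a multi-tenant app: /organizations accepts any work or school tenant.
    public static IPublicClientApplication BuildWithOrganizations(string clientId) =>
        PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
            .Build();

    // Fix for a single-tenant app: a tenant-specific authority.
    public static IPublicClientApplication BuildWithTenant(string clientId, string tenantId) =>
        PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

    // Only delegated scopes (User.Read here) can be requested this way.
    // An application permission (an "app scope" in the maintainer's reply) has to come
    // from AcquireTokenForClient on a confidential client, not from this flow.
    public static async Task<string> GetDelegatedTokenAsync(
        IPublicClientApplication app, string username, SecureString password)
    {
        string[] scopes = { "User.Read" };
        try
        {
            AuthenticationResult result = await app
                .AcquireTokenByUsernamePassword(scopes, username, password)
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS9001023"))
        {
            // Surface the misconfiguration clearly instead of a generic auth failure.
            throw new InvalidOperationException(
                "Password grant rejected on /common or /consumers; rebuild the client " +
                "with /organizations or a tenant id.", ex);
        }
    }
}
```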