
Azure AD integration with Password Grant returns error

azure-ad
password-grant

Hi,
I'm new to this community and Auth0, so sorry if I'm posting this in the wrong forum section.

I have integrated our company Azure AD with Auth0 for some testing. I'm able to generate tokens for users correctly using the Implicit grant. However, when I try the Password grant flow, it fails.

My request:

curl -X POST \
  https://javierholguera.eu.auth0.com/oauth/token \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Host: javierholguera.eu.auth0.com' \
  -H 'Postman-Token: f67c8935-85b2-4029-9411-cd14b32b679c,c86403a1-cbb8-4e85-b842-96740d45e4da' \
  -H 'User-Agent: PostmanRuntime/7.11.0' \
  -H 'accept-encoding: gzip, deflate' \
  -d 'grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&username=auth0%40some-domain.pro&password=[REDACTED]&audience=https%3A%2F%2Fcompany-back-office-api.company.co.uk&scope=openid%20profile%20email%20address%20phone&client_id=lMFpfowtmambV0QtvX6LFaILQwW7Jduw&client_secret=[REDACTED]&realm=some-domain-waad'

The error that I get back is:

{
  "error": "invalid_request",
  "error_description": "AADSTS90009: Application '17837d71-23e2-48d7-bc8c-b551d2a3f69e'(17837d71-23e2-48d7-bc8c-b551d2a3f69e) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.\r\nTrace ID: 1a20622f-f6aa-4243-8426-6d38e1311200\r\nCorrelation ID: bb0255e2-5449-4243-8ade-adce03706957\r\nTimestamp: 2019-05-10 09:55:36Z"
}

Browsing around, it seems like the problem might be that Auth0 is not sending the client_id in the "resource" parameter (it sends the App ID URI instead). See: https://stackoverflow.com/questions/42006468/oauth-2-0-and-azure-active-directory-error-aadsts90009

This error is saying that the field you provided in the resource parameter is requesting tokens for itself. In the case you do want to get a token for the app specified in the client_id, then you have to pass the client_id in the resource field rather than the app ID URI. At which point you will receive an access token for self.

I've tried configuring my client_id value in Auth0 -> AD settings -> App ID Uri with the value "api://17837d71-23e2-48d7-bc8c-b551d2a3f69e", because it wouldn't take the client_id alone (not a valid URI), and configured it in Azure AD as well, but it is still not working.

Any idea how to fix this?

Thanks.
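The same exchange as an added example, written by the editor and not part of the original post or of Auth0's or Microsoft's own code: it builds the password-realm request body from the post with the standard library, sends it to the Auth0 tenant's /oauth/token endpoint, and parses the AADSTS error Azure AD returns so that the error code, the application GUID, and the Trace/Correlation IDs (the values Microsoft support asks for) come out as fields instead of one string. The tenant, realm, audience, and error text are the ones quoted above; the username, password, and client secret are placeholders, and all function names are the editor's own. The sample error response is constructed from the post so the parser runs offline.

```python
"""Auth0 password-realm grant helper plus an AADSTS error parser (editor's example)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, Optional, Tuple

AUTH0_DOMAIN = "javierholguera.eu.auth0.com"            # tenant from the post
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"

# AAD error descriptions look like:
#   "AADSTS90009: <message>\r\nTrace ID: <guid>\r\nCorrelation ID: <guid>\r\nTimestamp: <ts>"
_CODE_RE = re.compile(r"^(AADSTS\d+):\s*(.*?)(?:\r?\n|$)", re.S)
_APP_RE = re.compile(r"Application '([^']+)'")
_TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]+)")
_CORR_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]+)")
_TS_RE = re.compile(r"Timestamp:\s*([^\r\n]+)")


def build_password_realm_body(username: str, password: str, client_id: str,
                              client_secret: str, realm: str, audience: str,
                              scope: str = "openid profile email address phone") -> str:
    """Form-encode the body of the request shown in the post (same parameters, same grant_type)."""
    params = {
        "grant_type": PASSWORD_REALM_GRANT,
        "username": username,
        "password": password,
        "audience": audience,
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
        "realm": realm,            # the Auth0 connection name, e.g. some-domain-waad
    }
    return urllib.parse.urlencode(params)


def request_token(body: str, domain: str = AUTH0_DOMAIN,
                  timeout: float = 10.0) -> Tuple[int, Dict[str, Any]]:
    """POST the form body to /oauth/token; return (HTTP status, decoded JSON) for success or error."""
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        # Auth0 returns 4xx with a JSON error body; the AAD text is inside error_description.
        return exc.code, json.load(exc)


def parse_aadsts_error(error_response: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Split an Auth0 error body into the AADSTS code, message, app GUID and support IDs.

    Non-AAD errors (e.g. Auth0's own "Wrong email or password.") come back with
    aadsts_code=None and the raw description as the message.
    """
    desc = error_response.get("error_description") or ""
    match = _CODE_RE.match(desc)
    message = match.group(2) if match else desc

    def first(rx: "re.Pattern[str]", text: str) -> Optional[str]:
        found = rx.search(text)
        return found.group(1) if found else None

    return {
        "error": error_response.get("error"),
        "aadsts_code": match.group(1) if match else None,
        "message": message,
        "app_id": first(_APP_RE, message),
        "trace_id": first(_TRACE_RE, desc),
        "correlation_id": first(_CORR_RE, desc),
        "timestamp": first(_TS_RE, desc),
    }


# Constructed sample: the error body quoted in the post, identifiers unchanged.
SAMPLE_ERROR: Dict[str, Any] = {
    "error": "invalid_request",
    "error_description": (
        "AADSTS90009: Application '17837d71-23e2-48d7-bc8c-b551d2a3f69e'"
        "(17837d71-23e2-48d7-bc8c-b551d2a3f69e) is requesting a token for itself. "
        "This scenario is supported only if resource is specified using the GUID based App Identifier."
        "\r\nTrace ID: 1a20622f-f6aa-4243-8426-6d38e1311200"
        "\r\nCorrelation ID: bb0255e2-5449-4243-8ade-adce03706957"
        "\r\nTimestamp: 2019-05-10 09:55:36Z"
    ),
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in request_token(...) for a live call.
    for key, value in parse_aadsts_error(SAMPLE_ERROR).items():
        print(f"{key:15s} {value}")
```

Because this grant hands the user's password and the client secret to the calling application, read both from the environment or a secret store rather than pasting them into a shell history or a Postman collection, and keep the extracted Trace ID and Correlation ID (not the password or secret) when raising the AADSTS90009 case with support.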