Azure AD integration with Password Grant returns error

Hi,
I’m new to this community and Auth0, so sorry if I’m posting this in the wrong forum section.

I have integrated our company Azure AD with Auth0 for some testing. I’m able to generate tokens for users correctly using the Implicit grant. However, when I try with the Password grant flow, it fails.

My request:

curl -X POST \
  https://javierholguera.eu.auth0.com/oauth/token \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Host: javierholguera.eu.auth0.com' \
  -H 'Postman-Token: f67c8935-85b2-4029-9411-cd14b32b679c,c86403a1-cbb8-4e85-b842-96740d45e4da' \
  -H 'User-Agent: PostmanRuntime/7.11.0' \
  -H 'accept-encoding: gzip, deflate' \
  -H 'cache-control: no-cache' \
  -H 'content-length: 405' \
  -d 'grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&username=auth0%40some-domain.pro&password=[REDACTED]&audience=https%3A%2F%2Fcompany-back-office-api.company.co.uk&scope=openid%20profile%20email%20address%20phone&client_id=lMFpfowtmambV0QtvX6LFaILQwW7Jduw&client_secret=[REDACTED]&realm=some-domain-waad'

The error that I get back is:

{
  "error": "invalid_request",
  "error_description": "AADSTS90009: Application '17837d71-23e2-48d7-bc8c-b551d2a3f69e'(17837d71-23e2-48d7-bc8c-b551d2a3f69e) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.\r\nTrace ID: 1a20622f-f6aa-4243-8426-6d38e1311200\r\nCorrelation ID: bb0255e2-5449-4243-8ade-adce03706957\r\nTimestamp: 2019-05-10 09:55:36Z"
}

Browsing around, it seems like the problem might be with Auth0 not sending a “resource” parameter with the client_id instead of the App ID URI. See: https://stackoverflow.com/questions/42006468/oauth-2-0-and-azure-active-directory-error-aadsts90009

This error is saying that the field you provided in the resource parameter is requesting tokens for itself. In the case you do want to get a token for the app specified in the client_id, then you have to pass the client_id in the resource field rather than the app ID URI. At which point you will receive an access token for self.

I’ve tried configuring my client_id value in Auth0 -> AD settings -> App ID URI with the value “api://17837d71-23e2-48d7-bc8c-b551d2a3f69e”, because it wouldn’t take the client_id alone (not a valid URI), and configured it in Azure AD as well, but it is still not working.

Any idea how to fix this?

Thanks.
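The request above is Auth0's password-realm grant (resource owner password credentials routed to one enterprise connection via the realm parameter), and the error is Azure AD's, relayed through Auth0. The following is an added example, not code from the original post or from Auth0: it builds the same form-encoded body with proper URL encoding and classifies the JSON that comes back, pulling the AADSTS code and the Trace/Correlation IDs out of error_description so that an upstream identity-provider failure can be told apart from a local Auth0 one and logged without the secret. The function names, the sample responses and the hint text for AADSTS90009 (taken from this thread) are my own constructions.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Auth0's non-standard grant_type for "password grant against one realm/connection".
AUTH0_PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"

# Hypothetical lookup: known Azure AD codes and what this thread says they mean.
AADSTS_HINTS = {
    "AADSTS90009": "Azure AD rejected the resource identifier: the app is "
                   "requesting a token for itself. Check the App ID URI "
                   "configured on the Auth0 Azure AD connection.",
}

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
ID_RE = re.compile(r"(Trace ID|Correlation ID): ([0-9a-fA-F-]+)")


def build_password_realm_body(username, password, realm, client_id,
                              client_secret, audience,
                              scope="openid profile email"):
    """Return the application/x-www-form-urlencoded body for the password-realm grant.

    urlencode() percent-encodes '@', '/' and ':' for us, which is the part most
    often got wrong when the body is assembled by hand.
    """
    params = {
        "grant_type": AUTH0_PASSWORD_REALM_GRANT,
        "username": username,
        "password": password,
        "realm": realm,              # name of the Auth0 enterprise connection
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,        # API identifier the access token is for
        "scope": scope,
    }
    return urllib.parse.urlencode(params)


def classify_token_response(status, body_text):
    """Turn a /oauth/token response into a small dict safe to log.

    Tokens themselves are never copied into the result, only their presence.
    For errors, an AADSTS code in error_description marks the failure as an
    upstream Azure AD error rather than a local Auth0 one.
    """
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return {
            "kind": "token",
            "token_type": data.get("token_type"),
            "expires_in": data.get("expires_in"),
            "has_id_token": "id_token" in data,
        }
    desc = data.get("error_description", "")
    match = AADSTS_RE.search(desc)
    ids = dict(ID_RE.findall(desc))
    code = match.group(1) if match else None
    return {
        "kind": "error",
        "status": status,
        "error": data.get("error"),
        "aadsts": code,
        "upstream_idp": code is not None,
        "hint": AADSTS_HINTS.get(code),
        "trace_id": ids.get("Trace ID"),
        "correlation_id": ids.get("Correlation ID"),
    }


def request_token(token_url, body, timeout=10):
    """POST the body to the tenant's /oauth/token endpoint and classify the reply."""
    req = urllib.request.Request(
        token_url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:       # 4xx/5xx still carry JSON
        return classify_token_response(exc.code, exc.read().decode())


# Constructed sample responses: the first mirrors the error quoted in the post.
SAMPLE_AAD_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": (
        "AADSTS90009: Application 'aaaaaaaa-0000-0000-0000-000000000000'"
        "(aaaaaaaa-0000-0000-0000-000000000000) is requesting a token for itself."
        "\r\nTrace ID: 11111111-2222-3333-4444-555555555555"
        "\r\nCorrelation ID: 66666666-7777-8888-9999-000000000000"
        "\r\nTimestamp: 2019-05-10 09:55:36Z"),
})
SAMPLE_TOKEN_OK = json.dumps({
    "access_token": "placeholder.jwt.value", "id_token": "placeholder.jwt.value",
    "token_type": "Bearer", "expires_in": 86400,
})

if __name__ == "__main__":
    body = build_password_realm_body("user@example.com", "[REDACTED]",
                                     "example-waad", "EXAMPLE_CLIENT_ID",
                                     "[REDACTED]", "https://api.example.com")
    print(body)
    print(classify_token_response(400, SAMPLE_AAD_ERROR))
    print(classify_token_response(200, SAMPLE_TOKEN_OK))
```

Because the classifier is separated from the HTTP call, the same logic can be run over stored responses when reviewing a failed integration, and the hint table can be extended with further AADSTS codes as they are confirmed.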

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

I wanted to reach out to ask whether you still require further assistance.